
Man In The Middle Attacks

A Man-In-The-Middle (MiTM) attack is when a malicious individual sits between two communicating parties and intercepts all communications. Usually, the attacker has managed to slip between the sender and recipient before they’ve had a chance to set up any form of encryption – which means anything and everything done online is entirely visible.   

 

How does the attack work?

There are multiple ways to create a man-in-the-middle setup.

 

MALWARE ATTACKS:

One common attack method is for a victim to be sent an email. The email usually contains a link that, when clicked, appears to take you to a legitimate site. Unfortunately, the website is anything but, and will promptly download malicious software onto the user’s device if it’s vulnerable to attack. This malware records any data being sent between the victim’s browser and a website of interest - such as a financial institution. The data is then transmitted to the attacker, who will use the information for personal gain.
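The deceptive link described above usually betrays itself in the email's HTML: the visible text says one domain while the `href` points somewhere else, uses a raw IP address, or hides the real host behind a `user@host` prefix. The following is an added example (not code from the original article) of a mail-gateway style check that flags such links; the sample email, the domains and the IP addresses in it are all constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a host name inside the link's visible text
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def host_of(url):
    """Host the link really goes to (urlparse discards any user@ prefix)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def suspicious_links(html):
    """Return (href, visible_text, reason) for links whose destination is not what they appear to be."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue
        reasons = []
        try:
            ipaddress.ip_address(host)
            reasons.append("raw IP address as host")
        except ValueError:
            pass
        if "@" in urlparse(href).netloc:
            # https://www.yourbank.com@evil.example really goes to evil.example
            reasons.append("credentials in URL hide the real host")
        shown = DOMAIN_RE.search(text)
        if shown:
            shown_host = shown.group(0).lower()
            if shown_host != host and not host.endswith("." + shown_host):
                reasons.append(f"visible text says {shown_host} but link goes to {host}")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


# Constructed sample email body: one genuine link, one to an IP literal,
# one genuine support link, and one using the user@host trick.
SAMPLE_EMAIL = """
<p>Please sign in at <a href="https://www.yourbank.com/login">https://www.yourbank.com/login</a>.</p>
<p>Or use <a href="http://203.0.113.7/login">https://www.yourbank.com/login</a> to update your password.</p>
<p>Help: <a href="https://support.yourbank.com">support.yourbank.com</a></p>
<p>Secure: <a href="https://www.yourbank.com@evil.example/login">www.yourbank.com</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href!r} shown as {text!r}: {reason}")
```

Only the second and fourth links are reported; the genuine login and support links pass because the host in the text matches (or is a parent of) the host in the `href`. A production filter would additionally compare against a list of the organisation's own domains and look at redirector services, which this example does not attempt.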

 

Wi-Fi ATTACKS:

In another type of attack, the cybercriminal will intercept communications by attacking a vulnerable Wi-Fi router. This might be a hub found in public areas or even in someone’s home. The router is scanned for security vulnerabilities such as a weak password and then, using freely available software, the hacker will intercept and read transmitted data such as login credentials, banking details, and other sensitive information.

 

It is also possible for an attacker to set up their own Wi-Fi hotspot, giving it a legitimate name to encourage unsuspecting users to connect.  As soon as a victim uses the connection, however, any online activity is compromised.

 

EMAIL HIJACKING:

This involves a hacker infiltrating an organisation’s email account. They will read emails and eavesdrop on communications. At some point, they move from listening to faking (or ‘spoofing’) messages. These messages appear legitimate and ask recipients to send money or sensitive information. 

 

ARP ATTACKS:

Being able to send and receive messages requires two types of address: an IP address, which might get a message to your place of work, and a MAC address, which gets the message to your device rather than to anyone else who happens to be using the network at the same time. In an ARP attack, the hacker convinces the router that the victim’s IP address should be mapped to the attacker’s MAC address, not the victim’s. The router then tells every other device on the network about this change, meaning the attacker gets to see the victim’s traffic lock, stock and barrel.

 

DNS ATTACK:

This is very much like an ARP attack. Let’s say we are using the address www.yourbank.com. A DNS server is supposed to turn this web address into an actual IP address, so that all your traffic is sent to your bank. But what if I can corrupt the way the DNS server works and tell it to turn this web address into my IP address rather than the legitimate one? The victim is then forced to visit my fake website and interact with me.
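A stub resolver cannot fix a corrupted server, but it can refuse answers that were never meant for it: every DNS response carries the transaction ID and the question of the query it answers, and a client that checks both discards a forged reply injected onto the wire. The following is an added example, not part of the original article, that builds a query for www.yourbank.com, a genuine reply and two forged ones, and validates them the way a careful client would. The transaction ID, the IP addresses and the `evil.example` name are constructed for the demonstration.

```python
import struct


def encode_name(name):
    """Encode a dotted host name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name):
    # Header: id, flags (RD=1), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_response(txid, name, ipv4):
    """Minimal response: header with QR=1, the question echoed back, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # Compression pointer to offset 12 (the question name), type A, class IN, TTL, rdlength
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    rr += bytes(int(o) for o in ipv4.split("."))
    return header + question + rr


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def validate_response(query, response):
    """Return the A records if the response matches our query, else raise ValueError."""
    qid, _, _, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    qname, qend = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[qend:qend + 4])

    rid, rflags, rqd, ran, _, _ = struct.unpack("!HHHHHH", response[:12])
    if rid != qid:
        raise ValueError("transaction ID mismatch")
    if not rflags & 0x8000:
        raise ValueError("not a response")
    if rqd != 1:
        raise ValueError("unexpected question count")
    rname, rend = decode_name(response, 12)
    rtype, rclass = struct.unpack("!HH", response[rend:rend + 4])
    if (rname.lower(), rtype, rclass) != (qname.lower(), qtype, qclass):
        raise ValueError("question section does not match the query")

    answers = []
    offset = rend + 4
    for _ in range(ran):
        _, offset = decode_name(response, offset)
        atype, aclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if atype == 1 and aclass == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return answers


def accepts(query, response):
    """True if the client would trust this response for this query."""
    try:
        validate_response(query, response)
        return True
    except ValueError:
        return False


# Constructed exchange: our query, the genuine answer, and two forged answers
QUERY = build_query(0x1234, "www.yourbank.com")
GENUINE = build_response(0x1234, "www.yourbank.com", "192.0.2.10")
FORGED_ID = build_response(0x9999, "www.yourbank.com", "203.0.113.66")
FORGED_NAME = build_response(0x1234, "www.yourbank.com.evil.example", "203.0.113.66")
```

The genuine reply yields `['192.0.2.10']`; the reply with the wrong transaction ID and the one answering a different question are both rejected. This check only protects against answers that do not match what was asked; if the resolver itself has been corrupted as the text describes, the matching answer is still wrong, which is why using a trusted resolver (and DNSSEC where available) matters alongside client-side validation.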

 

HOW TO MITIGATE THE RISKS OF MITM ATTACKS

 

AVOID PUBLIC Wi-Fi:

  • Especially if you intend to conduct sensitive transactions or correspondence. In fact, it is a good idea to turn your Wi-Fi off altogether when you are out and about to prevent unintended connections.

  • If this is not an option, then consider purchasing a VPN and leaving it turned on. A VPN will encrypt traffic so that even if your connection is compromised, the attacker is unable to decipher what is being sent.

  • Employees that work on the go need to understand the dangers of public Wi-Fi and the importance of securing a connection using a company sanctioned VPN.

 

HARDEN YOUR ROUTER:

  • Most internet service providers have help pages and even video tutorials demonstrating how to rename your Wi-Fi. This hides the make and model of the hub, which makes it more difficult to attack. 

  • You should also change any default usernames and passwords, because these are easily researched by attackers.

  • Finally, it is possible to encrypt all communication between an electronic device and a hub by setting up ‘WPA2 Personal’ for home users and ‘WPA2 Enterprise’ for organisations.

  • Businesses, in particular, should be mindful of how far a Wi-Fi signal extends beyond the premises, and of the importance of conducting a site survey to check signal strength and detect the presence of an ‘evil twin’ or ‘rogue access point’.

 

HARDEN YOUR DEVICE:

  • Check if your browser is up-to-date by visiting a reputable site such as whatismybrowser.com. Additionally, always update your device as soon as possible to make sure that it is not vulnerable to attack.

  • Using an antivirus and a firewall product from a reputable company will also go a long way toward providing peace of mind – especially as most MiTM attacks rely on the installation of malicious software.

  • Finally, it's a good idea to download a free vulnerability scanner - such as OpenVAS - and point it at your network to be sure your security posture is sufficiently robust.

BE WARY OF PHISHING EMAILS:  

Unexpected emails requesting you to update your password or any other login credentials should set alarm bells ringing.

  • Instead of clicking a link, always confirm the authenticity of an email by contacting the organisation using alternative methods.

  • Unexpected invoices or requests for payments should also be investigated to reduce the likelihood of fraud.

  • If staff have not been trained to follow such procedures, and if they don't know what a phishing email looks like, then there is a very good chance that your organisation will eventually succumb to such an attack. Offer training and then test the success of your campaigns by running a free phishing simulator such as GoPhish.

ARP ATTACKS:

For organisations, ARP attacks are difficult to protect against.

  • It is possible to map IP addresses directly to MAC addresses manually, but this involves significant administrative overhead and is not a practical solution if the organisation is large. In this case, a commercial ARP poisoning detector is probably preferable.
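The two ideas above, pinning IP-to-MAC mappings manually and running a poisoning detector, and the ARP attack described earlier in the article come together in the following added example (not code from the original article). It replays a constructed list of ARP replies, keeps the IP-to-MAC table a detector would build, and raises an alert when a pinned entry is contradicted, when an address suddenly moves to a different MAC, or when one MAC starts answering for several addresses, which is what the attack looks like on the wire. All addresses in the sample are made up.

```python
from collections import defaultdict

# Constructed ARP replies observed on the LAN: (seconds, sender IP, sender MAC).
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway announces itself
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),  # victim workstation
    (2.0, "192.168.1.77", "aa:bb:cc:00:00:77"),  # another host on the segment
    (5.0, "192.168.1.1", "aa:bb:cc:00:00:77"),   # host .77 now claims to be the gateway
    (5.5, "192.168.1.20", "aa:bb:cc:00:00:77"),  # ...and the victim: both sides poisoned
    (6.0, "192.168.1.30", "aa:bb:cc:00:00:30"),  # unrelated, legitimate reply
]

# The manual mapping the text mentions: pin the gateway so any contradiction is an alert.
STATIC_ENTRIES = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_poisoning(replies, static_entries=None, max_ips_per_mac=1):
    """Return a list of (time, alert_type, detail) for replies that look like poisoning.

    alert types:
      static-violation        a pinned IP was claimed by a different MAC
      mapping-change          an IP we had already seen moved to a new MAC
      mac-claims-multiple-ips one MAC answers for more IPs than max_ips_per_mac allows
    """
    static_entries = {ip: mac.lower() for ip, mac in (static_entries or {}).items()}
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        if ip in static_entries and static_entries[ip] != mac:
            alerts.append((t, "static-violation",
                           f"{ip} is pinned to {static_entries[ip]} but {mac} claims it"))
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((t, "mapping-change", f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append((t, "mac-claims-multiple-ips",
                           f"{mac} now answers for {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for t, kind, detail in detect_arp_poisoning(SAMPLE_REPLIES, STATIC_ENTRIES):
        print(f"t={t:>4}  {kind:<24} {detail}")
```

On the sample data the first three replies are quiet; the reply at t=5.0 produces three alerts at once (pinned gateway contradicted, mapping changed, one MAC claiming two addresses) and the reply at t=5.5 two more. In a real deployment `max_ips_per_mac` needs tuning, because a router or a host running several virtual IPs legitimately answers for more than one address, and DHCP reassignments will occasionally produce a harmless `mapping-change`; the `static-violation` alert for a pinned gateway is the one with the fewest false positives.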
