Malwarebytes reported a massive surge of 1,677% in the detection of spyware between January 1 and June 30, 2020. In a man in the middle attack, the attacker spies on the conversation between the server and client, using malware or other methods to do it. To combat and prevent these types of attacks, it helps to understand them first. So, let’s explore the types of man in the middle attacks that you need to know about…
Have you ever watched an action movie where a good spy (like James Bond or Black Widow) intercepts a secret communication? This person is what’s known as a man in the middle attacker, but we don’t mind in this case because they’re a “good guy/gal” in the film. But in a real world man in the middle attack, a MitM attacker’s intentions typically aren’t so good. Instead, a cybercriminal places themselves between two communicating parties so that they can intercept, read, and alter the data. The attacker can place themselves at any point along the communication chain to carry out this type of cyber attack.
But what are the different types of man in the middle attacks? Let’s explore them all more in depth.
Breaking Down 8 Types of Man in the Middle Attacks
A man in the middle attack can be used alone or as part of a bigger scheme. Either way, the purpose behind the attack is gaining information or money. A man in the middle attack, which can be carried out from any layer of the protocols governing the communication chain, can be separated into different types according to how an attacker carries it out (i.e., what methods they use).
But first, if you’re not sure what a man in the middle attack is, we’ve explained it all here.
Method 1: Attack on Encryption
Attacks on encryption can be launched at any of three OSI layers: application, presentation, or transport.
Security protocols like SSL/TLS are used to secure the communication channel between the client and the server. However, cybercriminals sometimes manage to bypass or manipulate these security protocols to intercept so-called “secure” communications. There are three types of man in the middle attacks on encryption. Let’s have a look.
1. HTTPS Spoofing
For this first type of man in the middle attack on our list, some experts say it’s a MitM attack while others say it’s a phishing attack method instead. With HTTPS spoofing, a criminal creates a fake HTTPS website by spoofing the address of a legitimate website. Then they send a link for this fake website to unsuspecting users who visit the fake site, opening themselves up to attack.
How Does an HTTPS Spoofing Attack Work?
In April 2017, Xudong Zheng presented a proof of concept showing how he could manipulate a user into believing they were accessing the legitimate Apple website when, in reality, it was an imposter site. He did this by using special characters that look visually identical to letters of the English alphabet.
Xudong Zheng wanted to show that it was possible to register domains with foreign characters using Punycode. When Unicode characters were used to register the domain name “xn--pple-43d.com”, the domain name that was visually displayed was “apple.com”. This fake site used the Cyrillic “a” (U+0430) instead of the ASCII “a” (U+0061). This spoofing technique is also called script spoofing.
As many Unicode characters are difficult to distinguish from ASCII characters, cybercriminals can use them to register phony websites. The attackers can not only register domain names that look like the original, but they can also obtain low-level SSL certificates (i.e., domain validation certificates) for these websites to make them seem more legitimate. When an attacker sends the URL of a dodgy site to their target, the unsuspecting victim clicks on the URL and falls right into the criminal’s trap. This type of attack is also known as a homograph attack or internationalized domain name (IDN) homograph attack.
While the bad guys use homographic (also known as homoglyphic) attacks, the good guys have been working to protect us. Google Chrome version 51 and later, Microsoft Edge, Firefox, and Opera block sites that use more than one language for their IDN, and many browsers also warn users when they try to access such malicious sites.
The simplest way to avoid such scams is to never click on URLs sent to you via emails, messages, or pop-ups. If you want to visit a website, you should manually type the website name in your browser to shield yourself from a man in the middle attack.
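The browser checks described above (mixed-script and whole-script look-alike labels) can be reproduced in a few lines. The following is an added example, not code from the original article or from any browser vendor: it converts a hostname to its Punycode form with Python’s built-in idna codec, groups each label’s letters by Unicode script, and maps a small constructed table of Cyrillic and Greek look-alikes back to Latin so the displayed name can be compared with the name it imitates. The confusables table is an assumption for illustration; a production check would use the full Unicode confusables data.

```python
import unicodedata

# Constructed, deliberately small table of non-Latin letters that render like
# Latin letters. Unicode publishes a complete confusables.txt for real use.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def script_of(ch):
    """Script name as it appears first in the Unicode character name, e.g. LATIN."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def skeleton(label):
    """Replace every known look-alike with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze_hostname(host):
    """Return the Punycode form plus the two signals browsers act on."""
    host = host.strip().rstrip(".").lower()
    labels = host.split(".")
    result = {
        "punycode": host.encode("idna").decode("ascii"),
        "skeleton": ".".join(skeleton(label) for label in labels),
        "non_ascii": any(ord(ch) > 127 for ch in host),
        "mixed_script_labels": [],
        "whole_script_confusable_labels": [],
    }
    for label in labels:
        letters = [ch for ch in label if ch.isalpha()]
        scripts = {script_of(ch) for ch in letters}
        # Latin and Cyrillic letters in one label: the classic mixed-script homograph.
        if len(scripts) > 1:
            result["mixed_script_labels"].append(label)
        # Every letter is a look-alike (Zheng's all-Cyrillic "apple"): single script,
        # still indistinguishable from the Latin name when rendered.
        if letters and all(ch in CONFUSABLES for ch in letters):
            result["whole_script_confusable_labels"].append(label)
    result["suspicious"] = bool(
        result["mixed_script_labels"] or result["whole_script_confusable_labels"]
    )
    return result


if __name__ == "__main__":
    for name in ("apple.com", "\u0430pple.com", "\u0430\u0440\u0440\u04cf\u0435.com"):
        info = analyze_hostname(name)
        print(f"{name!r:>20} -> {info['punycode']:<22} looks like {info['skeleton']} "
              f"suspicious={info['suspicious']}")
```

The Punycode form is what actually goes on the wire and into the certificate, which is why showing it (as browsers now do for suspicious names) defeats the visual trick even when the rendered glyphs are identical.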
2. SSL Hijacking
SSL hijacking attacks are man in the middle attacks in which the criminal hijacks a user’s legitimate session and pretends to be that user. The server will not know that the person making the transaction is not the intended user.
SSL hijacking attacks are also known as session hijacking or cookie jacking attacks. SSL hijacking involves stealing the session ID or session key to gain unauthorized control over the victim’s session.
How Does an SSL Hijacking Attack Work?
Once the criminal gains control of the session, they can do everything the user is authorized to do on their account: transfer or withdraw money, buy things, even change the victim’s account details. The previous figure is a representation of an SSL hijacking attack.
So, the question is, how does a criminal get ahold of a session key for the attack? These are some mistakes that website owners and users make that leave the session vulnerable:
- Using predictable variables to generate a session ID: It becomes easier to guess a session ID when it is generated using predictable variables like login date and time, IP address, or previous session ID. Although this practice is becoming increasingly uncommon, some websites make the mistake of using such IDs. A cybercriminal can easily use a brute force attack to guess these predictable versions of the session ID.
- Securing only a part of the website rather than the full website: Some website owners prefer to use SSL certificates on the login and payment pages but choose to save money on the other pages. Cybercriminals can easily access the communication when the user clicks on an unsecured page. The threat actor can also access the cookies that will have information about the login page.
- Clicking on links in phishing emails: The bad guys are known to send phishing emails with session IDs to the users. When the user clicks on the link, they will start a session on the account with this attacker-defined session ID. These types of attacks are known as session fixation attacks.
Moreover, a phishing email can also contain a link to a malicious website. The infected page on the website will lure the user device to execute a script (usually JavaScript) that will send the session cookies to the attacker. The attacker can hijack the entire session with the cookie. This type of attack is known as a cross-site scripting attack (XSS).
- Buying hardware from unreliable sources: When a user sources hardware from unreliable merchants, the hardware might be loaded with malware. Usually, this malware is designed to steal user information from the hardware’s owner and send it to the cybercriminal. The bad guys can also steal the cookies from the user’s device and gain access to their sessions.
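The server-side mistakes in the list above (predictable IDs, cookies sent over unsecured pages, fixation, cookie theft by injected script) have direct counterparts in how a session store is written. The following is an added example, not code from the original article: it contrasts a predictable ID with one drawn from the OS random source, rotates the ID at login so a fixated ID never becomes an authenticated one, and emits the cookie attributes that keep the ID off plain HTTP and away from page scripts. The `SessionStore` class and cookie name are assumptions made for the illustration.

```python
import secrets

SESSION_ID_BYTES = 32  # 256 bits from the OS CSPRNG


def predictable_session_id(user_id, login_time):
    """The anti-pattern from the text: an ID assembled from guessable inputs
    (user number plus login timestamp), so the search space is tiny."""
    return f"{user_id}-{int(login_time)}"


def new_session_id():
    """Unguessable ID; secrets.token_urlsafe uses the OS random source."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


class SessionStore:
    """Minimal in-memory session table (assumed structure for the example)."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": ..., "authenticated": bool}

    def create_anonymous(self):
        sid = new_session_id()
        self._sessions[sid] = {"user": None, "authenticated": False}
        return sid

    def login(self, presented_sid, user):
        """Rotate the ID when privilege changes. Whatever ID the browser arrived
        with (possibly one an attacker planted via a link) is discarded, so a
        fixated ID never becomes a logged-in one."""
        self._sessions.pop(presented_sid, None)
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "authenticated": True}
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def set_cookie_header(name, sid, max_age=3600):
    """Cookie attributes that close the theft paths described in the text:
    Secure   -> never sent on plain-HTTP pages of a partially protected site;
    HttpOnly -> unreadable to injected JavaScript (XSS);
    SameSite -> not attached to requests initiated from other sites."""
    return f"{name}={sid}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print("predictable:", predictable_session_id(42, 1600000000))
    store = SessionStore()
    planted = store.create_anonymous()          # ID a victim might be sent in a link
    after_login = store.login(planted, "alice")  # rotated at authentication
    print("planted ID still valid?", store.lookup(planted) is not None)
    print(set_cookie_header("sid", after_login))
```

The rotation in `login` is the specific fix for session fixation; the cookie flags address the other list items, and a strong ID only helps if it is also protected in transit and in the browser.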
3. SSL Stripping
SSL stripping, also known as a downgrade attack, is a type of man in the middle attack where the criminal reduces the security of a website’s connection so they can access the communications between a client and the server it connects to.
What is the number one method used for website security? It’s TLS, of course. The TLS protocol was developed to secure the communication between the website and the server, and it works. But guess what, cybercriminals still find a way around it to launch MitM attacks.
Computer security researcher Moxie Marlinspike presented a security flaw at Black Hat 2009 in Washington D.C. He showed that HTTP sites are loaded first, quickly followed by the SSL certificate. The result is a secure HTTPS connection. But in the short time before the SSL certificate is loaded, an attacker has a tiny window of opportunity where they can send the unsecured HTTP site to the user instead of the secure version. The result?
- The user will continue their communication, thinking they are secure.
- The server will also think there is a secure connection with a legitimate user.
- Meanwhile, the MitM has access to a secure connection with the server and an open connection with the user. This means that the attacker can access everything passed between the user and server.
How Does an SSL Stripping Attack Work?
When the user makes a request for an HTTPS website, the attacker downgrades the HTTPS to an HTTP version of the same website. The HTTP version is not secure, and the attacker can read everything between the client and the server. They can also alter and manipulate the whole conversation. An SSL stripping attack looks like this:
There are four steps involved in an SSL stripping attack:
- The user requests access to “https://example.com”
- The MitM passes on the user request to the server
- The server responds with the secure site “https://example.com”
- The MitM exploits the vulnerability and sends unsecured site “http://example.com” to the user
This may leave you wondering how a cybercriminal can degrade the security protocol. They can do this in one of three ways:
- Manually setting the proxy of the browser to route all traffic
- Using ARP poisoning
- Creating a hotspot and getting victims to connect to it
To avoid SSL stripping attacks, always check that you are working on an HTTPS site and have not shifted to an HTTP page during the session. Being mindful about the URL goes a long way to prevent greater woes. Another way to defend against SSL stripping is by implementing an HSTS (HTTP Strict Transport Security) policy, a stringent policy under which the browser will only load the site over HTTPS.
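HSTS works entirely on the client: once a browser has seen the header over a genuine HTTPS connection, it rewrites later `http://` requests to `https://` before anything reaches the network, so the four-step downgrade above never gets its first plain-HTTP request. The following is an added example, not code from the original article or from any browser: a parser for the `Strict-Transport-Security` header, a small client-side store that honours `max-age` and `includeSubDomains`, and the URL rewrite that closes the window the attacker relies on. `HstsStore` and the sample header values are constructed for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # the usual minimum max-age for a meaningful policy


def parse_hsts(header_value):
    """Parse 'max-age=N; includeSubDomains; preload' into a dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header_value.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age="):
            try:
                policy["max_age"] = int(token.split("=", 1)[1].strip('"'))
            except ValueError:
                pass  # malformed max-age: treat header as absent
        elif token == "includesubdomains":
            policy["include_subdomains"] = True
        elif token == "preload":
            policy["preload"] = True
    return policy


def hsts_is_strong(policy):
    """Policy check an operator would run against their own site."""
    return policy["max_age"] is not None and policy["max_age"] >= ONE_YEAR


class HstsStore:
    """Client-side memory of hosts that must only be reached over HTTPS."""

    def __init__(self):
        self.hosts = {}

    def learn(self, host, response_headers, was_https):
        # The header is ignored on plain HTTP: a man in the middle could set it.
        if not was_https:
            return
        value = response_headers.get("Strict-Transport-Security")
        if value is None:
            return
        policy = parse_hsts(value)
        if policy["max_age"] is None:
            return
        if policy["max_age"] == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 revokes the entry
        else:
            self.hosts[host.lower()] = policy

    def must_upgrade(self, host):
        host = host.lower()
        if host in self.hosts:
            return True
        parts = host.split(".")
        for i in range(1, len(parts)):  # includeSubDomains: look at each parent
            parent = self.hosts.get(".".join(parts[i:]))
            if parent and parent["include_subdomains"]:
                return True
        return False

    def rewrite(self, url):
        """Applied before any request is sent: http -> https for known hosts."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.must_upgrade(parts.hostname or ""):
            netloc = parts.hostname
            if parts.port and parts.port != 80:
                netloc += f":{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    # Constructed response seen on a genuine HTTPS visit.
    store.learn("example.com",
                {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                was_https=True)
    print(store.rewrite("http://example.com/login"))       # upgraded
    print(store.rewrite("http://www.example.com/"))        # subdomain upgraded
    print(store.rewrite("http://other.example.org/"))      # unknown host, unchanged
```

The caveat the store makes explicit is the first visit: HSTS protects only hosts the browser has already seen over HTTPS, which is what the `preload` directive and the browser preload lists exist to cover.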
Method 2: Interception
With this method, the cybercriminal uses the communication protocol layers to intercept the conversation between two nodes on the internet. A criminal might just observe the data transferred from a place on the network near the communicating devices, or they can redirect the whole traffic through a node controlled by them. There are five types of man in the middle attacks that use interception:
4. IP Spoofing
When a cybercriminal spoofs the IP headers of the TCP packets transferred between two devices that trust each other, they can redirect the traffic to their chosen location. This is known as IP spoofing. An IP spoofing attack is most commonly used to create a backdoor to the victim’s IT systems by gaining root access to the host. The attack capitalizes on the trust between the two devices and is typically used as part of a larger scheme to launch a cyber attack on the target.
Data is transferred on the internet by using an internet protocol (IP) that packages it into packets. The packet headers contain the identity of the sender and the receiver in the form of IP addresses. If an attacker changes the sender’s IP address on the data header, it will look like it has come from the spoofed IP address. IP is a stateless protocol, so no data from the previous sessions are retained.
How Does an IP Spoofing Attack Work?
First, the attacker finds the IP address of the trusted host in a network. Cybercriminals are well versed in predicting TCP sequence numbers to construct a TCP packet on their own. They’ll send a message to the computer by altering the packet headers to give an impression that they’re coming from that trusted host. As it is a trusted host, the target might start communicating without further inquiries.
Unfortunately, this attack is possible because routers largely ignore the sender’s IP address and concentrate on the destination IP address. The attacker might even change the routing table to redirect the traffic on the victim network to a node they control. The computers on the victim network might not even be aware of the forged route and continue to communicate.
The attacker can be a silent observer but can also send emails or documents from the official email address of anybody from the target company.
IP spoofing happens while the three-way TCP handshake is carried out between the client and the server. The following steps are followed in a normal TCP handshake:
- The client sends a SYN with its sequence number x to the server
- The server responds with an acknowledgement ACK(x+1) and its own SYN with sequence number y
- The client responds with ACK(y+1)
The attacker replies to the server with an estimation of “y” before the client can reply. If their estimation is correct, the server will think that they are the real client. IP spoofing is only possible if the attacker responds with a correct answer before the client, so this is a challenging attack to pull off.
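The observation above that routers forward on the destination address and ignore the source is exactly what source-address validation (the practice standardised as BCP 38) fixes: a border device drops packets whose claimed source could not legitimately have arrived on that interface. The following is an added example, not code from the original article: it applies that rule to a constructed set of packets on a constructed two-interface topology (an internal `lan0` holding 192.0.2.0/24 and an external `wan0`), dropping bogon sources, inside packets that claim outside addresses, and outside packets that claim inside addresses. Interface names, prefixes and packets are all assumptions for the illustration.

```python
import ipaddress

# Constructed topology: prefixes that legitimately sit behind each internal interface.
INTERFACE_PREFIXES = {
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],
}
# Every prefix the organisation owns; nothing arriving from outside may claim one.
INSIDE_PREFIXES = [net for nets in INTERFACE_PREFIXES.values() for net in nets]

# Constructed packets: (source IP, destination IP, interface the packet arrived on)
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.5", "lan0"),   # inside host talking out: fine
    ("198.51.100.7", "192.0.2.10", "wan0"),   # reply from outside: fine
    ("203.0.113.9", "192.0.2.10", "lan0"),    # inside host forging an outside source
    ("192.0.2.77", "192.0.2.10", "wan0"),     # outside packet forging an inside source
    ("127.0.0.1", "192.0.2.10", "wan0"),      # loopback source is never valid on the wire
]


def classify(packet):
    """Return ('accept'|'drop', reason) for one packet under source validation."""
    src, _dst, iface = packet
    ip = ipaddress.ip_address(src)

    # Addresses that can never be a legitimate source on a link.
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_link_local:
        return "drop", "bogon source address"

    if iface in INTERFACE_PREFIXES:
        # Egress filtering: a packet from an internal interface must carry a source
        # from that interface's own prefixes.
        if not any(ip in net for net in INTERFACE_PREFIXES[iface]):
            return "drop", f"source {src} is not behind {iface}"
        return "accept", ""

    # Ingress filtering: a packet from outside must not claim one of our addresses.
    if any(ip in net for net in INSIDE_PREFIXES):
        return "drop", f"outside packet claims inside source {src}"
    return "accept", ""


def filter_packets(packets):
    """Apply classify() to a batch; returns (packet, decision, reason) tuples."""
    return [(p, *classify(p)) for p in packets]


if __name__ == "__main__":
    for packet, decision, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{decision:6} {packet[0]:>14} -> {packet[1]:<14} on {packet[2]}  {reason}")
```

The check is cheap because it needs no state: it only compares the source against what the interface is known to serve, which is why it belongs at the network edge where that knowledge is exact.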
5. ARP Spoofing
Next on our list of the types of man in the middle attacks is ARP spoofing. An ARP spoofing attack allows bad guys to intercept specific types of communications between network devices. More specifically, ARP spoofing allows an attacker to send a phony address resolution protocol (ARP) message via a local area network (LAN) to deceive the server into trusting it, ultimately misdirecting all the traffic to their device.
How Does an ARP Spoofing Attack Work?
The figure shown below will help you understand the concept better. As you can see, four devices are connected to a LAN with gateway 172.14.0.4. All the traffic that goes out to the server has to pass through the LAN. A criminal will disguise their device as one of the devices on the network to penetrate it.
Under ideal circumstances, the following steps take place:
- A network device sends a broadcast ARP request to locate a MAC address that corresponds to an IPv4 address.
- A legitimate device with an IP address that matches the request sends a reply.
- The device sending the request will cache the ARP reply in the ARP table.
The story gets interesting when a man in the middle gets in. The attacker sends back the reply when any network device shouts out to locate a MAC address. If the attacker manages to map their MAC address to an authentic IP address, they are in a position to receive every communication meant for the legitimate device.
Sometimes the attacker goes a step further and sends an ARP message with the IP address of the default gateway to capture all traffic on the LAN. All devices on the network will map the attacker’s IP address as the default gateway. This is called ARP poisoning, as the ARP tables of the devices are ‘poisoned’ with the attacker’s IP address.
Some people use the terms ‘ARP spoofing’ and ‘ARP poisoning’ interchangeably. However, there is a difference between the two. In ARP spoofing, the attacker will send their MAC address in response to a request from a device on the LAN. So, they spoof the ARP for impersonating the victim. On the other hand, in ARP poisoning, the attacker will go ahead and modify the ARP tables of one or more devices on the LAN.
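Both behaviours described above leave a trace on the wire that a host or sensor can watch for: an IP-to-MAC binding that changes (most seriously for the gateway, 172.14.0.4 in the article’s diagram) and a single MAC that starts answering for several IP addresses. The following is an added example, not code from the original article or from any tool: a detector that replays constructed ARP reply lines in a tcpdump-like style, keeps both mappings, and raises alerts on the two conditions. The sample traffic and MAC addresses are constructed.

```python
import re
from collections import defaultdict

GATEWAY_IP = "172.14.0.4"  # the LAN gateway shown in the article's diagram

# Constructed ARP traffic in a tcpdump-like format (not a real capture).
SAMPLE_ARP = """\
Request who-has 172.14.0.4 tell 172.14.0.10
Reply 172.14.0.4 is-at 00:11:22:33:44:01
Reply 172.14.0.11 is-at 00:11:22:33:44:0b
Reply 172.14.0.4 is-at de:ad:be:ef:00:99
Reply 172.14.0.10 is-at de:ad:be:ef:00:99
"""

REPLY_RE = re.compile(r"^Reply (\S+) is-at ([0-9a-f:]{17})$", re.IGNORECASE)


def detect_arp_spoofing(lines, gateway_ip=GATEWAY_IP):
    """Return a list of (line_no, severity, message) alerts.

    Two conditions are flagged:
      * an IP address whose MAC changes (critical when it is the gateway),
      * a MAC address that claims more than one IP address.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []

    for line_no, line in enumerate(lines, 1):
        m = REPLY_RE.match(line.strip())
        if not m:
            continue  # requests and other traffic are not bindings
        ip, mac = m.group(1), m.group(2).lower()

        previous = ip_to_mac.get(ip)
        if previous and previous != mac:
            severity = "critical" if ip == gateway_ip else "warning"
            alerts.append((line_no, severity, f"{ip} changed from {previous} to {mac}"))
        ip_to_mac[ip] = mac

        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append((line_no, "warning", f"{mac} now answers for {claimed}"))

    return alerts


if __name__ == "__main__":
    for line_no, severity, message in detect_arp_spoofing(SAMPLE_ARP.splitlines()):
        print(f"line {line_no}: [{severity}] {message}")
```

A static ARP entry for the gateway on each host, or dynamic ARP inspection on a managed switch, prevents the poisoning rather than merely reporting it; the detector is what you run where neither is available.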
6. Automatic Proxy Discovery Attack
A web proxy is established in enterprises where security is a primary concern. All the web traffic passes through the proxy server after a thorough inspection of all the application layers for possible threats. WPAD (web proxy auto-discovery) is a protocol designed to assist clients in discovering the proxy automatically.
Although automatic proxy discovery saves time because every device doesn’t have to be configured individually, WPAD is susceptible to MitM attacks. If the system administrator doesn’t want to configure the proxy server locally, they have two options for publishing the location of the proxy file:
- DHCP (dynamic host configuration protocol): The web browser first looks for the proxy configuration on the DHCP server before it turns to DNS. DHCP is built on UDP and IP. A cybercriminal might set up a malicious DHCP server and send a single spoofed UDP packet with details about the proxy configuration to the browser to launch a DHCP attack. The installation of proper firewalls can protect you from this kind of attack.
- DNS (domain name system): Like DHCP, DNS also uses UDP; therefore, cybercriminals can intercept the communication by altering the proxy configuration packet. Additionally, when an organization uses the highest level of the domain to enable WPAD, attackers might benefit by spoofing a subdomain under the primary domain. For instance, if the browser query for x.y.z.com is sent, the DNS server will first query x.y.z.com. If there is no reply, it will query y.z.com. If there is no reply there, too, the browser will query z.com. If the organization has used z.com for enabling WPAD, the criminal might spoof another subdomain to launch an attack.
One method to protect yourself from an automatic proxy discovery attack is to turn off automatic proxy detection on your device. The following screenshot shows how to turn off automatic proxy detection in Windows.
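The DNS path described above is a name-walk: the client strips labels from its own domain and asks for a `wpad` host at each level, so the risk depends on where that walk stops. The following is an added example, not code from the original article or from any operating system: it lists the names a client on `pc1.x.y.z.com` would query, shows how a naive walk reaches `wpad.com` (a name outside the organisation), and filters the candidates against the zones the organisation actually controls. The stopping rule and the zone list are assumptions for the illustration.

```python
def wpad_candidates(fqdn, stop_labels=2):
    """Return the WPAD hostnames a DNS-based client would try, most specific first.

    The walk removes the host label, then repeatedly drops the leftmost label.
    stop_labels=2 halts at the second-level domain (z.com -> wpad.z.com).
    stop_labels=1 models the naive behaviour in the text, which continues to
    the top-level domain and so asks for wpad.com.
    """
    labels = fqdn.strip(".").lower().split(".")
    domain_labels = labels[1:]  # drop the host's own label
    candidates = []
    while len(domain_labels) >= stop_labels:
        candidates.append("wpad." + ".".join(domain_labels))
        domain_labels = domain_labels[1:]
    return candidates


def outside_org(candidates, org_zones):
    """Candidates that fall under no zone the organisation controls."""
    zones = [z.strip(".").lower() for z in org_zones]
    return [
        c for c in candidates
        if not any(c == f"wpad.{z}" or c.endswith("." + z) for z in zones)
    ]


def wpad_exposure_report(fqdn, org_zones):
    """Summarise which queried names the organisation does and does not own."""
    naive = wpad_candidates(fqdn, stop_labels=1)
    return {
        "queried": naive,
        "outside_org": outside_org(naive, org_zones),
        "safe_with_stop_at_2": outside_org(wpad_candidates(fqdn, stop_labels=2), org_zones) == [],
    }


if __name__ == "__main__":
    report = wpad_exposure_report("pc1.x.y.z.com", org_zones=["z.com"])
    for name in report["queried"]:
        flag = "OUTSIDE ORG" if name in report["outside_org"] else "ok"
        print(f"{name:<18} {flag}")
```

The defensive reading is that every name in the list must either resolve to a host you run or be guaranteed not to resolve at all; the names outside your zones are the ones you cannot guarantee, which is why turning auto-detection off is the simplest fix.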
7. DNS Spoofing
Next on our list of the types of man in the middle attacks: DNS spoofing. This type of attack occurs when a cybercriminal replaces a legitimate IP address in a DNS server’s records. By doing this, the attacker can misdirect site visitors’ clients to a fake website instead of the real one.
The domain name system (DNS) is a protocol for mapping a destination IP address when a request is raised by a client. When a request is raised for a specific website, the browser and the operating system (OS) look for a corresponding entry in the memory cache or the device’s internal storage. If it isn’t found there, the query is sent out to search for that IP address through different servers. When a matching IP address is found, the client is connected to it.
How Does a DNS Spoofing Attack Work?
With a fake DNS record, the user will be unaware that they are on a fake website and will use their login credentials to access their account. The MitM watches the fake website and can retrieve the client’s credentials from it. They can then use the credentials to log into the original website as the user, enabling them to retrieve all the information of the client.
The cybercriminal can go a step further and change the DNS records of a website to list their own website as the original one. This way, every time a client opens the website, they will be directed to the fake website. This method is called DNS poisoning or cache poisoning.
The DNS system is very much like an address book you keep to note down the addresses of your family and friends. If somebody changes the address on the address book, you might not know, but your letters will be delivered to the wrong person who can read and use them for malicious purposes. In the same manner, a cybercriminal spoofs the DNS records to carry out a DNS spoofing attack.
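A forged record can only enter the address book if the resolver accepts it, so the defensive question is what a resolver checks before caching an answer. The following is an added example, not code from the original article or from any resolver: it models a query and two responses as plain dictionaries and applies the checks a resolver performs (transaction ID and port must match the outstanding query, the question section must match, and records for names outside the answering server’s zone are refused). The message structure and sample records are constructed for the illustration.

```python
import secrets


def make_query(qname, qtype="A"):
    """Outstanding query state a resolver keeps: random ID and random source port.
    Both are what a spoofer has to guess; together they are 32 bits of entropy."""
    return {
        "id": secrets.randbelow(65536),
        "src_port": 1024 + secrets.randbelow(65536 - 1024),
        "qname": qname.lower().rstrip("."),
        "qtype": qtype,
    }


def in_bailiwick(name, zone):
    """True if name is the zone itself or lies beneath it."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate_response(query, response, server_zone):
    """Return (accepted, reason) for a response to the given query.

    server_zone is the zone the queried server is authoritative for; records
    for other names (a classic way to plant a forged entry) are discarded.
    """
    if response["id"] != query["id"]:
        return False, "transaction ID mismatch"
    if response["dst_port"] != query["src_port"]:
        return False, "destination port does not match query source port"
    question = (response["qname"].lower().rstrip("."), response["qtype"])
    if question != (query["qname"], query["qtype"]):
        return False, "question section mismatch"
    for rr in response["answers"] + response["additional"]:
        if not in_bailiwick(rr["name"], server_zone):
            return False, f"out-of-bailiwick record for {rr['name']}"
    return True, "ok"


def response_for(query, answers, additional=(), id_override=None, port_override=None):
    """Build a constructed response; overrides let the example show a forgery."""
    return {
        "id": query["id"] if id_override is None else id_override,
        "dst_port": query["src_port"] if port_override is None else port_override,
        "qname": query["qname"],
        "qtype": query["qtype"],
        "answers": list(answers),
        "additional": list(additional),
    }


if __name__ == "__main__":
    q = make_query("www.example.com")
    genuine = response_for(q, [{"name": "www.example.com", "type": "A", "data": "192.0.2.1"}])
    wrong_id = response_for(q, [{"name": "www.example.com", "type": "A", "data": "203.0.113.5"}],
                            id_override=(q["id"] + 1) % 65536)
    planted = response_for(q, [{"name": "www.example.com", "type": "A", "data": "192.0.2.1"}],
                           additional=[{"name": "login.other-bank.example", "type": "A",
                                        "data": "203.0.113.5"}])
    for label, resp in (("genuine", genuine), ("wrong id", wrong_id), ("planted", planted)):
        print(f"{label:>9}: {validate_response(q, resp, 'example.com')}")
```

These checks are what make blind spoofing expensive rather than impossible; DNSSEC validation, which the example does not model, is what removes the guesswork entirely by signing the records themselves.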
8. BGP Misdirection
BGP misdirection is an attack where a cybercriminal redirects the internet traffic to a malicious route by spoofing the IP prefixes.
The border gateway protocol (BGP) is the routing protocol for the internet. It is like a grid that connects all the networks to each other. Generally, the BGP protocol is responsible for finding the best route for the requests raised by the devices. The protocol accesses the DNS records of the website to direct any query from the clients to the correct IP address.
How Does a BGP Misdirection Attack Work?
So, what is BGP misdirection? Well, this type of man in the middle attack is exactly what the name implies — it’s a malicious misdirection of BGP protocol to reroute the traffic through a cybercriminal-controlled network. As traffic passes through this spoofed network, the bad guy will be able to intercept, read, or even change the data before it reaches its destination.
One of the contributing factors in making a BGP misdirection attack successful is that the server and the client are unaware that their data is intercepted. A cybercriminal can easily stay undetected and intercept a huge amount of traffic.
Let’s understand BGP misdirection with the help of an example. If you are around lower Manhattan and want to drive to Central Park you’ll follow the road signs and reach your destination. Normally, you won’t have to go through Brooklyn to reach Central Park. But what if a malicious person wants you to take a route via Brooklyn? They might tweak the road signs to misdirect the traffic so that it passes through Brooklyn. An unsuspecting person might not even realize they are being misdirected because ultimately, they will reach Central Park.
BGP is akin to a GPS system on your phone. It directs all the computing devices to their destination via the shortest possible route. However, cybercriminals use BGP misdirection to route all the desired traffic through a node under their control. This way, they can monitor and intercept the network traffic. The users and the server aren’t aware that redirection has taken place, and they continue to communicate as if no one is watching.
In a recent BGP misdirection event, Vodafone’s autonomous network based in India had a BGP routing leak that impacted many U.S. companies, including Google. Unusually, the leak was a result of a mistake, not a malicious attack. While the misdirection lasted for just 10 minutes, countless users around the world were affected, causing a huge spike in traffic. Basically, it became a self-inflicted DDoS attack for Vodafone.
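Whether a route change is a deliberate misdirection or an accidental leak like the one described above, the detection logic is the same: compare what is being announced against who is allowed to originate each prefix, which is what RPKI route origin validation automates. The following is an added example, not code from the original article or from any routing software: it holds a constructed table of expected origin ASNs, walks a constructed set of announcements, and classifies each as valid, unknown, or invalid, distinguishing a more-specific hijack from a plain wrong-origin announcement. All prefixes and ASNs are from documentation ranges and are assumptions for the illustration.

```python
import ipaddress

# Constructed allow-list: prefix -> set of ASNs permitted to originate it
# (the information an RPKI ROA or an IRR route object would supply).
EXPECTED_ORIGINS = {
    ipaddress.ip_network("198.51.100.0/22"): {64500},
    ipaddress.ip_network("203.0.113.0/24"): {64501},
}

# Constructed announcements seen by a monitor: (prefix, origin ASN, AS path)
OBSERVED = [
    ("198.51.100.0/22", 64500, [64510, 64500]),          # as expected
    ("198.51.100.0/24", 64666, [64510, 64666]),          # more-specific, wrong origin
    ("203.0.113.0/24", 64501, [64510, 64520, 64501]),    # longer path, right origin
    ("203.0.113.0/24", 64666, [64510, 64666]),           # same prefix, wrong origin
    ("192.0.2.0/24", 64502, [64510, 64502]),             # nothing recorded for it
]


def covering_expectation(prefix):
    """Most specific expected prefix that covers the announced prefix, or None."""
    best = None
    for net, origins in EXPECTED_ORIGINS.items():
        if prefix.version == net.version and prefix.subnet_of(net):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, origins)
    return best


def classify_announcement(prefix_str, origin_asn, as_path):
    """Return (status, detail) with status in {'valid', 'invalid', 'unknown'}."""
    prefix = ipaddress.ip_network(prefix_str)
    # The origin is by definition the last ASN in the path; a mismatch is malformed.
    if as_path and as_path[-1] != origin_asn:
        return "invalid", "origin ASN does not match the end of the AS path"
    match = covering_expectation(prefix)
    if match is None:
        return "unknown", "no expected origin recorded for this prefix"
    net, origins = match
    if origin_asn not in origins:
        kind = "more-specific hijack" if prefix.prefixlen > net.prefixlen else "origin hijack"
        return "invalid", f"{kind}: AS{origin_asn} not in allowed {sorted(origins)} for {net}"
    return "valid", ""


def audit(observed):
    """Classify every observed announcement."""
    return [(prefix, *classify_announcement(prefix, origin, path))
            for prefix, origin, path in observed]


if __name__ == "__main__":
    for prefix, status, detail in audit(OBSERVED):
        print(f"{status:8} {prefix:<18} {detail}")
```

The more-specific case matters most in practice: because routers prefer the longest matching prefix, a /24 carved out of a legitimate /22 draws the traffic even though the /22 is still being announced correctly, so a monitor that only compares exact prefixes would miss it.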
SSL Beast (Browser Exploit Against SSL/TLS)
‘Beast’ stands for browser exploit against SSL/TLS. In an SSL beast attack, cybercriminals use the vulnerabilities created when a website uses outdated SSL/TLS certificates to gain access to the site’s communications. We’re including this on our list of the different types of man in the middle attacks because it’s something you should be aware of when trying to understand what the attacks are so you can prevent them from occurring in the future.
One of the best defenses against this type of MitM attack is having an SSL certificate for your website. However, if you are still using TLS 1.0 or any version of SSL, you are prone to an SSL beast attack. The SSL beast attack plays on vulnerabilities in these protocols to launch a man in the middle attack.
TLS encryption uses block ciphers with symmetric encryption. The popular block ciphers are DES, 3DES, and AES. SSL/TLS uses cipher block chaining (CBC) to chain the blocks with the previous one using logical XOR operation. Thus, the value of every block is dependent on the value of the previous block. The problem arises when it is time to send the last block. The last block might not have enough data to fill it, and so it’s padded with random content.
How Does an SSL Beast Exploit Attack Work?
If the attacker wants to break the encryption, they need to know the initialization vector for the string. They can attack the block cipher by trying different combinations and comparing them using the initialization vector. If the block is 16 bytes, the attacker would have to try 256^16 different combinations to guess it correctly. That’s a Herculean task.
To make it easier, the attacker carries out the SSL beast attack, where they test one byte at a time. Guessing a single byte takes at most 256 attempts; once that byte is confirmed, they carry out the same process for the next byte. The following figure represents the SSL beast attack.
Due to the complexity of the process, SSL beast attacks are not that common. However, if you are using any protocol below TLS 1.1 (which you shouldn’t be since it was deprecated), you should be warned that you are vulnerable to this type of attack. The obvious security option is to upgrade your security protocol regularly to keep your communication secure.
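The practical defence stated above, refusing the protocol versions the attack targets, is a configuration decision, and it can be verified in code rather than assumed. The following is an added example, not code from the original article: it builds a client TLS context with Python’s standard `ssl` module that sets TLS 1.2 as the floor and restricts the cipher list to AEAD suites (which do not use CBC mode), then provides checks that report whether any legacy version or non-AEAD suite would still be accepted. The cipher-string syntax is OpenSSL’s; the policy thresholds are assumptions for the illustration.

```python
import ssl

# Versions the BEAST technique applies to (SSL 3.0, TLS 1.0) plus TLS 1.1,
# which is deprecated alongside them.
LEGACY_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def hardened_client_context():
    """Client context that refuses TLS < 1.2 and CBC-mode cipher suites."""
    ctx = ssl.create_default_context()          # certificate verification stays on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Only ECDHE key exchange with AEAD bulk ciphers; TLS 1.3 suites are unaffected
    # by this string and are all AEAD as well.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def version_allowed(ctx, version):
    """Would this context negotiate the given TLS version?"""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    lo_ok = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or version >= lo
    hi_ok = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or version <= hi
    return lo_ok and hi_ok


def allows_legacy(ctx):
    """Names of legacy versions the context still permits (empty when hardened)."""
    return [v.name for v in LEGACY_VERSIONS if version_allowed(ctx, v)]


def non_aead_suites(ctx):
    """Enabled cipher suites that are not AEAD, i.e. the CBC+HMAC family."""
    suites = []
    for cipher in ctx.get_ciphers():
        is_aead = cipher.get("aead")
        if is_aead is None:                      # older OpenSSL lacks the flag
            is_aead = "Mac=AEAD" in cipher.get("description", "")
        if not is_aead:
            suites.append(cipher["name"])
    return suites


def minimum_version_name(ctx):
    return ctx.minimum_version.name


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum version :", minimum_version_name(ctx))
    print("legacy allowed  :", allows_legacy(ctx) or "none")
    print("non-AEAD suites :", non_aead_suites(ctx) or "none")
```

The same two properties (a version floor and an AEAD-only suite list) are what to look for in a server configuration or a scanner report; the Python context is simply a place where both can be asserted automatically in a test suite.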
Final Words on the Different Types of MitM Attacks
We hope this article has answered your two-part question, “what are the different types of man in the middle attacks and how do they work?” As all of these types of MitM attacks are carried out using different techniques, they require different methods of prevention. We will learn about the detailed man in the middle attack prevention methods in our next article in this series.
Circling back to the movie spy character we mentioned at the beginning of the article… while these characters are the ones we cheer on in movies, real life often doesn’t match that idealistic model. In real life, we know this person is not always on the good guys’ side. And, if we encounter this person in real life, they certainly won’t give us a reason to cheer, because now we know how dangerous these different types of man in the middle attacks can be.