The National Security Agency (NSA) published guidelines to chuck older versions of SSL/TLS and switch to the more secure TLS 1.2 or 1.3. The reason? An influx of malware attacks, including the dreaded man in the middle attacks. But what exactly is a man in the middle attack (MitM)? Let’s find out.

According to Edgescan, the most common internal (16.8%) and external (2.72%) vulnerability and exposure (CVE) observed in 2020 was Logjam (CVE-2015-4000). This weakness, discovered by a group of researchers back in 2015, affects cryptosystems using Diffie-Hellman key exchanges of specific key strengths. Its purpose? To carry out cipher downgrades to facilitate man in the middle (MitM) attacks on insecure connections between parties. If none of this means anything to you, don’t worry; we’re going to break it all down for you.

This article will answer several key questions: What is a man in the middle attack? How does a MitM attack work? We’ll also explore a few examples.

What Is a Man in the Middle Attack? An MitM Definition & Explanation

A man in the middle attack (MitM) is a type of cyber attack wherein an attacker intercepts the communications or data transmissions between two parties (such as a web server and user’s browser) in transit. As such, this type of attack is known as an eavesdropping attack, and this type of cyber attack can target website connections, wireless network connections, and other channels

In a traditional man in the middle attack, a cybercriminal positions themselves between the two parties with the goal of intercepting the data in transit to read, steal, or change it without the knowledge of the communicating parties. A man in the middle attack undermines one or both of your assumptions regarding data security and integrity:

  • No one but you and the server you’re connected to can see your data transmissions, and
  • Your data transmissions online are sent and received in an unaltered state.

But MitM attacks aren’t just about eavesdropping. A cybercriminal also can impersonate either or both communicating parties to reap the maximum benefits by gaining unauthorized access to the user’s legitimate account or session. This is easy to do if the two parties don’t have a way to verify each other’s identities. And considering that most devices (including laptops, mobiles, IoT devices, and even tablets) use the internet to communicate and transfer data, a cybercriminal might hijack any of these communication channels to carry out MitM attacks.

A MitM Attack Is Like Someone Picking Up During a Rotary Phone Conversation…

Do you remember the landline phones from years ago? Then you might also remember your mom suddenly picking up the other line while you were on call with one of your friends. She would usually apologize and hang up the phone, but if she continued to listen, she would be able to hear every word you both spoke. A man in the middle attack is very much like this “mom in the middle” scenario: A person places themselves or a device in a position where they can read, record, and alter online communication. The following video explains a classic MitM attack:

Purpose Behind a Man in the Middle Attack

So, what exactly do MitM attacks allow threat actors to do? The purpose is generally to:

  • Steal personal information or login credentials
  • Steal payment-related information (bank account numbers, credit card information, and so on)
  • Alter data transmissions so that neither party is aware of the modified data,
  • Insert malicious software, links, or data into the communication channel.

For example, after intercepting and manipulating data, a cybercriminal can use this information to make money. Or, if they steal login credentials, they can use that information to gain unauthorized access to the victim’s account.

A MitM attack can be a part of a larger cyber attack where cybercriminals collect information by intercepting a target’s data transmissions. They might even direct the target to a phishing website to collect their sensitive data.

After the attacker collects the information, including username, password, credit card details, and bank account details, they can use it during the infiltration stage of an Advanced Persistent Threat (APT) attack.  

Dangers of Man in the Middle Attacks

The damage a MitM attacker can cause reaches far beyond gaining access to your communications. The effects of a MitM attack on a small business can be outright disastrous. Let’s look at some of the worst dangers of a man in the middle attack from the perspective of a small business:

  • Data breaches: A man in the middle attack often results in a breach of customers’ private data, including credit card details. According to the IBM Cost of Data Breach Report 2021, businesses faced an average loss of $18.9 million after a data breach. Of this loss, $10.5 million was due to loss of business. It’s very hard to come back from that kind of loss.
  • Heavy fines: When there is a data breach, the Payment Card Industry Data Security Standard (PCI DSS) might slap fines on the business. IBM reported that companies that suffered data breaches paid out an average of $5 million in compliance-related costs (penalties, fines, lawsuits, etc.). A business might have to follow other regulations like GDPR or CCPA if it falls under their purview. In case of a breach, the business would also be liable to pay the fines applicable under these regulations.
  • Reputational harm and losses: A man in the middle attack can cause enormous damage to the reputation of a business. According to a study by PWC, 31% of consumers surveyed would switch to another business if a company they used suffered a data breach.

With all of this in mind, let’s answer the question: “how does a man in the middle attack work?”

How Do Man in the Middle Attacks Work?

In a man in the middle attack, an attacker insinuates themselves at different points in the chain of communication between the server and the client. For example, this could be placing themselves between a user’s browser and the website server they’re connecting to or between a network user and a web application.

The attack itself gets carried out in two steps: interception, followed by attack on the data’s encryption protections. A cybercriminal might be able to intercept all the data transferred between the client and the server, but only when they can break the encryption barrier can they actually use the data.

To understand how many in the middle attacks work, you should have at least a basic understanding of how data transfers between nodes on the internet. Why? Because a MitM attacker can garget any TCP/IP port. Now, we’re not going to go into all of those technical details here — so, here’s a resource you can check out to learn more about what transmission control protocols/internet protocols (TCP/IP) are so you have a better understanding of what they do.

The takeaway here is that although these protocols are designed to support endpoint authentication and other security measures to keep out attackers, cybercriminals have developed techniques to neutralize these checks and launch MitM attacks. Let’s look at some of these techniques to understand man in the middle attacks better.

Man in the Middle Attack Techniques

A cybercriminal can employ different techniques to carry out MitM attacks, which form two steps – interception of data and attacking any encryption that’s in use. 

Step One: Intercept the Data in Transit

Interception of data is primarily an attack on confidentiality. A MitM attack can allow the attacker to access the data in motion, and many attacks are not detected until it is far too late. The bad guys can record communication and gather information for a long time before the attack morphs into a full-fledged cyber attack.

There are two main methods to intercept data:­

  1. Intercept the data close to the two communicating nodes: Intercepting data on the communicating nodes can be achieved by installing malicious software on the communicating devices. An attacker can install malicious software without the victim’s knowledge using phishing emails or by luring the victim to use seemingly harmless devices with malicious software installed. You should remember that the criminals can install malware on either of the communicating nodes, server, or client if they have the right access.
  • Divert the whole communication through a node controlled by the attacker: The second method used to intercept data is redirecting all the traffic to a node controlled by the bad guys, without the server or client becoming aware. They would think that they are communicating with a legitimate party privately.

This redirection of data can be achieved through one of several techniques, including:

MitM Attack Technique 1: IP Spoofing

IP spoofing involves tweaking the IP headers to redirect traffic to a node of the attacker’s choosing. 

Internet Protocol (IP) is the set of rules for the system that allows you to transmit data via the internet. Every device has its own IP address — a string of characters or numbers that uniquely identifies each machine — to identify it online. The data is transferred on the internet in data packets. By altering the IP headers of the data packets (i.e., spoofing), an attacker can misdirect website visitors to malicious websites controlled by them.

MitM Attack Technique 2: ARP Spoofing

An address resolution protocol (ARP) spoofing attack is one that focuses on intercepting communications between devices on a network. In basic terms, this attack is carried out by diverting traffic from a legitimate device to one controlled by the attacker. This is done by linking its media access control (MAC) address to the victim’s IP address. This tricks both legitimate devices into communicating through the imposter device rather than directly with each other — and they don’t know it.

MitM Attack Technique 3: Automatic Proxy Discovery

Web proxy auto discovery (WPAD) is a process by which the system identifies the web proxy server and sends requests on behalf of the client. WPAD is primarily used in organizations with high security requirements, but it can be weaponized for intercepting client communications in local area networks (LANs). The attacker might sniff or inject traffic when it transfers through the proxy by altering the proxy auto-config (PAC) file.

MitM Attack Technique 4: DNS Spoofing

Domain name system (DNS) spoofing is a technique attackers use to divert users to fake websites. They do this by altering the DNS address records of a website on the DNS server.

DNS records provide all the information about a domain, including the IP address associated with that domain. These records are stored on the DNS servers and direct requests sent to the related domain to the correct address. A criminal can penetrate the server and alter these records to direct all the requests to a malicious site instead of the intended one.

MitM Attack Technique 5. BGP Misdirection

The border gateway protocol (BGP) is the routing protocol for the internet. It provides direction to traffic transmitted on the internet. The BGP recognizes the IP addresses, loads them, and finds them by looking into the DNS records of a website. BGP misdirection is an attack where a criminal redirects internet traffic by spoofing the IP prefixes.

To carry out this type of MitM attack, a criminal can redirect the traffic to a node under their control. BGP misdirection attacks take place on a massive scale, affecting huge numbers of devices at once.

Step Two: Attack the Data Security Measures (Encryption)

A popular technique to prevent man in the middle attacks is to encrypt communication with TLS. If cybercriminals do manage to intercept the encrypted data, they won’t be able to decrypt it without having the necessary decryption key on hand. Unfortunately, it is possible to alter or bypass the encryption protocol so that the attackers can read the stolen information.

The most common methods used to attack encryption are as follows:

MitM Attack Technique 6: HTTPS Spoofing

On the web, data is transferred securely between client and server using an application-level protocol called hypertext transfer protocol secure (HTTPS). The “S” represents a secure transfer of data using strong TLS encryption, but unfortunately bad guys can use their expertise to spoof the HTTPS protocol and hack into victim’s systems.

Hackers create a fake website that masquerades as a legitimate one and register a similar domain name. They then buy an SSL certificate under this spoofed domain name. Then a link containing the URL of the fake website is sent to the victim, luring them to click on it. The victim clicks on the link and finds a secured website with a legit SSL certificate. Bingo! The attacker successfully gets into the victim’s system.

Experts sometimes go back and forth regarding the categorization of this type of attack — it’s sometimes viewed as a type of phishing attack rather than a MitM attack.

MitM Attack Technique 7: SSL Hijacking

A man in the middle attack that involves replacing the user’s legitimate session key with a fake one during the TCP handshake is called SSL hijacking.

A cybercriminal intercepts the conversation between the user and the website during the TCP handshake and sends phony encryption keys to both parties. The user and the website are unaware of the hijack and carry on communicating normally. The attacker can then access and control the communication to suit their needs.                           

MitM Attack Technique 8: SSL Stripping

This type of man in the middle attack, known as an SSL stripping or downgrade attack, involves a cybercriminal downgrading the encryption protocol used by the website from HTTPS to HTTP. This allows the attacker to exploit vulnerabilities in earlier versions of the SSL/TLS protocols.

Image caption: A picture depicting a cybercriminal downgrading the security protocol of a fictional website,

What this does is ensure that the user only loads the unencrypted version of the website while the criminal logs in as the user on the actual encrypted site. The attacker will be able to see, store, and alter the user’s session by SSL stripping because they sit in the middle of the connection and can access everything.

A Real-World Example of a Man in the Middle Attack

In early 2020, Checkpoint researchers discovered that a new variant of Cerberus malware was targeting a multinational corporation by creeping into the company’s mobile device manager (MDM) server. Three-quarters (75%) of the corporation’s devices were affected by the malware. Once installed, this malware was programmed to perform many malicious tasks, including collecting and transmitting data and taking control of the devices.

The following figure is a visual representation of the MitM attack:

An example of a man in the middle attack targeting an MDM server.
A depiction of a MitM attack targeting a MDM server.

Because the victims had accessed their company devices via their mobiles using their legitimate credentials, the attackers were able to collect these credentials and gain access to the company devices. All the devices related to the corporation had to be reset to factory settings to remove the malware, resulting in huge losses.

This example using a company’s MDM highlights how alarming the situation can be. The MDM intended to secure the corporation was used to penetrate the company networks, resulting in a mass MitM attack.

How to Prevent a Man in the Middle Attack

Cybercriminals might place themselves at any of the junctures along the communication chain to intercept the conversation; that’s how a man in the middle attack works. Now, let’s explore some of the ways to prevent man in the middle attacks.

Use SSL/TLS Certificates

As a business owner, if you don’t have an SSL/TLS certificate on your eCommerce site, an attacker might intercept and steal your customers’ private data. A valid SSL/TLS certificate ensures that even if a criminal finds a way to intercept the data, they will only see gibberish instead of meaningful information. This is because using an SSL/TLS certificate enables:

  • Your server to authenticate (prove its identity) to the user’s client so the client knows it’s talking to the legitimate server, and
  • Both parties to communicate securely, encrypting data in transit using the secure HTTPS protocol so the communications can be read by the legitimate parties.

Here’s a quick overview of what a secure SSL/TLS connection looks like in comparison to an insecure HTTP connection:

A basic diagram showing the difference between different types of connections (HTTP vs HTTPS) in a secure channel versus a man in the middle attack
A visual representation of a man in the middle attack and the difference between a secure (HTTPS) and insecure (HTTP) risky connection

Detecting man in the middle attacks is difficult, and the methods vary depending on the type of attack. Thankfully, there are other measures you can implement to protect yourself from man in the middle attacks:

Secure Your Network

  • Use a VPN for your online traffic
  • Introduce multi-factor authentication for your network
  • Secure your Wi-Fi with a strong password
  • Use separate Wi-Fi for guests
  • Use authentic software from well-known developers and keep it up to date

Train Your Employees

  • Use multi-factor authentication for online accounts and encourage your employees to do the same
  • Use healthy password policies requiring long and unique passwords for all accounts
  • Use zero-trust networking principles to limit access to sensitive data
  • Discourage your employees from using non-HTTPS websites

Use Security Measures

  • Install an intrusion detection system (IDS)
  • Audit your systems regularly
  • Limit the number of login attempts for all users

Final Words on Man in the Middle Attacks

A man in the middle attack is when a cybercriminal places themselves between two communicating parties on the web. Depending on where the bad guys place themselves, the techniques involved can vary. Of course, this means that the methods of man in the middle attack prevention vary as well based on the method of attack used.

We can never achieve 100% security in our organizations, but when we know more about what we’re dealing with, it becomes easier to tackle cybersecurity problems. In the next related articles in this series, we’ll look at the different types of man in the middle attacks as well as several man in the middle attack prevention methods.


Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.