What is a man-in-the-middle attack?

Features
By
Contributions from
published

A man in the middle cyber attack can be tricky to spot. Here's how to stay safe!

Hacker in hoodie
(Image credit: Shutterstock)
Jump to:

If you've seen any classic hacker movies, you may be familiar with the concept of the bad guys (or even the good guys!) hacking into their adversary's communications to monitor their goings-on and even putting out incorrect information into these communications.

While many things are just the result of movie magic, these hacking attacks are actually not the stuff of fiction. They're very real, and they're called man-in-the-middle attacks. 

Essentially, a man-in-the-middle (MitM) attack is one where an attacker positions themselves between two communicating parties to intercept and/or alter data traveling between them. In doing so, they can impersonate one of the parties to convince the other they are having an authentic interaction, or steal data. 

In this article, we'll be exploring MitM attacks from how they work to how you can protect yourself from them. 

A stock image of a hacker using a computer to infect a server with a virus

(Image credit: Getty Images)

What is a man-in-the-middle attack?

Also referred to as "on-path" attacks, a man-in-the-middle cyber attack is a general term for when a malicious actor (often a hacker or criminal) positions themselves in the middle of an online conversation or data exchange between two parties. Typical examples include conversations between a client and a server, or between a user and an application. 

For instance, imagine if your mailman were to open your bank statement, write down the details of your account, and then re-seal the envelope and deliver it to your door as if nothing happened. Kinda scary, right? This is pretty much what happens during an MitM attack.

The hacker's goal can be to merely eavesdrop on the exchange, steal personal information (such as credit card numbers, account details, or login credentials), or outright impersonate one of the parties involved. Therefore, the targets of man-in-the-middle attacks are typically the users of e-commerce sites, SaaS businesses, financial applications, and other websites that require logging in.

There are countless other uses for the information obtained during these attacks. Examples include an illicit password change (goodbye, Netflix account!), unapproved fund transfers, or (the scariest one in my book) – identity theft. Regardless, in all cases, the malicious actor makes it appear as if a normal exchange of information is underway, so as not to arouse suspicion.

man sat at darkened desk working on laptop and desktop

(Image credit: Shutterstock)

What is an example of a man-in-the-middle attack?

Although I'm sure you realize the importance of continuously improving your online security, here are two real-world examples of man-in-the-middle cyber attacks that occurred just three years apart. 

The first one took place in 2014, when Lenovo machines were distributed to customers with adware installed. Specifically, the adware in question was Superfish Visual Search adware, which enabled attackers to create and deploy ads on encrypted web pages, and alter Secure Sockets Layer (SSL) certificates to add their own (SSL – the standard technology for securing an internet connection by encrypting data sent between a website and a browser, or between two servers).

As a result, this man-in-the-middle attack made it possible for hackers to view the login data and web activity of anyone browsing on Internet Explorer or Chrome. Luckily, just a few days after discovering the vulnerability, security software vendors like McAfee and Microsoft coordinated directly with Lenovo to create and roll out software updates to remove Superfish adware.

The second incident occurred in 2017, when a confirmed data breach (caused by website spoofing – a general term for online scammers disguising their identity for malicious purposes) at the American credit bureau company, Equifax, exposed more than 143 million Americans. 

Specifically, Equifax' official website used a shared SSL for hosting at the time, with countless other websites using that same certificate. Attackers exploited this by using fake websites to inflict SSL and DNS spoofing, and intercept data from the site or redirect users to a phony website. 

Upon discovering the hack, the company set up equifaxsecurity2017.com, a website that enabled users to see whether they were impacted by the breach. Overall, the Equifax man-in-the-middle cyber attack put 2.5 million customers at risk, skyrocketing the total number of those affected by it to a whopping 145.5 million users.

How can I tell if I'm being targeted by a man-in-the-middle attack?

The main reason why it's hard to detect you're being targeted by an MitM attack is that these attacks are specifically designed to not make you suspicious. If you're thinking, "well, how am I supposed to discover them then?," there's good news. Below, I offer you several red flags that, if spotted, could mean that you're currently being targeted: 

  • Frequent, random disconnections. While this can be symptomatic of many different problems—including trouble on the part of your internet provider, or simply misconfigured network settings—it can also be a sign of a man-in-the-middle attack. How can you be sure? I'd say it's worth considering you're under an MitM attack if you're experiencing this issue and you've already ruled out all other possible causes. 
  • Phony websites. To make MitM attacks appear legitimate, cybercriminals go to great lengths to create fake websites, all the while counting on your carelessness. However, there are usually subtle differences in logos, colors, or fonts. Check the website's URL carefully if something doesn't look quite right. For instance, look for https:// (genuine) vs. http:// (fake), or website.com (genuine) vs. websites.com (usually fake) etc. 
  • Very slow loading times for websites or apps. Again, using common sense is your best friend anytime you're online. If you know for a fact there are no issues with your internet provider's speed or other connection irregularities, and the site or app you've previously visited countless times is taking forever to load—you may want to consider you're the target of a man-in-the-middle attack. After all, better safe than sorry. 

A hand typing at a computer in a dark room, lit up by the laptop's keyboard LEDs and red LED light

(Image credit: Getty Images)

How can I protect myself from a man-in-the-middle attack?

Protecting yourself against MitM attacks begins—like most things in life—with awareness. To that end, always keep your wits about you and remember that man-in-the-middle attacks can occur through a number of ways:

  • Phishing attacks 
  • Hacking into unprotected routers 
  • Hijacking web servers 
  • Hijacking into public networks 

Now that you know how most MitM attacks tend to manifest themselves, here's how you can improve your chances of staying safe from them online: 

  • Phishing attacks. Phishing is the practice of stealing personal information, such as usernames, email addresses and passwords, across any type of online activity. Between the various types of these scams in existence, such as spear phishing, SMS text-message phishing ("smishing"), and voice phishing ("vishing"), your safest bet is to stay vigilant and never give away any information online. Because I'm limited by space (and time, lol), and due to my aforementioned professional deformation of ranting endlessly about topics I'm passionate about, you can learn more about these types of attacks in our What are phishing scams and how to avoid them deep-dive. 
  • Hijacking into unprotected routers. Unfortunately, most of the network gateways and Wi-Fi routers used by home customers are improperly secured, and therefore, typically not safe enough. To battle this, you can try an array of strategies. For example, ensure the router and cable modem are not a single device, change the administrative credentials from the default username and password, set your router to use the 5-GHz band for Wi-Fi, or disable HNAP, UPnP, SSH, Telnet and PING (if possible). Here's an in-depth look at how to fix your router's security
  • Hijacking web servers. Web servers are computers that run an operating system, and are connected to a database to run multiple applications. Their primary responsibility is to show website content by storing, processing, and distributing web pages to users. Any attempt to undermine the security of a web-based application by a malicious actor is called a web server attack. Staying safe from this type of MitM attacks is typically best done by keeping your operating system updated, not connecting to public Wi-Fi networks, using the latest version of an anti-virus program, and backing up your data.
  • Hacking into public networks. Connecting to unsecured public networks means your data becomes vulnerable to snoopers and cybercriminals who exploit these networks' typically lax security. Essentially, using a VPN is non-negotiable in this day and age to encrypt your security connection and shield your data from potential eavesdroppers and attackers. Here's a detailed rundown of why you need to use a VPN on public Wi-Fi
Aleksandar Stevanović
Freelance Writer
With contributions from