The term man in the middle (MITM) refers to a cyberattack in which a threat actor positions themselves within a conversation between an application and a user. The aim may simply be to eavesdrop and collect private data, or to masquerade as a trusted entity so that a normal, safe exchange of information appears to be taking place.
What is the purpose of a MITM attack?
MITM attacks mainly aim to steal personally identifiable information (PII) such as usernames and passwords, account numbers, or credit card details. Attackers employing MITM tactics usually target users of financial apps, e-commerce websites, and Software as a Service (SaaS) sites, along with other online services where login credentials are required to gain access.
The PII acquired in a MITM attack can be exploited in several ways, such as unauthorised transfers of funds, identity theft, or unapproved password changes. A more serious implication is that MITM attacks are often used as a first step by attackers to gain a foothold inside a company's defences; in an advanced persistent threat (APT) attack, this is known as the infiltration phase.
Intercepting and decrypting data
The initial step of a MITM attack is to route user traffic through the threat actor's network before it reaches its intended recipient. The easiest and most common way to accomplish this is to make a maliciously created Wi-Fi hotspot publicly available. Once the target connects to the malicious hotspot, the attacker can see any data the victim exchanges online. While this is a passive tactic, some threat actors favour a more active method of interception.
IP spoofing is one such approach: the attacker impersonates an application by altering the headers of IP packets, so that victims trying to reach a URL belonging to the app are redirected to the attacker's website instead. ARP spoofing is another active method of interception: the attacker links their own MAC address to a legitimate host's IP address on a local area network (LAN) by sending bogus ARP messages. As a result, any data a user sends to that IP address is delivered to the attacker instead of to the intended host.
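As a defender's view of the ARP spoofing just described, here is an added example (not part of the original article) that replays constructed tcpdump-style ARP reply lines and flags the two symptoms of a poisoned LAN: an IP whose announced MAC changes, and one MAC answering for several IPs. The sample lines, addresses and function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample in tcpdump -n style (not a real capture). 192.168.1.1 is
# the gateway; cc:cc:cc:cc:cc:66 is a host that later answers for other IPs.
SAMPLE_TCPDUMP_LINES = """\
12:00:01.000 ARP, Reply 192.168.1.1 is-at aa:aa:aa:aa:aa:01, length 28
12:00:02.000 ARP, Reply 192.168.1.20 is-at bb:bb:bb:bb:bb:20, length 28
12:00:03.000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:03.500 ARP, Reply 192.168.1.66 is-at cc:cc:cc:cc:cc:66, length 28
12:00:04.000 ARP, Reply 192.168.1.1 is-at cc:cc:cc:cc:cc:66, length 28
12:00:05.000 ARP, Reply 192.168.1.20 is-at cc:cc:cc:cc:cc:66, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


def parse_arp_replies(text: str) -> List[Tuple[str, str, str]]:
    """Extract (timestamp, sender_ip, sender_mac) from ARP Reply lines.
    Requests and unrelated lines are ignored."""
    out = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            out.append((m["ts"], m["ip"], m["mac"].lower()))
    return out


def detect_arp_spoofing(replies, allow_shared: Set[str] = frozenset()):
    """Return (timestamp, reason) alerts for two poisoning symptoms:
      1. an IP whose announced MAC differs from the one first learned;
      2. one MAC announcing more than one IP (answering for the gateway as
         well as itself). MACs in allow_shared, e.g. a router that really
         holds several addresses, are exempt from check 2."""
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Tuple[str, str]] = []
    for ts, ip, mac in replies:
        learned = ip_to_mac.setdefault(ip, mac)  # first MAC seen for this IP
        if learned != mac:
            alerts.append((ts, f"{ip} moved from {learned} to {mac}"))
        mac_to_ips[mac].add(ip)
        if mac not in allow_shared and len(mac_to_ips[mac]) > 1:
            alerts.append((ts, f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for ts, reason in detect_arp_spoofing(parse_arp_replies(SAMPLE_TCPDUMP_LINES)):
        print(ts, reason)
```

Legitimate events such as a DHCP reassignment or a replaced network card also change an IP's MAC, so alerts of the first kind should be correlated with the asset inventory rather than acted on blindly.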
After successful interception, the traffic must be decrypted without alerting either the application or its user. This can be achieved with phony certificates through HTTPS spoofing, SSL hijacking, and browser exploits, among other tried and tested methods.
At Galaxkey, we have developed a secure workspace where enterprise personnel can send and receive data safely. Featuring premium-level encryption for sensitive information, our system also includes robust verification measures to ensure your data is never intercepted, whether it is being shared or stored. Contact our team today and test drive our system yourself with a free 14-day trial.