Gone are the days when eavesdropping was just the stuff of spies and the town gossip. In fact, it has evolved into everyone's favorite pastime. Thanks to the internet, it is far easier now to idle by and catch juicy information than it ever was to press your ear against your neighbor's wall.
While we can easily forgive and forget listeners within earshot when we're having conversations in public, digital eavesdropping raises the privacy red flag to new heights. And it can be done quickly by taking advantage of two things: one, our penchant for connecting to Wi-Fi networks (secure or not, public or private); and two, the exploitation of that Wi-Fi network. Suffice it to say, digital eavesdropping isn't and shouldn't be considered a pastime, especially if you have the skills and the means to do it.
And when it comes to eavesdropping online, the term that immediately comes to mind is man-in-the-middle, essentially a scenario wherein a third person places themselves in the middle of two parties communicating with each other. A third wheel, so to speak. However, this person or entity is unseen by the two parties. In fact, they don’t even know that they are in the company of a third wheel.
While eavesdropping is generally a passive exercise (Person C takes the role of listener-observer and does not get involved while Person A and Person B chat), MitM attacks are anything but. On top of snooping, the attacker has to control the conversation, so contact with the targets is inevitable. This makes a MitM attack an active exercise, and such interference demands inventiveness, attention, patience, guile, and the willingness to be as deeply involved as needed to attain the attacker's goal.
MitM attacks can be aggressive and invasive, and they are always surreptitious.
MitM attacks involve the unlawful tapping of a network to exploit transactions, conversations, and data transfers on-the-fly. Threat actors can do this by taking advantage of weaknesses of a network or of any of its elements like software (browser, VoIP, etc.).
Many organizations practice what are essentially MitM tactics, whether they acknowledge it or not, so they can monitor their employees. Some do it for advertising purposes, as in the case of Superfish, a piece of adware that was pre-installed on Lenovo consumer laptops and installed its own root certificate so it could inject ads into encrypted web pages.
Governments are also known operators of MitM attacks, using them to proactively spy on their citizens, circumvent the security measures of technologies, spy on enemy countries to steal classified information, and steal money from financial institutions based in other countries to fund their projects.
Furthermore, we've seen MitM make up a large part of the modus operandi of a criminal group that essentially stole from the clients of the private European companies it targeted. They did this by infiltrating target networks to gain access to email accounts, monitoring payment requests from these companies, and then, by impersonation, placing themselves in the middle of the email conversation and instructing clients to send payments to bank accounts the criminal group controlled.
These are just two of the most common types. Others are:
Note that not all the types we mentioned can be done in all kinds of computer networks. For example, ARP poisoning works only against systems on the same local network segment, whether wired Ethernet or Wi-Fi, because ARP is a link-layer protocol whose messages never cross a router. It cannot be used to attack remote systems.
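The same locality that confines ARP poisoning to a LAN segment also makes it observable from that segment: a poisoner has to keep sending forged ARP replies, so a host watching ARP traffic sees one IP address suddenly claimed by a second MAC address (typically the gateway's), or one MAC address claiming several IP addresses at once. The script below, an added example and not code from the Malwarebytes post, runs both checks over a constructed stream of ARP replies; the `ArpReply` type, the field names and the sample addresses are assumptions for illustration.

```python
"""Flag ARP cache poisoning in a stream of observed ARP replies.

Added example (not part of the original post). The replies would normally
come from a packet capture on the segment; here a constructed sample is
embedded so the script runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since capture start
    ip: str     # sender protocol address: the IP being claimed
    mac: str    # sender hardware address: the NIC claiming it


def detect_arp_poisoning(replies, gateway_ip=None, max_ips_per_mac=1):
    """Return alerts as (timestamp, kind, detail) tuples.

    Two stateful heuristics:
      ip_flip  - an IP previously advertised by MAC A is now claimed by MAC B
                 (the classic symptom of gateway impersonation).
      multi_ip - one MAC claims more IPs than a normal host would, which is
                 what a poisoner answering for both gateway and victim does.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for r in replies:
        mac = r.mac.lower()
        prev = ip_to_mac.get(r.ip)
        if prev is not None and prev != mac:
            who = "gateway" if r.ip == gateway_ip else "host"
            alerts.append((r.ts, "ip_flip", f"{who} {r.ip}: {prev} -> {mac}"))
        ip_to_mac[r.ip] = mac
        # Only alert when this MAC picks up a *new* IP, not on every reply.
        if r.ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(r.ip)
            if len(mac_to_ips[mac]) > max_ips_per_mac:
                alerts.append((r.ts, "multi_ip",
                               f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


# Constructed sample traffic (assumed addresses). 10.0.0.1 is the gateway,
# 10.0.0.5 the victim. At t=3.0 a third NIC (de:ad:be:ef:00:ee) starts
# answering for both, as a bidirectional poisoner does; at t=3.5 the real
# gateway answers again, which shows up as a second flip.
SAMPLE = [
    ArpReply(0.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    ArpReply(0.5, "10.0.0.5", "aa:bb:cc:00:00:05"),
    ArpReply(1.0, "10.0.0.7", "aa:bb:cc:00:00:07"),
    ArpReply(3.0, "10.0.0.1", "de:ad:be:ef:00:ee"),
    ArpReply(3.1, "10.0.0.5", "de:ad:be:ef:00:ee"),
    ArpReply(3.5, "10.0.0.1", "aa:bb:cc:00:00:01"),
]


if __name__ == "__main__":
    for ts, kind, detail in detect_arp_poisoning(SAMPLE, gateway_ip="10.0.0.1"):
        print(f"{ts:5.1f}s  {kind:9s} {detail}")
```

Both checks are heuristics, not verdicts: a DHCP lease moving to another machine, a replaced NIC, or a router failover protocol that shares a virtual IP across two physical interfaces will also trigger an `ip_flip`, so an alert is a prompt to look at the segment, not proof of an attacker. The flapping pattern in the sample (gateway claimed by the attacker, then by the real gateway, then by the attacker again) is the signature that is hardest to explain away.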
There are also different ways a threat actor can perform MitM attacks, such as sniffing, injecting, hijacking, stripping, and filtering.
There is an attack called man-in-the-browser (MitB), which starts when a piece of malware lands on a user's system. It runs whenever the browser runs and does its work by modifying banking transactions behind the scenes while maintaining the appearance of legitimacy to the unknowing user. In other words, MitB attacks are built for financial fraud.
MitB attacks are particularly dangerous to users and tricky to spot because the malware operates inside the browser itself, on page content and form data that have already been decrypted. Criminals can therefore siphon off money even though security controls, mechanisms, and encryption are present on the bank website, and the user's antivirus program is working normally.
Then there's a type used against mobile devices called man-in-the-mobile (MitMo), also known as man-in-the-phone. Like MitB, this is malware, and its purpose is specifically to circumvent SMS-based two-factor authentication. It does this by monitoring incoming messages for transaction authentication numbers (TANs) and other verification codes sent to users via SMS. Android users are mainly targeted by MitMo malware such as the mobile components of SpyEye and ZeuS. CatchApp, an app capable of stealing encrypted chat messages from WhatsApp, is another example of software that can perform MitM attacks on mobile devices.
Still in the realm of mobile, there is the relatively new type called man-in-the-app, wherein an attacker uses a self-signed certificate to communicate directly with a compromised app.
Then we have MitM for the cloud and for the Internet of Things, appropriately called man-in-the-cloud and man-in-the-IoT, respectively.
Yes. They're quite prevalent, actually. Some types of MitM attack are easy to carry out, and there are readily available hacking tools a budding threat actor can use to set one up. It's even possible (if not highly likely) for insiders to conduct such attacks within the organization's intranet.
Unfortunately, detecting most MitM attack types is difficult. Therefore, nipping such attacks in the bud through prevention is still very important, and preventive measures against this type of attack also enhance a network's security and privacy.
The post When three isn’t a crowd: Man-in-the-Middle (MitM) attacks explained appeared first on Malwarebytes Labs.