J003-Content-Who-is-man-in-the-middle_SQMan-in-the-middle (MITM) attacks are everywhere. If you’re a security professional you’re surely very well acquainted with Mr. man-in-the-middle and if you’re just starting out in the security world, this won’t be the last time you hear of man-in-the-middle attacks. So without further ado, let’s explore what a man-in-the-middle attack is all about.

Who is this man-in-the-middle?

For the most part, the internet works on a client/server architecture. This means users generally connect to a central server(s) and retrieve whatever information is needed through that connection. It is easy to think of this scenario as a direct one to one connection but, in reality, it is a lot more complicated.

When you connect to a website, your request and the information you receive back is not transmitted as a whole and is instead split into little packages called packets. These packets are sent from machine to machine until they reach their intended destination and each step towards a destination is called a hop. These machines are routers, gateways and bridges and a man-in-the-middle can reside between any of these locations including the client or the actual server the client is trying to reach.

A man-in-the-middle refers to a piece of software that sits anywhere between the victim and their intended destination. This software can spy on the communication and in some cases even modify it.

Why is this dangerous?

If a piece of malicious software is properly ingrained between the client and the server, the possibilities for an attacker are endless. Web browser developers know about the dangers of MITM attacks and when building a browser certain safe measures are put into place to make MITM attacks ineffective. Encryption systems are the best defense but with attackers getting craftier and more dangerous by the day it is possible that malicious man-in-the-middle software can beat these security schemes.

How is a MITM attack executed?

This defense system is based on digital certificates. When a secure site is visited, a public version of its certificate is sent to the browser which then confirms its authenticity thanks to the help of trusted certificate authorities. Certificate authorities are trustworthy entities that confirm a certificate confirming the target is authentic and thus can be trusted.

Any other traffic sent in between the client and the server is then encrypted so that only the client and the server can “understand” what is being sent. If someone inserts themselves in between the client and the server the certificate sent by the target site would not apply to them and the browser would generate an error and display a warning pointing to a possible MITM attack.

This might seem bulletproof but specifically crafted malware can insert its own malicious certificate authority in a browser’s trusted list. For this to happen malware needs to be running on the client side and not on any of the points in between the client and the server. The MITM malware would be able to connect to the real destination as if it was the client, and then connect to the client pretending it is the real destination by creating a fake certificate – a certificate the fake authority created by the malware in the browser would authenticate as genuine. The malware at this point would have total control. It can also decrypt and encrypt communications in between itself and the client as well as the server and not only can it see all data sent out but it is also free to change it and make the client believe the data was sent unchanged from the real intended destination.

What are the repercussions?

An attacker is now able to spy on all the information being sent: from credentials to private conversations but the attacker will also have the ability to manipulate the data, which in turn can have dire consequences.

A user within an organization has been the victim of a MITM attack and is about to transfer money through an internet banking system. In this situation, the malware installed on the user’s end is specifically designed to hijack banking transaction. The user types in the target bank account number and the amount to be paid and initiates the transaction. The web browser at this point sends the data over to the bank but before it reaches the bank it has to go through the malware which is intercepting each packet looking specifically for bank transfers.

This packet is exactly what the malware is looking for and before forwarding the packet it does a few little changes. It takes note of the bank account number the user wanted to transfer money to, replaces it with its own bank account number and then forwards the packet over. The bank receives it and processes the transaction, transferring the money not to the intended recipient but to the attacker’s designated bank account.

The bank will then send a packet back with the transaction information. The malware will then proceed to mask the transaction information with the data inputted originally by the user. There will be nothing abnormal from the user’s perspective prompting remedial action giving the attacker time. Red flags will only be seen when the organization or person the money was meant for enquires about it and even then it will take a few more days if not weeks for the issue to be investigated. By then the money will be gone together with all the monies from other transactions done in the interim.

What can organizations do?

This scenario is just one possibility and there are many other types of MITM attacks. Organizations need to recognize the dangers protect themselves. This can be done by following the anti-malware techniques and precautions, making sure nothing unauthorized is ever installed on the system, patching status is up to date, the latest antivirus definitions are running and the various entry points (web, email, endpoints) in an organization are adequately protected.