How common are man-in-the-middle attacks?

“I would say, based on anecdotal reports, that MitM attacks are not incredibly prevalent,” says Alex Hinchliffe, threat intelligence analyst at Unit 42, Palo Alto Networks. “Much of the same objectives — spying on data/communications, redirecting traffic and so on — can be done using malware installed on the victim’s system. If there are simpler ways to perform attacks, the adversary will often take the easy route.”

A notable recent example was a group of Russian GRU agents who tried to hack into the office of the Organisation for the Prohibition of Chemical Weapons (OPCW) at The Hague using a Wi-Fi spoofing device.

Greater adoption of HTTPS and more in-browser warnings have reduced the potential threat of some MitM attacks. In 2017 the Electronic Frontier Foundation (EFF) reported that over half of all internet traffic was encrypted, and Google now reports that over 90 percent of traffic in some countries is encrypted. Major browsers such as Chrome and Firefox will also warn users if they are at risk from MitM attacks. “With the increased adoption of SSL and the introduction of modern browsers, such as Google Chrome, MitM attacks on Public WiFi hotspots have waned in popularity,” says CrowdStrike’s Turedi.

“Today, what is commonly seen is the utilization of MitM principles in highly sophisticated attacks,” Turedi adds. “One example observed recently on open-source reporting was malware targeting a large financial organization’s SWIFT network, in which a MitM technique was utilized to provide a false account balance in an effort to remain undetected as funds were maliciously being siphoned to the cybercriminal’s account.”

The threat still exists, however. For example, the Retefe banking Trojan reroutes traffic from banking domains through servers controlled by the attacker, decrypting and modifying each request before re-encrypting the data and sending it on to the bank. A recently discovered flaw in the TLS protocol – including the newest version, 1.3 – enables attackers to break the RSA key exchange and intercept data.
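Rerouting of the kind described above only works because the attacker's server terminates the TLS session itself, so the client is shown a certificate that is not the bank's. A simple detection on the defender's side is to compare the certificate seen for sensitive domains against an expected pin set. The script below is an added illustration, not code from the article or from any product named in it: it parses a constructed, tab-separated log of TLS observations (timestamp, client, SNI, leaf-certificate issuer, SPKI fingerprint), compares each session to a table of expected pins, and flags the sessions that do not match. The domain names, issuer strings and fingerprints are placeholders invented for the example.

```python
"""Flag TLS sessions to pinned domains whose server certificate does not match
the expected issuer or key fingerprint. All data below is constructed sample
data; the log format is assumed for this example, not taken from any tool."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TlsObservation:
    ts: str
    client: str
    server_name: str   # SNI the client asked for
    issuer: str        # issuer DN of the leaf certificate the client was shown
    spki_sha256: str   # hex SHA-256 over the leaf's SubjectPublicKeyInfo


# Expected pins for domains worth watching. Issuer names and fingerprints are
# constructed placeholders; a real table is built from certificates observed
# during a known-clean baseline and kept current with the site's key rotation.
EXPECTED_PINS: Dict[str, dict] = {
    "online.example-bank.test": {
        "issuer": "CN=Example Public CA, O=Example Trust Services",
        "spki_sha256": {"1111" * 16, "2222" * 16},  # current key plus backup key
    },
}

# Constructed sample log, one observation per line:
# ts <TAB> client <TAB> server_name <TAB> issuer <TAB> spki_sha256
# The third line models a session rerouted through an interposing TLS proxy.
SAMPLE_LOG = (
    "2019-03-01T09:00:00Z\t10.0.0.5\tonline.example-bank.test\t"
    "CN=Example Public CA, O=Example Trust Services\t" + "1111" * 16 + "\n"
    "2019-03-01T09:01:00Z\t10.0.0.7\twww.example-news.test\t"
    "CN=Other Public CA\t" + "3333" * 16 + "\n"
    "2019-03-01T09:02:00Z\t10.0.0.9\tonline.example-bank.test\t"
    "CN=Local Proxy Root\t" + "4444" * 16 + "\n"
)


def parse_line(line: str) -> TlsObservation:
    """Parse one tab-separated observation; reject malformed lines loudly."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        raise ValueError(f"expected 5 tab-separated fields, got {len(fields)}: {line!r}")
    return TlsObservation(*fields)


def check_observation(obs: TlsObservation, pins: Dict[str, dict] = EXPECTED_PINS) -> List[str]:
    """Return the reasons a session looks interposed; empty list means it matches."""
    expected = pins.get(obs.server_name)
    if expected is None:
        return []  # not a pinned domain, nothing to compare against
    reasons = []
    if obs.issuer != expected["issuer"]:
        reasons.append(f"issuer {obs.issuer!r} != expected {expected['issuer']!r}")
    if obs.spki_sha256.lower() not in expected["spki_sha256"]:
        reasons.append("leaf SPKI fingerprint not in pin set")
    return reasons


def find_suspect_sessions(log_text: str, pins: Dict[str, dict] = EXPECTED_PINS
                          ) -> List[Tuple[str, str, List[str]]]:
    """Scan a whole log and collect (client, server_name, reasons) for mismatches."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        obs = parse_line(line)
        reasons = check_observation(obs, pins)
        if reasons:
            alerts.append((obs.client, obs.server_name, reasons))
    return alerts


if __name__ == "__main__":
    for client, name, reasons in find_suspect_sessions(SAMPLE_LOG):
        print(f"ALERT {client} -> {name}: {'; '.join(reasons)}")
```

Run as a script it prints one alert, for the session from 10.0.0.9 whose certificate was issued by an unexpected CA and carries an unpinned key. Checking both the issuer and the SPKI fingerprint matters: an attacker who can obtain a mis-issued certificate from a trusted CA passes the issuer check but still fails the key pin, while a planned key rotation at the bank is handled by keeping the backup key in the pin set.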