How man-in-the-middle attacks work

MitM attacks are one of the oldest forms of cyber attack. Computer scientists have been looking at ways to prevent threat actors tampering or eavesdropping on communications since the early 1980s

MitM attacks consist of sitting between the connection of two parties and either observing or manipulating traffic. This could be through interfering with legitimate networks or creating fake networks that the attacker controls. Compromised traffic is then stripped of any encryption in order to steal, change or reroute that traffic to the attacker’s destination of choice (such as a phishing log-in site). Because attackers may be silently observing or re-encrypting intercepted traffic to its intended source once recorded or edited, it can be a difficult attack to spot.

“MitM attacks are attacks where the attacker is actually sitting between the victim and a legitimate host the victim is trying to connect to,” says Johannes Ullrich, dean of research at SANS Technology Institute. “So, they’re either passively listening in on the connection or they’re actually intercepting the connection, terminating it and setting up a new connection to the destination.”

MitM encompass a broad range of techniques and potential outcomes, depending on the target and the goal. For example, in SSL stripping, attackers establish an HTTPS connection between themselves and the server, but with an unsecured HTTP connection with the user, which means information is sent in plain text without encryption. Evil Twin attacks mirror legitimate Wi-Fi access points but are entirely controlled by malicious actors, who can now monitor, collect or manipulate all information the user sends.

“These types of attacks can be for espionage or financial gain, or to just be disruptive,” says Turedi. “The damage caused can range from small to huge, depending on the attacker’s goals and ability to cause mischief.”