What is a Man-in-the-Middle Attack and How Can You Prevent It?

 

In 2015, a cyber-criminal group in Belgium stole a total of €6 million by hacking through middle-sized and large European companies. The hackers were able to gain access of corporate email accounts and request money from clients using the hacked accounts. According to Europol’s official press release, the modus operandi of the group involved the use of malware and social engineering techniques. Once they found their way in, they carefully monitored communications to detect and take over payment requests. This impressive display of hacking prowess is a prime example of a man-in-the-middle attack. The thing is, your company could easily be any of those affected European companies.

What is a Man-in-the-Middle (MITM) attack?

A MITM attack happens when a communication between two systems is intercepted by an outside entity. This can happen in any form of online communication, such as email, social media, web surfing, etc. Not only are they trying to eavesdrop on your private conversations, they can also target all the information inside your devices.

Taking away all the technicalities, the concept of an MITM attack can be described in a simple scenario. Imagine being brought back to the days of old when snail mail was rife. Jerry writes a letter to Jackie expressing his love for her after years of hiding his feelings. He sends the letter to the post office and it’s picked up by a nosy mailman. He opened it and, just for the hell of it, he decided to rewrite the letter before delivering the mail to Jackie. This results in Jackie hating Jerry for the rest of her life after “Jerry” called her a fat cow. The moral of the story is the mailman is a jerk, and so are hackers.

A more modern example would be a hacker sitting between you (and your browser) and the website you’re visiting to intercept and capture any data you submit to the site, such as login credentials or financial information.

How Does a Man-in-the-Middle Attack Work?

Over the years, hackers found various ways to execute MITM attacks and believe it or not, it has become relatively cheap to buy a hacking tool online, just proving how easy hacking someone can be if you have enough money. Here are some common types of MITM attacks your business will most likely encounter:

Email Hijacking

Similar from the case above, hackers who use this tactic target email accounts of large organizations, especially financial institutions and banks. Once they gain access to important email accounts, they will monitor the transactions to make their eventual attack a lot more convincing. For example, they can wait for a scenario where the customer will be sending money and respond, spoofing the company’s email address, with their own bank details instead of the company’s. This way, the customer thinks they’re sending their payment to the company, but they’re really sending it right to the hacker.

It’s not just large companies that can fall victim to this type of attack. A similar situation happened to London’s Paul Lupton. After selling his home, he emailed his bank account details to his solicitor to collect the over £333,000 proceeds, unaware that hackers had accessed his email and were monitoring communications. Seeing a golden opportunity, the hackers quickly sent another email to the solicitor under Lupton’s name saying to disregard the previous email and send to another (hacker-owned) account instead. The transfer went through to the hacker’s account, but fortunately Lupton quickly realized what happened and was able to recover the majority of funds. Unfortunately, most of these attacks don’t have such happy endings.

Wi-Fi Eavesdropping

Most MITM attacks thrive on Wi-Fi connections. In one approach, hackers will set up a Wi-Fi connection with a legitimate-sounding name. All the hacker has to do is wait for you to connect and he’ll instantly have access to your device. Alternatively, the hacker can create a fake Wi-Fi node disguised as a legitimate Wi-Fi access point to steal the personal information of everyone who connects.

Session Hijacking

Once you log into a website, a connection between your computer and the website is established. Hackers can hijack your session with the website through numerous means. One popular option they use is stealing your browser cookies. In case you don’t know, cookies store small pieces of information that makes web browsing convenient for you. It can be your online activity, login credentials, pre-fill forms, and in some cases, your location. If they got hold of your login cookies, they can easily log into your accounts and assume your identity.

How Can You Protect Your Networks from These Attacks?

MITM attacks can really overwhelm you just by hearing its basic concept, but that doesn’t mean they are impossible to avoid. PKI technology can help protect you from some of the types of attacks we discussed above.

S/MIME

Secure/Multipurpose Internet Mail Extensions, or S/MIME for short, encrypts your emails at rest or in transit, ensuring only intended recipients can read them and leaving no spaces for hackers to slip their way in and alter your messages.

Additionally, S/MIME lets you digitally sign your email with a Digital Certificate unique to every person. This ties your virtual identity to your email and gives your recipients the assurance that the email they received actually came from you (as opposed to a hacker who access your mail server). You can see how this could have been helpful in the Europol example discussed earlier. While the hackers had access to the companies’ mail servers, in order to digitally sign the messages, they would have also needed access to employee private keys, which are generally securely stored elsewhere. Standardizing on digitally signing messages and educating recipients to only trust messages from your company that have been signed can help differentiate legitimate emails from those that have been spoofed.

Authentication Certificates

Hackers will never go away, but one thing you can do is make it virtually impossible to penetrate your systems (e.g. Wi-Fi networks, email systems, internal networks) by implementing Certificate-Based Authentication for all employee machines and devices. This means only endpoints with properly configured certificates can access your systems and networks. Certificates are user-friendly (there is no additional hardware to manage or much user training needed) and deployments can be automated to make things simple for IT and make them hackers split their hair, as the cool kids would say.

What Is HTTP Interception?

HTTP is the most common internet protocol. Most of the things we do online are implemented on HTTP, from the usual web browsing to instant messaging. Unfortunately, HTTP communications are unprotected and relatively easy to intercept, making them a prime target for MITM attacks. As mentioned earlier, hackers can sit between end users and the website they’re connected to and eavesdrop on their communications, including any information they submit to the website, without them having any idea.

How Do You Prevent HTTP Interception?

SSL/TLS Certificates

If your website still uses the more vulnerable HTTP protocol, it’s time to upgrade to the safer HTTPS protocol through SSL/TLS Certificates. A TLS Certificate will activate the HTTPS protocol, which is the safer version of HTTP. This allows an encrypted, secure connection between your server and your clients’ computers, keeping all information from prying hackers.

TLS Certificates can also bind together your domain name and your organizational identity if you get an Organization Validated (OV) or Extended Validation (EV) level certificate. EV Certificates bring your identity information front and center by displaying your organization name right in the URL bar. This can boost trust among your visitors that your site is legitimately operated by your company and not an imposter site.

System and Server Configurations

Don’t sit on your laurels just yet. Once TLS is up and running, you need to do some configuring. Make sure your website doesn’t have any mixed content or any page element loading over an HTTP protocol (e.g. photos, scripts, widgets) to avoid leaving a backdoor for aspiring hackers. It’s also good practice to make sure any links you are pulling in from other sites are via HTTPS. Make sure your login forms are HTTPS-protected to avoid credential hijacking. Mozilla is already doing a great job preventing users from filling up forms under HTTP protocols by “unsecure connection” warning prompts and a slashed padlock icon. Make sure all hyperlinks contained in your website all use the HTTPS protocol.

It’s also important to make sure you have your server configured correctly (e.g. using the current best practices for protocols, algorithms, etc.). For example, you should make sure you have SSL2, SSL3, and TLS1 protocols disabled; only TLS 1.1 and 1.2 should be enabled. There are many other configuration items to consider and recommended best practices are continually changing as new vulnerabilities are discovered. GlobalSign’s SSL Server Test is an easy-to-use and thorough tool for making sure your server is properly configured.

HSTS over HTTPS

As discussed above, hackers have found ways to get around TLS. For example, even if you request an HTTPS connection (e.g. you type in https://www.example.com), they can change the request to HTTP so you go to http://www.example.com, preventing the encrypted connection. Implementing HTTP Strict Transport Security or HSTS can help prevent this type of attack. This web server directive forces any web browser or app to connect to HTTPS and block any content that uses HTTP as its protocol. HSTS will also prevent hackers from extracting information from your browser cookies, effectively defending your website from session hijackers.

Loading