The criminals used malware and social engineering to access corporate email accounts and, according to the Europol press release, “monitored communications to detect payment requests.” The investigation found that the victims had been defrauded of almost $7 million. Man-in-the-middle attacks are some of the most common and dangerous breaches. The worst part: you won’t even know your traffic is being intercepted unless the attacker does something to give themselves away.
But what is a man-in-the-middle attack, how can you detect it and prevent your company from being victimized, and, if you are hacked, how can you mitigate the damage?
A man-in-the-middle attack occurs when an intruder inserts themselves between two parties, impersonating at least one of them and passing information back and forth, thereby gaining access to data, money, or other sensitive information. The attacker acts as the intermediary for systems and gateways, and the attacks can occur over wireless or wired networks (intranets are particularly vulnerable).
A man-in-the-middle attack is a form of eavesdropping in which the attacker impersonates both victims in order to gain access to the “conversation,” which may simply be data or confidential information. The victims of a man-in-the-middle attack do not realize that they are not actually communicating with the second party, but with a malicious third party passively relaying the traffic.
A common form of these attacks occurs via unsecured wireless connections or vulnerable servers, where data can be intercepted because there is no mutual authentication. Many security protocols include endpoint authentication, such as security certificates, to thwart man-in-the-middle attacks.
How to Detect a Man-in-the-Middle Attack
Detecting these attacks can be extremely difficult, especially if the attacker has the expertise to mimic both parties’ security safeguards. Commonly, malware provides an entry point into a victim’s browser so that data can be intercepted. With control over the victim’s browser, the attacker can create fake sites that mirror the look of legitimate banking or retail pages so that sensitive user credentials and information can be stolen.
Perpetrators often use sophisticated man-in-the-middle attack tools, especially in intranet environments, with ARP spoofing capabilities (the attacker sends false Address Resolution Protocol messages to link their own MAC address with a legitimate IP address on the network) so that communications between hosts can be intercepted. Other man-in-the-middle attack tools include:
Cain & Abel
Another vulnerability arises via unsecured tags used for marketing and analytics. Though many site administrators and marketers use tag managers to deploy tags, without proper monitoring these third-party tags can add tags of their own that might not be secure. Most sites are served over HTTPS and are considered secure against sniffers and man-in-the-middle attacks, but when unsecured tags are added to these sites via such redirects (or piggybacks), triggering a mixed-content warning, the unencrypted content is exposed to malicious actors.
While there are intrusion detection systems, often the best defense against these attacks is to not allow them to occur in the first place.
How to Mitigate a Man-in-the-Middle Attack
Other than avoiding public networks for the transmission of sensitive or confidential data, there are several strategies that can be deployed. As mentioned previously, intrusion detection systems (IDS) monitor network transmissions and raise alerts should a breach occur. However, because of the sophistication of many IT environments, there are often false positives, which sometimes leads to these systems being underutilized.
Similarly, there are tools to prevent man-in-the-middle attacks, such as advanced address resolution tools (like XArp and ArpON). Additionally, one can implement Dynamic Host Configuration Protocol (DHCP), which aims to prevent ARP spoofing.
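As an added illustration of the ARP spoofing footprint described above and of what host-side ARP watchers such as XArp look for (example code written for this article, not taken from any of those tools), the Python monitor below replays a constructed set of ARP replies and flags an IP address whose MAC binding changes as well as a MAC address that answers for more than one IP:

```python
from dataclasses import dataclass, field

# Constructed sample of ARP reply events (timestamp, sender IP, sender MAC),
# as a passive monitor on the LAN segment would record them. Not real capture data.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway announces its binding
    (1.5, "192.168.1.20", "aa:bb:cc:00:00:20"),  # an ordinary workstation
    (2.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # same binding again, no alert
    (3.0, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    (3.2, "192.168.1.20", "de:ad:be:ef:00:99"),  # the same MAC also claims the host IP
]


@dataclass
class ArpMonitor:
    """Learns IP -> MAC bindings from ARP replies and records anomalies."""
    bindings: dict = field(default_factory=dict)  # ip -> mac
    alerts: list = field(default_factory=list)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac            # first time we see this IP: learn it
        elif known != mac:
            # The binding for a known IP changed: the classic spoofing symptom
            self.alerts.append(f"{ts}: {ip} changed from {known} to {mac}")
            self.bindings[ip] = mac
        # One MAC answering for several IPs is the other tell-tale sign
        claimed = sorted(i for i, m in self.bindings.items() if m == mac)
        if len(claimed) > 1:
            self.alerts.append(f"{ts}: {mac} claims {', '.join(claimed)}")


def detect_arp_spoofing(events):
    """Replay ARP reply events in order and return the list of alert strings."""
    monitor = ArpMonitor()
    for ts, ip, mac in events:
        monitor.observe(ts, ip, mac)
    return monitor.alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

A real deployment would seed the monitor with a trusted static binding for the gateway and feed it from a packet capture rather than a list, but the two checks are the same.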
One of the more effective ways to mitigate a man-in-the-middle attack is the use of VPNs (virtual private networks), which create secure, encrypted tunnels for accessing organizational networks over wireless networks.
These strategies are, of course, in addition to good website data governance policies, active tag monitoring, and process auditing.