What Is A Man-In-The-Middle Attack? Don't Be a Victim of High-Tech Eavesdropping

Graphic: Nathaniel Blum


Jackie Lam
Updated February 28, 2020

Whether you’re sending data on your computer or talking to someone online, you’d like to assume some level of security and privacy.

But what if a third party is eavesdropping online, unbeknownst to you? And worse, what if they’re impersonating someone from a business you trust to gain damaging information? In turn, your personal data could be put in the hands of dangerous, would-be thieves.

Welcome to what’s called a man-in-the-middle attack (aka MITM attack).

What are man-in-the-middle attacks?

A man-in-the-middle attack occurs when a cybercriminal inserts themselves into communications between you, the targeted victim, and a device to steal sensitive information that can be used for a variety of criminal purposes—most notably identity theft, said Steve J. J. Weisman, founder of Scamicide.

“A man-in-the-middle attack can also occur when the victim believes he or she is communicating with a legitimate app or website,” said Weisman, “when the truth is that the victim is communicating with a phony website or app and thereby providing sensitive information to the criminal.”

One of the oldest forms of cyberattacks, MITM attacks have been around since the 1980s. What’s more, they’re quite common.

As Weisman explains, there are a handful of ways a MITM attack can happen:

  • Attacking a Wi-Fi router that is not properly secured: This typically occurs when someone is using public Wi-Fi. “While home routers might be vulnerable, it’s more common for criminals to attack public Wi-Fi networks,” said Weisman. The goal is to spy on unsuspecting people who are handling sensitive information, such as their online bank accounts, he added.
  • Hacking email accounts of banks, financial advisers and other companies: “Once [the criminals] have hacked these email systems, they send out emails that appear to come from the legitimate bank or other company,” Weisman said. “[They ask] for personal information, such as usernames and passwords, under the guise of an emergency. The targeted victim is lured into providing that information.”
  • Sending phishing emails: Thieves might also send emails pretending to be legitimate companies that the targeted victim does business with. They’ll ask them for their personal information. “In many instances, the spear-phishing emails will direct the victim to a counterfeit website that appears to be that of a legitimate company with which the victim does business,” said Weisman.
  • Using malicious code in legitimate websites: Attackers can also place malicious code—usually JavaScript—into a legitimate website by way of a web application. “When the victim loads the legitimate page, the malicious code just sits in the background until the user enters sensitive information, such as account login or credit card details, which the malicious code then copies and sends to the attackers’ servers,” said Nicholas McBride, a cybersecurity consultant.

What is an example of an MITM attack?

A well-known example of an MITM attack was the Lenovo case. In 2014 and 2015, the major computer manufacturer sold consumer laptops with preinstalled software that meddled with how a user’s browser communicated with websites. Whenever the user’s cursor hovered over a product, this software, called VisualDiscovery, sent pop-up ads from retail partners that sold similar products.

Here’s the kicker: This MITM attack allowed VisualDiscovery to access all of the user’s personal data, including Social Security numbers, info about financial transactions, medical info, and logins and passwords. All without the user knowing or granting permission beforehand. The FTC deemed this a deceptive and unfair online scam. Lenovo agreed to pay $8.3 million in a class action settlement in 2019.

How can I protect myself from an online attack?

Avoid using public Wi-Fi. Weisman recommends never using public Wi-Fi for financial transactions unless you’ve installed a virtual private network (VPN) on your device. That way, your communications will be encrypted and your info won’t be stolen.

Be on the lookout. You’ll want to be especially wary of emails or text messages that ask you to update your password or provide your username or personal information. These methods can be used to steal your identity, said Weisman.

Unsure of the actual identity of the party sending you that email? You can use tools such as a reverse phone or email search. With a reverse phone number lookup, you can potentially find out more about the identity of an unknown texter. And with a reverse email lookup, you can try to gauge who might have sent you that email.

Install reliable security software. Make sure all your devices have good security software, recommends Weisman. What’s more, keep the software up to date with the latest security patches.

Take alerts seriously. If you’re visiting a site that starts with “https,” your browser might alert you to an issue, said McBride. For instance, the domain name on the site’s certificate might not match the one you’re trying to visit. Don’t ignore the alert—heed it.
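The name check behind that alert, as an added example that is not part of the original article: a simplified Python version of the comparison a browser makes between the address you asked for and the DNS names listed in the site's certificate. The certificate dictionaries are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and `bank.example` and `bank-login.example` are placeholder domains.

```python
from typing import Tuple

# Constructed sample certificates (only the field this check reads).
GOOD_CERT = {"subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example"))}
LOOKALIKE_CERT = {"subjectAltName": (("DNS", "bank-login.example"),)}


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name with the hostname the user asked for."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label, never several
    if "*" in pattern:
        # Accept a wildcard only as the entire leftmost label, and only when
        # at least two fixed labels follow it (so "*.example" is refused).
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False
        if any("*" in label for label in p_labels[1:]):
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_hostname(cert: dict, hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason). A False result is what triggers the browser alert."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        return False, "certificate lists no DNS names"
    for name in dns_names:
        if name_matches(name, hostname):
            return True, "matched " + name
    return False, hostname + " is not among certificate names " + ", ".join(dns_names)


if __name__ == "__main__":
    for cert, host in [(GOOD_CERT, "www.bank.example"),
                       (GOOD_CERT, "a.b.bank.example"),
                       (LOOKALIKE_CERT, "bank.example")]:
        print(host, check_hostname(cert, host))
```

This covers only the name comparison; a real client also verifies the certificate chain, validity dates and revocation status before trusting the connection.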

Use an ad blocker. As pop-up ads (aka adware attacks) can be used to intercept your personal information, use an ad blocker. “The truth is, as an individual user, it’s hard to protect against a MITM attack,” said McBride, “as it is designed to leave the victim in the dark and to prevent them from noticing that there is anything wrong.”

While MITM attacks are quite common and can happen to anyone, understanding what they are, knowing how they happen and actively taking steps to prevent them can safeguard you from being a victim.

This article is licensed under a Creative Commons Attribution-ShareAlike 2.0 Generic (CC BY-SA 2.0) License.
