Man in the middle attack

Sumit Sah
8 min read · Dec 4, 2020

We have become increasingly accustomed to using the internet for most of our work. With the rise in cybercrime cases in the news headlines, it has become both important and difficult to secure ourselves on the internet, which raises serious concerns about our privacy and security online. The most common such attack, the Man-in-the-Middle (MITM) attack, has raised our concern, and for our term paper presentation we have done our homework to understand it better. A MITM attack is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. Depending on the intent of the intrusion, this can range from the innocuous to the devastating, such as identity theft, misdirected messages, and other intended frauds. This type of attack becomes critical when we use sensitive information such as online banking, transactions, mobile banking, online billing, login credentials, and other personal information that is privately valuable to a specific person, company, or other organization. So, we need to be aware of the consequences it can have, how it works, how it is implemented, and how we can stay safe and protect ourselves from such attacks.

Introduction

A man-in-the-middle attack is a type of cyber attack where a malicious actor inserts him/herself into a conversation between two parties, impersonates both parties and gains access to information that the two parties were trying to send to each other. A man-in-the-middle attack allows a malicious actor to intercept, send and receive data meant for someone else, or not meant to be sent at all, without either party knowing until it is too late. A MITM attack exploits the real-time processing of transactions, conversations, or transfers of other data. The objective of an attack is to steal personal information, for example login credentials, account details, and credit card numbers. Targets are normally the users of financial applications, SaaS businesses, e-commerce sites, and other websites where logging in is required. Information obtained during an attack could be used for many purposes, including identity theft, unapproved fund transfers, or an illicit password change. Cybercriminals typically execute a man-in-the-middle attack in two phases: interception and decryption. With a traditional MITM attack, the cybercriminal needs to gain access to an unsecured or poorly secured Wi-Fi router. These types of connections are generally found in public areas with free Wi-Fi hotspots, and even in some people’s homes, if they haven’t protected their network. Attackers can scan the router looking for specific vulnerabilities such as a weak password. Once attackers find a vulnerable router, they can deploy tools to intercept and read the victim’s transmitted data. The attacker can then also insert their tools between the victim’s computer and the websites the user visits to capture login credentials, banking information, and other personal information. A successful man-in-the-middle attack does not stop at interception. The victim’s encrypted data must then be decrypted so that the attacker can read and act upon it.
In the image below, you will notice that the attacker inserted him/herself in-between the flow of traffic between client and server. Now that the attacker has intruded into the communication between the two endpoints, he/she can inject false information and intercept the data transferred between them.

How do man-in-the-middle attacks work?

MitM attacks are one of the oldest forms of cyber attacks. Computer scientists have been looking at ways to prevent threat actors from tampering with or eavesdropping on communications since the early 1980s. MitM attacks consist of sitting between the connection of two parties and either observing or manipulating traffic. This could be through interfering with legitimate networks or creating fake networks that the attacker controls. Compromised traffic is then stripped of any encryption in order to steal, change or reroute that traffic to the attacker’s destination of choice (such as a phishing login site). Because attackers may be silently observing, or re-encrypting intercepted traffic to its intended destination once it has been recorded or edited, it can be a difficult attack to spot. “MitM attacks are attacks where the attacker is actually sitting between the victim and a legitimate host the victim is trying to connect to,” says Johannes Ullrich, dean of research at SANS Technology Institute. “So, they’re either passively listening in on the connection or they’re actually intercepting the connection, terminating it and setting up a new connection to the destination.” MitM encompasses a broad range of techniques and potential outcomes, depending on the target and the goal. For example, in SSL stripping, attackers establish an HTTPS connection between themselves and the server, but an unsecured HTTP connection with the user, which means information is sent in plain text without encryption. Evil Twin attacks mirror legitimate Wi-Fi access points but are entirely controlled by malicious actors, who can then monitor, collect, or manipulate all information the user sends. “These types of attacks can be for espionage or financial gain, or to just be disruptive,” says Turedi.
“The damage caused can range from small to huge, depending on the attacker’s goals and ability to cause mischief.” In a banking scenario, an attacker could see that a user is making a transfer and change the destination account number or the amount being sent. Threat actors could use man-in-the-middle attacks to harvest personal information or login credentials. If attackers detect that applications are being downloaded or updated, compromised updates that install malware can be sent instead of legitimate ones. The EvilGrade exploit kit was designed specifically to target poorly secured updates. Given that they often fail to encrypt traffic, mobile devices are particularly susceptible to this scenario. “These attacks can be easily automated,” says SANS Institute’s Ullrich. “There are tools to automate this that look for passwords and write it into a file whenever they see one or they look to wait for particular requests like for downloads and send malicious traffic back.” While these Wi-Fi or physical network attacks often require proximity to the victim or targeted network, it is also possible to remotely compromise routing protocols. “That’s a more difficult and more sophisticated attack,” explains Ullrich. “Attackers are able to advertise themselves to the internet as being in charge of these IP addresses, and then the internet routes these IP addresses to the attacker and they again can now launch man-in-the-middle attacks.” “They can also change the DNS settings for a particular domain [known as DNS spoofing],” Ullrich continues. “So, if you’re going to a particular website, you’re actually connecting to the wrong IP address that the attacker provided, and again, the attacker can launch a man-in-the-middle attack.” While most attacks go through wired networks or Wi-Fi, it is also possible to conduct MitM attacks with fake cellphone towers.
Law enforcement agencies across the U.S., Canada, and the UK have been found using fake cell phone towers — known as stingrays — to gather information en masse. Stingray devices are also commercially available on the dark web.

A simple example to explain ‘Man-in-the-Middle Attack’

Suppose Alice wishes to communicate with Bob. Meanwhile, Mallory wishes to intercept the conversation to eavesdrop and optionally to deliver a false message to Bob. First, Alice asks Bob for his public key. If Bob sends his public key to Alice, but Mallory is able to intercept it, a MITM attack can begin. Mallory sends Alice a forged message that appears to originate from Bob, but instead includes Mallory’s public key. Alice, believing this public key to be Bob’s, encrypts her message with Mallory’s key and sends the enciphered message back to Bob. Mallory again intercepts, deciphers the message using her private key, possibly alters it if she wants, and re-enciphers it using the public key she intercepted from Bob when he originally tried to send it to Alice. When Bob receives the newly enciphered message, he believes it came from Alice. Let's see the stepwise description.

1. Alice sends a message to Bob, which is intercepted by Mallory:

Alice → Mallory: “Hi Bob, it’s Alice. Give me your key.” (Bob receives nothing yet)

2. Mallory relays this message to Bob; Bob cannot tell it is not really from Alice:

Mallory → Bob: “Hi Bob, it’s Alice. Give me your key.”

3. Bob responds with his encryption key:

Bob → Mallory: [Bob’s key]

4. Mallory replaces Bob’s key with her own, and relays this to Alice, claiming that it is Bob’s key:

Mallory → Alice: [Mallory’s key]

5. Alice encrypts a message with what she believes to be Bob’s key, thinking that only Bob can read it:

Alice → Mallory: “Meet me at the bus stop!” [encrypted with Mallory’s key]

6. However, because it was actually encrypted with Mallory’s key, Mallory can decrypt it, read it, modify it (if desired), re-encrypt it with Bob’s key, and forward it to Bob:

Mallory → Bob: “Meet me at the van down by the river!” [encrypted with Bob’s key]

7. Bob thinks that this message is a secure communication from Alice.

This example shows the need for Alice and Bob to have some way to ensure that they are truly using each other’s public keys, rather than the public key of an attacker. Otherwise, such attacks are generally possible, in principle, against any message sent using public-key technology. A variety of techniques can help defend against MITM attacks. This is one of the simplest examples of the attack.
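The key-substitution exchange above, replayed in code as an added example (not from the original article): a toy ephemeral-static Diffie-Hellman scheme over a small Mersenne prime stands in for the public-key encryption, and the fingerprint comparison in run_exchange is the out-of-band check on Bob’s key that the paragraph above calls for. The group parameters, the sample messages and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Toy group: Mersenne prime 2**127 - 1, generator 3; demonstration only, not for real use.
P, G = (1 << 127) - 1, 3
ALICE_MSG = b"Meet me at the bus stop!"                  # constructed sample
FORGED_MSG = b"Meet me at the van down by the river!"   # constructed sample

def keygen():
    """Return (private, public) for ephemeral-static Diffie-Hellman."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """Short SHA-256 digest of a public key, the value Alice compares
    against one learned out of band (or vouched for by a trusted CA)."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def _keystream(shared, n):
    """Derive n pad bytes from the DH shared secret (hash counter mode)."""
    key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(pub, msg):
    """Encrypt to a public key: fresh ephemeral key, DH, XOR with the pad."""
    eph_priv, eph_pub = keygen()
    pad = _keystream(pow(pub, eph_priv, P), len(msg))
    return eph_pub, bytes(a ^ b for a, b in zip(msg, pad))

def decrypt(priv, ct):
    eph_pub, body = ct
    pad = _keystream(pow(eph_pub, priv, P), len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def run_exchange(alice_checks_fingerprint):
    """Replay steps 3-7 of the article and return what each party ends up with."""
    bob_priv, bob_pub = keygen()
    mal_priv, mal_pub = keygen()
    received = mal_pub                          # step 4: Mallory swaps in her key
    if alice_checks_fingerprint and fingerprint(received) != fingerprint(bob_pub):
        return {"outcome": "rejected"}          # defense: pinned fingerprint mismatch
    ct = encrypt(received, ALICE_MSG)           # step 5: Alice "encrypts to Bob"
    mallory_reads = decrypt(mal_priv, ct)       # step 6: Mallory opens it...
    forwarded = encrypt(bob_pub, FORGED_MSG)    # ...and re-encrypts for Bob
    return {"outcome": "intercepted", "mallory_reads": mallory_reads,
            "bob_reads": decrypt(bob_priv, forwarded)}
```

Without the check Mallory reads Alice’s message and Bob receives the forged one; with it Alice aborts at step 4, which is the role certificate validation plays for TLS.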

Man in the middle attack prevention

Blocking MITM attacks requires several practical steps on the part of users, as well as a combination of encryption and verification methods for applications. For users, this means:

1. Avoiding WiFi connections that aren’t password protected.

2. Paying attention to browser notifications reporting a website as being unsecured.

3. Immediately logging out of a secure application when it’s not in use.

4. Not using public networks (e.g., coffee shops, hotels) when conducting sensitive transactions.

For website operators, secure communication protocols, including TLS and HTTPS, help mitigate spoofing attacks by robustly encrypting and authenticating transmitted data. Doing so prevents the interception of site traffic and blocks the decryption of sensitive data, such as authentication tokens. It is considered best practice for applications to use SSL/TLS to secure every page of their site and not just the pages that require users to log in. Doing so helps decrease the chance of an attacker stealing session cookies from a user browsing an unsecured section of a website while logged in.

Conclusion

Governments must refrain from using man-in-the-middle attacks to enable law enforcement access to private communications. Creating these capabilities greatly undermines security for all users and the infrastructure of the Internet. Bad actors could use the same methods created for law enforcement to perform their own attacks. We must make everyone aware of such cyber-attacks and make use of VPNs as far as practicable. These services encrypt our connection even on insecure HTTP websites and help protect us from MitM attacks. They also offer other security features, including location masking, bypassing geo-blocking and internet censorship, and an improved overall internet security posture. All of these features are especially important when regularly using open or public connections. We can also help prevent such attacks by not opening dodgy emails asking us to update credentials, by installing antivirus software, and by ensuring that all the sites we visit use HTTPS. MITM attacks present a real threat not only to the trust users have in the confidentiality and integrity of online communications but also to the security and reliability of the global Internet. While internet thieves are sly and difficult to notice, it never hurts to learn more about avoiding them. Practices like these will not only make us conscious of our activities but also help us surf the internet securely.
