A Man-in-the-Middle attack takes place when communication between two devices is intercepted by a third party.
This communication could be email, Internet browsing and so on, and the attacker not only gains access to the information being passed but is also able to target other information held on the participating devices.
The third party (the Man-in-the-Middle) sits between the computer user and their Internet connection, which enables them to intercept and record all data submitted, including login and financial information.
A Man-in-the-Middle hacker gains access to the email accounts of businesses, including banks. The attacker then monitors the activity for transactions and responds to the customer whilst spoofing the company’s email address, inserting their own bank details instead of the company’s.
The customer then receives the fake email, which appears to be legitimate because it seems to come from a company they are dealing with regarding a transaction that they are aware of; however, it is actually from the Man-in-the-Middle attacker.
The payment is then unwittingly made by the customer to the Man-in-the-Middle hacker instead of the company.
Typically, email hijacking takes place through phishing, spoofing, password guessing or cracking.
The Man-in-the-Middle hacker can then use the account that had been compromised to retrieve further personal and financial information of the user.
Through the use of Secure/Multipurpose Internet Mail Extensions (S/MIME), any emails sent are encrypted and can be digitally signed, meaning that an intercepted message cannot be read and any alteration to it will be detected.
Email is sent via SMTP (Simple Mail Transfer Protocol), which can be configured to require encryption when sending to specific servers.
Specialist email encryption applications and services are also available that can be used to help prevent email hijacking, including Protonmail and Mailfence.
A Man-in-the-Middle hacker can provide a Wi-Fi connection that appears legitimate; once users connect to it, the hacker can intercept the traffic of, and gain access to, the connecting device.
This type of attack is often known as an “evil twin” attack: the victim is tricked into connecting to a malicious wireless network that has been set up by the hacker. This network is often located in a public area where people may believe the network is safe, such as a coffee shop or a hotel, and is named after the business at that location.
Once a victim has connected to their network, the Man-in-the-Middle attacker can force users to visit unencrypted websites or fake versions of legitimate websites in order to obtain the user’s account information.
Public wireless networks are unsafe and should be used with caution. For example, access to banking websites or social media sites should be avoided on non-secure wireless networks.
When access is established to a website, a connection between the device and the site is made.
Session hijacking, sometimes known as cookie hijacking, is the unauthorised access of that connection through the theft of a magic cookie that is normally used to authenticate the device.
After obtaining the magic cookie, the Man-in-the-Middle hacker may use the ‘Pass the Cookie’ technique to perform session hijacking.
The ‘Pass the Cookie’ technique is often carried out through the following steps:
- The cookie is acquired from the victim’s device
- The Developer Console within Mozilla Firefox is used to set the cookie via document.cookie="key=value"
- The page is then refreshed and the hijacker is now logged in to the website as the victim.
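The three steps above depend on the session cookie being readable and settable from script, and on it being sent over any connection. The following Python script, added here as an illustration and not part of the original article, audits Set-Cookie headers (constructed sample values) for the attributes that blunt cookie theft: HttpOnly keeps the cookie out of document.cookie, Secure stops it being sent over plain HTTP, SameSite limits it being attached to cross-site requests, and a session cookie without Expires/Max-Age is not written to disk. The cookie names and values are made up.

```python
"""Audit Set-Cookie headers for cookie-theft mitigations.

Added example, not from the original article. Sample headers are constructed.
"""
from dataclasses import dataclass, field

# Constructed sample: Set-Cookie header values as a web application might emit them.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=7f3a9c; Path=/; HttpOnly; Secure; SameSite=Lax",
    "remember_me=1; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "csrftoken=ab12; Path=/; Secure; SameSite=Strict",
]


@dataclass
class CookieReport:
    name: str
    attributes: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Split one Set-Cookie value into the cookie name and its attributes.

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return CookieReport(name=name.strip(), attributes=attrs)


def audit_cookie(header: str, session_cookie_names=("sessionid",)) -> CookieReport:
    """Record which theft mitigations a cookie is missing."""
    report = parse_set_cookie(header)
    a = report.attributes
    if "httponly" not in a:
        # Without HttpOnly, script can read and overwrite it via document.cookie.
        report.findings.append("missing HttpOnly: readable and settable via document.cookie")
    if "secure" not in a:
        # Without Secure, the browser sends it over plain HTTP, where an on-path party can capture it.
        report.findings.append("missing Secure: sent over plain HTTP, exposed to on-path capture")
    samesite = str(a.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        report.findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    if report.name in session_cookie_names and ("expires" in a or "max-age" in a):
        # A persistent session cookie survives browser close and lingers on disk.
        report.findings.append("session cookie is persistent: survives browser close, lingers on disk")
    return report


def audit_headers(headers):
    """Map each cookie name to its list of findings (empty list = no issues)."""
    return {r.name: r.findings for r in (audit_cookie(h) for h in headers)}


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_SET_COOKIE_HEADERS).items():
        print(name, "->", findings or "ok")
```

Run against a site's own responses, the output gives a quick list of cookies that a stolen-cookie attack could lift from script or from an unencrypted connection. A cookie that legitimately must be read by page script (a CSRF token, for instance) will show the HttpOnly finding and can be accepted as a known exception.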
HTTP (Hypertext Transfer Protocol) is an Internet protocol used for the majority of web browsing and messaging.
HTTP communication is not protected and is straightforward to intercept when the attacker can sit between the device and the Internet connection and eavesdrop on its activity.
The HTTPS protocol uses SSL/TLS certificates and an encrypted, secure connection between the device and the website’s hosting server, meaning that the attacker is not able to eavesdrop on the communication.
Each device on a network is identified through the use of an IP address (Internet Protocol) and this is used to communicate with other devices on that network.
An IP spoofing attack takes place when a Man-in-the-Middle hacker uses the IP address of another legitimate device to gain access to information on the victim device that would normally not be accessible.
Within Man-in-the-Middle cases, the hacker sits between the two devices whilst spoofing the IP address of one to the other, which causes the network packets to be sent to the hacker’s computer instead of to their intended destination.
Man-in-the-Middle hackers are also able to use IP spoofing to carry out other types of computer crime, such as DDoS attacks, where the attacker floods a server with traffic that appears to come from multiple sources.
The best method of avoiding a Man-in-the-Middle attack is to use encrypted connections, where the data being transferred is encrypted with keys that only the sender and the recipient know. This also prevents a hacker from obtaining unauthorised access to a network by spoofing the IP address of an authorised device.
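One network-side control against IP spoofing is ingress/egress filtering (BCP 38): a router drops packets whose source address is implausible for the interface they arrived on. The Python code below, an added example not taken from the article, models that check against a constructed topology; the prefixes, packet list and function names are made up for illustration.

```python
"""Model of BCP 38 anti-spoofing filtering at a network border.

Added example, not from the original article. Topology and traffic are constructed.
"""
import ipaddress

# Constructed topology: the router's internal side serves these two prefixes;
# anything else is "outside".
INTERNAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Addresses that should never appear as a source on the external interface.
BOGON_PREFIXES = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def _in_any(addr, prefixes):
    return any(addr in net for net in prefixes)


def filter_packet(direction, src, dst):
    """Return a (verdict, reason) pair for one packet.

    direction: "inbound"  = arrived on the external (Internet-facing) interface
               "outbound" = arrived on the internal interface, heading out
    dst is carried only so the call mirrors a packet log entry.
    """
    src_ip = ipaddress.ip_address(src)
    if direction == "inbound":
        if _in_any(src_ip, INTERNAL_PREFIXES):
            # An outside host claiming one of our own addresses is spoofing.
            return ("drop", "inbound packet claims one of our internal source addresses")
        if _in_any(src_ip, BOGON_PREFIXES):
            return ("drop", "inbound packet has a bogon source address")
    elif direction == "outbound":
        if not _in_any(src_ip, INTERNAL_PREFIXES):
            # Stops our own network being used as a source of spoofed traffic (e.g. for DDoS).
            return ("drop", "outbound packet with a source address we do not own")
    else:
        raise ValueError("direction must be 'inbound' or 'outbound'")
    return ("accept", "source address is plausible for this interface")


# Constructed sample traffic: (direction, src, dst)
SAMPLE_PACKETS = [
    ("inbound", "203.0.113.7", "192.0.2.10"),    # normal reply from outside
    ("inbound", "192.0.2.10", "198.51.100.5"),   # outside host pretending to be inside
    ("inbound", "127.0.0.1", "192.0.2.10"),      # loopback as a source: never legitimate
    ("outbound", "192.0.2.10", "203.0.113.7"),   # normal request from inside
    ("outbound", "10.0.0.1", "203.0.113.7"),     # internal host spoofing a foreign source
]


def summarise(packets=SAMPLE_PACKETS):
    """Count verdicts over a packet list, as a log-review step would."""
    counts = {"accept": 0, "drop": 0}
    for direction, src, dst in packets:
        verdict, _ = filter_packet(direction, src, dst)
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", filter_packet(*pkt))
    print(summarise())
```

The same two rules are what a real border router or firewall enforces; the point of the model is that a spoofed source address is only plausible on one side of the border, so checking the interface a packet arrived on catches it before any higher-layer protection is needed.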
Domain name system (DNS) enables the translation of domain names to the IP address of the server that it corresponds to.
Therefore, it allows the user to deal with names (such as google.co.uk or athenaforensics.co.uk) rather than IP addresses that consist of numbers.
DNS works by identifying the IP address that corresponds to the website address requested by the user and then directing the user to the desired site.
DNS spoofing is an attack where a DNS request is intercepted by a Man-in-the-Middle attacker, who returns an address that leads to the attacker’s server rather than to the legitimate site.
Through this method, victims can enter their details into the fake website without being aware that it is not the real website. The account details for the real site can then be recorded and used by the Man-in-the-Middle attacker on the legitimate website.
As an example, the victim visits a page purporting to be a bank’s website; however, it is actually a fake website that records their login details. That information is retained by the fake site and then used on the actual bank website to gain access to the victim’s bank account.
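A resolver can reject many spoofed DNS answers simply by checking that a reply matches the query it sent: same transaction ID, same question section, and addressed to the port the query left from. The Python code below is an added example, not from the article, that builds a query and two responses (one genuine, one carrying the wrong transaction ID) on the DNS wire format and validates them; the names, IDs, addresses and ports are all constructed.

```python
"""Validate DNS responses against the query they claim to answer.

Added example, not from the original article. All values are constructed.
"""
import struct


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(data, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name):
    """Standard A query: header (RD set), one question, no records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip):
    """Response with one A record; the answer name is a pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def parse_message(data):
    """Parse header, first question and any A answers into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        _aname, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "flags": flags, "qname": qname.lower(),
            "qtype": qtype, "qclass": qclass, "answers": answers}


def validate_response(query, response, query_src_port, response_dst_port):
    """Accept a response only if it matches the outstanding query on every field."""
    q = parse_message(query)
    r = parse_message(response)
    if response_dst_port != query_src_port:
        return (False, "port mismatch")
    if r["txid"] != q["txid"]:
        return (False, "transaction id mismatch")
    if (r["qname"], r["qtype"], r["qclass"]) != (q["qname"], q["qtype"], q["qclass"]):
        return (False, "question mismatch")
    if not r["flags"] & 0x8000:
        return (False, "not a response")
    return (True, "accepted")


if __name__ == "__main__":
    q = build_query(0x1A2B, "example.com")
    genuine = build_response(0x1A2B, "example.com", "192.0.2.1")
    forged = build_response(0x1A2C, "example.com", "198.51.100.9")
    print(validate_response(q, genuine, 54321, 54321), parse_message(genuine)["answers"])
    print(validate_response(q, forged, 54321, 54321))
```

The ID and port checks are what make blind spoofing expensive for an attacker who is not actually on the path, which is why resolvers randomise both; an attacker who genuinely sits in the middle sees the query and can match all of these fields, so the checks complement, rather than replace, encrypted transports and DNSSEC validation.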
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance, please contact a member of our team on 0845 882 7386 or via email on email@example.com; further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our computer forensics experts are fully aware of the significance and importance of the information that they encounter. Our computer forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.