Man-in-the-Middle Attacks: Everything You Need to Know

Virus icon in between two smartphones, symbolizing a "Man-in-the-Middle attack"
In a hurry? Click here for a summary.
A Quick Guide: What is a Man-in-the-Middle Attack?

A man-in-the-middle attack is when a hacker compromises a network and listens in on or interacts fraudulently between two parties on the internet. This could be through email threads, social media messaging, or direct communication between a customer and a website.

Through this digital eavesdropping, malicious actors are able to obtain personal data, login credentials, or access to financial accounts. The “man in the middle” could also pose as someone you trust and dupe you into sending money to a fraudulent account.

There are ways to protect yourself against these attacks:

  • Be cautious with Wi-Fi networks. Make sure your home Wi-Fi is password-protected and don’t just use any public Wi-Fi.
  • Always use an HTTPS connection. Make sure you can see “https://” and a padlock in your browser next to the URL of the site you’re visiting.
  • Keep your software and operating systems up to date.
  • Get a good antivirus program, like Kaspersky, to protect your device against attacks and malware.
  • Use a VPN on public Wi-Fi networks. We recommend NordVPN for its top-of-the-line security protocols:

Want to learn more about man-in-the-middle attacks and how to protect yourself? Read our full article below.

The goal of a man-in-the-middle attack (also known as “MITM attack“) is to intercept your personal information, such as account login credentials, personal financial data, or credit card numbers. MITM hackers and attackers do this by wedging themselves between two parties online and intercepting and decrypting data.

If you fall victim to this kind of cyberattack, you could have your bank or cryptocurrency account drained, or fraudsters could dupe you into sending a legitimate transaction to a criminal account.

Though cybersecurity concerns and data breaches have become commonplace in today’s online world, many people don’t take the necessary precautions to keep their internet activities secure. This leaves them vulnerable to a variety of dangers lurking in the online shadows — including man-in-the-middle attacks.

Want to take a deep dive into MITM attacks? We’ll tell you how to prevent them and protect yourself.

What is a Man in the Middle Attack?

Imagine you’re depositing a check at the bank. As you write down your checking account number, there’s someone behind you peering over your shoulder and copying it down. Then they listen for your name and address and write that down, too. When you insert your debit card to prove to the bank teller that you’re you, they’re also watching you enter your PIN code.

A man-in-the-middle attack is all about watching and listening in. But when hackers commit MITM attacks online, they tend to do it a little more sophisticatedly. Through online tactics we’ll discuss later, they won’t just find out your information, but also know who you’re trying to communicate with. They can even impersonate your bank, a trusted business, or friend.

How does a man-in-the-middle attack work?

MITM attacks most often occur after a hacker gains control of a Wi-Fi network or creates a free unencrypted Wi-Fi connection. This way, the hacker is able to intercept data between two parties. These attacks are essentially a digital form of eavesdropping where hackers steal your personal or financial data through compromised networks.

How does a man in the middle attack work, infographic

This is the most dangerous version of a MITM attack, as everything said or shared can be easily read and stolen, without an attacker even needing to decrypt data. If you’re on a compromised network trying to access your online banking app, for example, a malicious actor could easily watch and record any sensitive information you enter.

These kinds of attacks can target any type of online communication, such as email exchanges, social media messaging, or website visits.

Since the hacker controls the Wi-Fi network, they can also pose as different parties and trick victims into handing over data, performing transfers, or other actions they might not have otherwise done.

Different Types of Man in the Middle Attacks

There are different ways in which an outside party can launch a MITM attack. They all include intercepting victims’ information and activity. Due to modern security protocols, hackers must often unencrypt the data as well, so that it’s readable and usable.

While intercepting, hackers redirect your online activity through their network before it reaches where you want it to go. This activity could include entering login credentials or credit card numbers, or even sharing private photos or videos with friends on a messaging app. Here are some common ways attackers intercept your data.

Wi-Fi eavesdropping

WiFi icon with virus iconThis is a tactic we mentioned earlier. Imagine you’re sitting in a Starbucks coffee shop and want to connect to their free Wi-Fi. You see “STRBUX Free Wi-Fi,” so you click it and connect your laptop. What you don’t realize is that a hacker, who is probably in close proximity to you, is now watching your every online move.

The hacker set up the Wi-Fi network to trick people into using it. Meanwhile, the hacker can note down passwords, usernames, and any private data users enter while on their network. Since it’s an insecure, unencrypted connection, decryption isn’t even necessary.

Email hijacking

Email icon with virus iconIn email hijacking attacks (which is also a form of phishing) a hacker targets the email accounts of organizations like banks and financial institutions. They gain access to the personal accounts of employees and customers to monitor transactions and queries.

If you’re trying to do some online banking, you might receive an email that looks like it’s coming from a trusted source at your bank. By following the instructions mentioned in the email, you could mistakenly send money to the attackers rather than where you intended the money to go.

IP spoofing

Virus icon over IP addresses iconAn Internet Protocol (IP) address is a unique number that identifies a network device. This number is linked to all your online activity and functions as a kind of electronic return address. Websites also have IP addresses.

In man-in-the-middle attacks, a hacker can spoof an IP address and trick your device into thinking you’re interacting with a familiar website like PayPal. In reality, you’re communicating with the hacker, and possibly giving them access to your private information.

DNS spoofing

Server icon with virus iconDomain Name System (DNS) spoofing is when a user is forced to access a fake website that is designed to look like a real one. This is similar to IP spoofing, but in this case, hackers reroute DNS queries to spoofed sites instead.

If you’re the target of DNS spoofing, you’re likely to believe that you’re visiting a legitimate site. Instead, you’re interacting with a hacker who is trying to divert traffic from the actual site and true DNS server so they can steal data like user login information. If you want to learn more about DNS and DNS servers, check out our full article here.

SSL stripping and hijacking

Lockpad with WiFi and virus iconsSites that handle sensitive financial info for customers — such as e-commerce sites like Amazon, banks, and cryptocurrency exchange platforms — use secure HTTPS website protocols. Websites that offer financial transactions need an SSL (Secure Sockets Layer) certificate for their site to keep customers’ information and privacy secure. This protocol is an extra layer of protection, as it encrypts the transfer of data between browsers and servers. Most browsers these days (Chrome, Firefox, Edge, etc.) will mark a site that isn’t using HTTPS as unsafe.

With a man-in-the-middle attack, a hacker intercepts and sends a compromised HTTP site back to the victim. This all happens in a brief moment. Let’s go through this process, using PayPal as an example again.

  1. A victim types in a secure HTTPS request for PayPal.
  2. The MITM (hacker) intercepts and sends the secure HTTPS request to the server.
  3. The server answers the secure HTTPS request.
  4. The MITM intercepts and sends an unsafe HTTP answer back to the victim.

As a result, the victim is redirected to a phony, unencrypted HTTP PayPal site where the hacker can log their account data. The victim might find out what’s happening only if they notice they’re using an HTTP connection instead of HTTPS or get a warning from their browser.

Browser window icon with virus iconA session hijacking attack takes place when you log into a website like your bank. A session is the period of time you spend logged into the site. These sessions are often targeted by hackers who want to obtain your information. There are various ways an attacker can access your session, but a common method is by stealing your browser cookies.

Cookies are small pieces of code that websites attach to your device to make your user experience better. With cookies, websites are able to remember things like your login information or the contents of your online shopping cart. Once a hacker has inserted themselves between you and the website, they can steal these cookies and decrypt them to figure out logins, passwords, or even stored credit card numbers and credentials.

5 Steps to Protect Yourself from MITM Attacks

Any internet user can be the target of a MITM attack. Though protecting yourself can be difficult considering the tricky nature of the attacks mentioned above, there are measures you can take. Here are five key tips to guard yourself against a man-in-the-middle attack.

Infographic that shows five steps to protect yourself from MITM attacks

1. Be cautious with Wi-Fi networks

Both your home network and public Wi-Fi networks can become the target of a MITM attack. Make sure your home Wi-Fi is secured and password protected. Your usernames and passwords should be strong, unique, and difficult to guess.

As for public Wi-Fi networks: proceed with caution. It’s best to avoid connecting to open networks, especially those without password protection. If you need to use one of these networks, avoid logging in and never use them to access financial accounts. An extra layer of protection on your devices won’t hurt, either — which brings us to our next point.

2. Use a VPN

When accessing a public Wi-Fi network, you should always use a VPN to keep yourself and your data safe. Installing a VPN is an extremely effective way to keep your data secure. Top VPNs create a military-grade encrypted connection that secures the data you send and receive while connected to  Wi-Fi.

Even if the network is compromised, a MITM hacker will be unable to see what you’re doing online if you use a VPN. This also means they will be unable to access your login credentials, financial data, and personal information.

For top-of-the-line security and privacy, we recommend NordVPN. It provides military-grade 256-bit encryption, the highest level security protocols, and has been proven to keep no logs of user activity through two independent audits.

Check Out NordVPN

3. Get premium antivirus software

If you’re on a compromised network, hackers can inject malware into your browser or device. Besides allowing them to read your login information, passwords, and other sensitive data, certain trojans and worms can also allow the attacker to breach networks and connections. Other malicious programs like ransomware, adware, and spyware can wreak all kinds of other havoc on devices and networks. That’s why the most important line of defense for any computer or network is strong antivirus software.

Good antivirus programs are constantly up to date on the latest threats. If you enact real-time protection, they’ll stop you from entering a malicious site that forces you to download malware or runs a MITM campaign. By regularly scheduled deep scans on your device, you’ll also root out any viruses, trojans, or worms that may have infected your device or network.

We’ve got a strong list of antivirus programs we recommend, but Kaspersky comes in at No. 1. It’s got strong anti-phishing and real-time anti-malware protection. It also allows your device to run at optimum performance while it’s active in the background.

Check Out Kaspersky Antivirus

If you’re on a budget and looking for free antivirus protection, check out our list of the top five free antivirus providers of this moment.

4. Only use HTTPS connections

In the past, most websites transmitted data over unsecured HTTP connections, but much has changed in recent years. Now, most websites use HTTPS connections as a defense against cyberattacks. They are a bit more complicated and cost more to set up, but companies have found that the extra time and cost are worth it.

Make sure you can see “HTTPS” in the URLs of the sites you visit and keep an eye out for a padlock icon in your browser. If you don’t see the HTTPS, add it manually. Then try reloading the site. If the lock is visible, this means your connection is secured.

Wells Fargo homepage screenshot, secured connection

5. Keep your systems and programs up to date

Hackers are constantly figuring out new ways to attempt MITM attacks and software developers often update programs and systems to combat this. Make sure you are diligent about keeping your systems and programs up to date.

Simply check your systems for updates and don’t postpone them. This includes updates on your web browser, your devices, and any apps on your computers and smartphones. These updates ensure that you’re getting all the latest security patches and fixes to keep out attackers.

Real-World Examples of MITM Attacks

MITM attacks are quite widespread, although they tend to happen on a small scale. Some experts have estimated roughly 35% of attacks that exploit cyber vulnerabilities have been MITM attacks. Hackers can drop in on a cafe or airport Wi-Fi connection and make a quick score. Even so, there have been some high-profile cases in the past decade.

  • In December of 2019, hackers pulled off what cybersecurity experts called the “ultimate” MITM score. Checkpoint Research said attackers were able to trick a Chinese venture capital firm into sending them $1 million meant for an Israeli startup. Hackers spoofed email domains, intercepted communication, and impersonated each party to misdirect the transaction. Attackers even canceled an in-person meeting to lock in the wire transfer fraud.
  • In March of 2019, CrowdStrike identified a collaborative effort between Lunar Spider and Wizard Spider, two of the largest cybercrime syndicates, to commit MITM attacks. Lunar Spider’s BokBot and Wizard Spider’s TrickBot banking malware worked together to conduct a blitz of fraudulent bank transfers. TrickBot would infect web hosts and provide false SSL certificates to downgrade security measures, while BokBot would redirect web traffic and inject code for malicious sites.
  • In 2017, credit score giant Equifax had to pull apps from the Google Play and Apple Store after a data breach. Cybersecurity analysts later discovered they weren’t properly using the HTTPS protocol, which allowed hackers to swoop in and read data on customers logging into their accounts with sensitive personal and financial data.
  • In 2015, a South London couple lost £340,000 when they provided their bank account information and sort code for a property sale. The email was intercepted by the hackers, who then pretended to be the real estate brokers and had the couple send the money to a fraudulent account.
  • Also in 2015, Europol arrested 49 members of an organized man-in-the-middle fraudster group for intercepting banking transfers in Spain, Italy, Poland, the UK, Belgium, and Georgia. Fraudsters typically posed as banks after intercepting communication and had victims send money to fraudulent accounts.
What is a Man-in-the-Middle Attack? | FAQs

Got a question about man-in-the-middle attacks? Click on any of our frequently asked questions below for an answer.

Man-in-the-middle attacks start when a hacker has compromised a network. They typically do this by hijacking a real public Wi-Fi network or tricking users into using the malicious Wi-Fi network they’ve set up. The hacker becomes the “man in the middle” by digitally eavesdropping on conversations or transactions between two parties. During this attack, hackers can easily obtain personal data, login credentials, access to financial accounts, or even trick someone into sending a transaction to their own account. For more information, read our full article.

Man-in-the-middle attacks are caused by the compromisation of a Wi-Fi network. This could be the hacking of a public or private network, or a hacker creating their own malicious Wi-Fi network for unsuspecting victims to connect to. Phishing emails can also lead victims to compromised websites where third parties collect their information.

To prevent man-in-the-middle (MITM) attacks,

  1. Make sure there is “HTTPS” and a padlock in your browser. You can also use HSTS protocols, which force your browser to only recognize HTTPS.
  2. Keep your systems up to date. Updates help patch vulnerabilities that might otherwise be exploited by hackers.
  3. Use a VPN. Premium VPNs use military-grade encryption, so hackers won’t be able to read your internet activity and traffic.

For more tips on preventing MITM attacks, check out our full article.

Tech journalist
Taylor is a tech writer and online journalist with a special interest in cybersecurity and online privacy. He’s covered everything from sports and crime, to explosive startups, AI, cybercrime, FinTech, and cryptocurrency. For he follows news and developments in online privacy, cybersecurity, and internet freedom.