The motive for the vast majority of cybercrime is to steal either money or data. These attacks are sometimes small, targeting individuals, and sometimes massive, targeting large enterprises and stealing thousands of users’ details. In the majority of cases, attackers try to infect their targets with malicious code, as this is the easiest way to achieve their goals, but when this isn’t an option, they often turn to man-in-the-middle (MITM) attacks.
Jayson O’Reilly, director of sales and innovation at DRS, says this attack vector sees the threat actor placing himself or his tools between the victim and the resource, be it an e-mail account, or a banking Web site.
“Network traffic usually travels directly between two machines that communicate with each other via the Internet. MITM attacks employ ARP spoofing to fool the one user’s machine into believing it is communicating with the other user’s one. However, in reality, the network traffic between the machines is flowing through the cyber criminal’s system, allowing him or her to scrutinise the traffic for anything that might be valuable or of interest.”
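The ARP spoofing described above leaves a trace a defender can watch for: an IP address that suddenly answers from a different MAC address, or a single MAC that claims several IPs. The following detector is an added example for this article, not code from O’Reilly or DRS; the ARP replies it reads are constructed, and the addresses are hypothetical.

```python
from collections import defaultdict

# Constructed sample of ARP replies (sender IP, sender MAC) as a monitoring
# host on the LAN might observe them. The last two entries are forged: a
# second MAC answers for the gateway and for a client, which is how an ARP
# spoofing MITM inserts itself between the two.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # legitimate gateway
    ("192.168.1.10", "aa:bb:cc:00:00:10"),  # client
    ("192.168.1.11", "aa:bb:cc:00:00:11"),  # client
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway again, same MAC, fine
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # same IP, new MAC: suspicious
    ("192.168.1.10", "de:ad:be:ef:00:99"),  # same MAC now claims a client too
]

def detect_arp_spoofing(replies, known=None):
    """Track IP->MAC bindings seen in ARP replies and return alert strings.

    known: optional dict of trusted IP->MAC bindings (e.g. the gateway) so a
    forged reply is flagged even if it arrives before the legitimate one.
    """
    bindings = dict(known or {})      # current IP -> MAC binding
    claimed = defaultdict(set)        # MAC -> set of IPs it has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        claimed[mac].add(ip)
        prev = bindings.get(ip)
        if prev is None:
            bindings[ip] = mac        # first time we see this IP
        elif prev != mac:
            alerts.append(f"IP {ip} moved from {prev} to {mac}")
            bindings[ip] = mac        # follow the change so flapping is visible
    # One MAC answering for many IPs is the signature of a poisoning attempt.
    for mac, ips in claimed.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims {len(ips)} IPs: {sorted(ips)}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print("ALERT:", alert)
```

On a real network, feed the function the sender fields from captured ARP replies; a binding change for the default gateway is the alert worth paging on.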
He adds that this sort of attack works very well at places that offer WiFi, such as cafes, restaurants and museums. “In any type of open network you are exposed, as the networks are unencrypted and stealing data is child’s play.”
According to O’Reilly, MITM attacks are hard to avoid using only traditional security tools that come with new machines. “Using encrypted network connections, either through secure browsing with HTTPS or through virtual private network (VPN) technology can make it extremely tricky for attackers to succeed.”
He says HTTPS works because it uses the browser’s Secure Sockets Layer (SSL) support to shield Web traffic from snooping.
“When communicating over the Web using HTTPS, the browser uses certificates to ensure the servers you are connecting to are legit. These certificates are recognised and vetted by trusted third-party sites such as authentication provider VeriSign. If the browser fails to recognise the authority of the certificate that a server has sent, it will pop up a warning message, and you will know that server is not to be trusted.”
Similarly, some VPNs make use of SSL, and as such, the threat actor would need to get his hands on the encryption keys if he wanted to snoop on the network traffic. “This isn’t impossible, but it does put a spanner in the works. Until bulletproof solutions are found, use these two tools and stay away from Web servers that you suspect might be dodgy,” O’Reilly concludes.