MAN IN THE MIDDLE (MitM)

By: Justin Dempsey, Nex-Tech Technology Services Manager 

What is a Man in the Middle (MitM) attack? 

I always had concerns when I placed an order over the phone for a pizza that at the end of the month when I got my credit card statement, I would find that someone had used my card to purchase a new TV.  This is what a Man in the Middle (MitM) attack looks like. The difference is that instead of your credit card information, cyber attackers have your credentials and a multi-factor authentication (MFA) token.  

What is a token? In this instance, a token is something that is created during the multi-factor authentication request that is specific to the device and application requesting the authentication. Think of the Chrome browser on your work machine. This allows the device to be trusted and remembered for a defined period and will prevent the need to use MFA every time that device logs in.  

How do these cyberattacks start? 

MitM attacks that attempt to steal this token typically start when you receive an email from someone you do business with, or are in communication with, that contains a link to a document. This document may be listed as an invoice, bill, or some other important item. When you click on the link, it will take you to a login page. Here you are asked to enter your credentials and when prompted, your MFA code.  

At this point, you will probably get a spinning wheel of death and must close the window, leaving you to wonder if you did something wrong. This would be a good time to reach out to the sender through another means (call or text) to verify that the email was legitimate. Remember to avoid asking via email, as this allows the adversary to respond instead. 

If you’re wondering what happened behind the scenes, here’s an inside look. The link goes to a site hosted on the adversary’s machine that appears to be the official login page. When you enter your information into this phony site, cyber criminals pass it to the real site, but capture your username and password. If the real site requests multi-factor authentication, they capture that too. Because this whole process occurred on their machine, the adversaries now have a token telling the site not to ask for MFA from them again, until the token expires. 

Why would cybercriminals perform a Man in the Middle attack? 

In the small business sector, most attacks are financially motivated. I am seeing an increase in the use of compromised accounts in attacking other companies, typically related to financial matters. The attacks may compromise a vendor you do business with and send updated banking information which directs payments to an account owned by the adversary. Similarly, they may compromise your business and send fake invoices and/or updated payment requests to your customers. They may also contact your bank and request money transfers to adversary-controlled accounts. 

What are the best ways to prevent a Man in the Middle attack? 

How do you prevent it? If your process has never required you to login before, the first question you need to ask is, “Why do I need to login to access something this time?”  

99% of the time, you should not have to login to access this type of information. In the rare instance you do, it would be beneficial to call the individual and double check first. Continuous end-user training using Security Awareness Training software will allow you to ensure staff are keeping up with the latest attacks. You’ll also be able to track their growth progress (Ask your IT provider for more details!). 

These attacks continue to grow in sophistication and cyber criminals are getting better at evading the defenses put in place. The fast pace of this ongoing arms race between adversaries and defense systems means that most companies do not have the in-house knowledge to keep up. At the end of the day, the businesses that I have seen successfully defend against attacks realized they need both good IT engagement and a strong focus on education of the end user. 

For more information on how Nex-Tech can help your business create that successful defense combination, visit nex-tech.com/cybersecurity or fill out the form below.