Skip to content


Man-in-the-middle attacks are also referred to as monkey-in-the-middle, monster-in-the-middle, machine-in-the-middle, and man-in-the-browser attacks. Man-in-the-middle is the most common type of cyber attack in which the attackers focus on browser infection and inject malicious malware into the victim’s device. This malware is injected through phishing emails. The main objective behind these cyber attacks is to steal financial information by intercepting a user’s traffic to a financial website.

MITM cyber attacks are a serious threat to online security as they allow an attacker to capture and manipulate confidential personal information such as login credentials, account details, and credit card numbers in real-time.

What is MITM?

A man-in-the-middle attack is a type of cyber attack, where attackers interrupt communication or data transfer. The attackers insert themselves in the middle of the transfer, pretending to be legitimate participants. This enables an attacker to intercept data and information from either party while also sending malicious links or information to both legitimate participants in a way that might not be noticed until it is too late.

Man-in-the-middle attacks enable eavesdropping between participants, clients, and servers. This can include Wi-Fi network connections, HTTPS connections to websites, other SSL/TLS connections, and many more.

The goal of an attack is to steal confidential information, such as account details, login credentials, and credit card numbers. Targets typically use financial applications, e-commerce sites, SaaS businesses, and other websites where logging in is mandated.

Information obtained during MITM attacks is used for many purposes, including unapproved fund transfers, illicit password changes, or identity theft. Additionally, it can infiltrate a secure perimeter as part of an advanced persistent threat (APT) assault.

MITM attacks are similar to a mailman opening your bank statement, grabbing your account details, and then resealing it before delivering it.

How does MITM work?

During MITM attacks, attackers insert themselves in the middle of online communication or data transactions. The malware allows attackers easy access to users’ web browsers and the data they send and receive during transactions through the distribution of malware. Online banking and e-commerce sites, which require secure authentications, are the primary targets of MITM attacks as they allow attackers to capture login credentials and other confidential information.

Generally, MITM attacks are accomplished through a two-step process known as data interception and decryption. Data Interception entails attackers intercepting the data transferred between a client and a server, compelling them to believe that they are exchanging information. In the meantime, the attacker intercepts data, establishes a connection to the real website, and acts as a proxy to read and inject false information.

Steps involved in the Data Interception technique:

  1. An attacker installs a packet sniffer to gauge insecure network traffic, such as a user accessing an HTTP-based website or using a non-secure public hotspot.
  2. Once the user logs into the insecure website, the attacker retrieves the user’s confidential data and redirects them to a fake website.
  3. The fake website spoofs the original website and gathers all the relevant user data, which the attacker can use to access resources on the original website.

The decryption stage is where the intercepted data is unencrypted. This step enables the attacker to decrypt the data and use it to their advantage; for example, they cause disruptions to business operations or execute identity theft.

Types of MITM

1. ARP Spoofing or ARP Cache Poisoning

Fig 2.1 ARP Spoofing

Address Resolution Protocol translates the physical address of a device ( MAC – media access control address) and the IP address assigned to it on the local area network. An attacker who uses ARP spoofing injects false information into the local area network to redirect connections to their device.

Here’s how ARP spoofing happens:

  • The attacker injects fraudulent ARP packets into your network.
  • The ARP packets say that the address belongs to the attacker’s device with a MAC address of 11:0a:91:9d:96:10 and not to your router.
  • The ARP cache stores incorrect information associating the IP with MAC 11:0a:91:9d:96:10.
  • Your laptop connect to the attacker’s machine rather than connecting to your router,
  • The attacker’s machine then connects to your router and connects you to the Internet, allowing the attack to modify your connection to the Internet.

2. IP Spoofing

Fig 2.2: IP Spoofing

IP spoofing happens when one machine pretends to have another IP address, usually the same one as another. Here’s how it happens:

  • The attacker enters your LAN with IP address and runs a sniffer allowing them to see all IP packets in the network.
  • Attackers then intercept your connection to the router IP address, they look for packets between you and the router to foreshadow the sequence number.
  • The attacker sends a packet from their laptop with the source address of the router ( at the right moment and the correct sequence number, tricking your laptop.
  • Then the attacker floods the real router with a DoS attack, disabling it for a moment and enabling their packets to reach you before the routers do.
  • Your laptop is now assured that the attacker’s laptop is the router, completing the man-in-the-middle attack.

3. DNS Spoofing

Fig 2.3: DNS Spoofing

ARP spoofing and IP spoofing both depend on the attack connected to the same LAN as you, but DNS spoofing attacks can come from anywhere. DNS spoofing is more challenging as it relies on a vulnerable DNS cache, and its worst part is a large number of people may be affected.

Here is an example of DNS spoofing:

  • The attacker knows you use as your resolver (DNS cache), and this resolver is vulnerable to poisoning.
  • The attacker poisons the resolver and stores your bank’s website information on their fake website’s IP address
  • When you type in your bank’s website into the browser, you see the attacker’s site, and then the attacker connects to the original site and completes the attack.

4. HTTPS Spoofing

Fig 2.4: HTTPS Spoofing

Web browser spoofing is a type of typosquatting where an attacker registers a domain name that looks very similar to the domain address you wanted to connect to. Then they deliver the fake URL to use other approaches such as phishing.

The Google security team considers the address bar is the most crucial security indicator in modern browsers. It gives authenticity and verifies that you are on the right website.

5. Email Hijacking

Fig 2.5: Email Hijacking

An attacker who compromises an email account and gathers confidential data by eavesdropping on email conversations is called Email Hijacking. It makes social engineering attacks very effective by imitating the person who owns the email and is usually used for spearphishing.

6. WiFi Eavesdropping

Fig 2.6: WiFi Eavesdropping

Unencrypted Wi-Fi connections are effortless to eavesdrop on. Imagine having a conversation in a public place where anyone can listen in. The best way to limit your exposure is to set your network to private, which disables Network Discovery and prevents other users from accessing your device.

7. SSL Hijacking

Fig 2.7: SSL Hijacking

An attacker blocks a connection and generates SSL/TLS certificates for all domains you visit. They present the fake certificate to you, set up a connection with the original authentic server, and then relay the traffic.

This strategy works only if the attacker can make your browser believe the certificate is trusted by a Certificate Authority (CA). Else, your browser will refuse to open the page or display a warning.

Here’s how SSL Hijacking works:

  • An attacker uses a separate cyber attack to get you to download and install their CA.
  • When you visit a secure website, say your bank, the attacker blocks your connection, generates a certificate for your bank, signs it with their CA, and serves the website back to you.
  • Your browser thinks the certificate is original, as the attack has tricked your computer into thinking the CA is a trusted source.
  • The attacker sets up a connection with your bank and transfers SSL traffic through them.

8. Session Hijacking

Fig 2.8: Session Hijacking

A man-in-the-middle attack that typically compromises social media accounts is called Session Hijacking. Social media websites store a session cookie on your devices, these cookies are then invalidated when you log out. But when the session is active, the cookie provides your identity, access, and tracking information.

Attackers can gain access to your account by stealing a session cookie through malicious malware, browser hijacking, or cross-site scripting by running malicious JavaScript on popular web applications.


How to Detect and Prevent MITM Attack

Detecting a Man-in-the-middle attack can be challenging without taking the proper steps. A Man-in-the-middle attack can potentially go undetected until it is too late if you are not actively looking for intercepted communications. Checking for page authentication and implementing tamper detection are typically the key methods to detect a possible attack.

The most suitable countermeasure against man-in-the-middle attacks is to control them. It will be quite challenging to prevent an attacker from intercepting your connection if they have access to your network. It can be ensured with strongly encrypted communication

Here are some tips you can follow to avoid man-in-the-middle:

  • Virtual Private Network (VPN) encrypts your web traffic by limiting an attacker’s ability to modify communication.
  • Network intrusion detection systems (NIDS) are placed at strategic points to monitor traffic from all devices on the network. Analysis of the passing traffic on the subnet is carried out, and it compares that traffic with the library of known attacks. Once abnormal behavior or an attack is identified, an alert message is sent to a cybersecurity professional. 
  • The firewall helps to prevent unauthorized access.
  • Sign-out can avoid session hijacking of any unused accounts to invalidate session cookies.
  • Force encryption: Avoid sharing sensitive details or credentials on sites without HTTPS
  • Install HTTPS – Chrome security extension that compels SSL connection wherever possible.
  • Use a password manager: Avoid auto-filling passwords on disreputable sites.
  • Two-factor authentication is the best way to prevent email hijacking as it requires additional authentication with your password.
  • Patch software and hardware to ensure that all your tools are up-to-date to avoid man-in-the-middle attacks.
  • Use secure DNS servers (DNS cache): Ensure your DNS servers are secure and safe.
  • Application security: ensure your website or applications are regularly scanned for vulnerabilities and fixed. 
  • Think about what you install:  Install browser software and add-ons only if you know they are from a reputable source.
  • Avoid public Wi-Fi networks: Configure your device’s manual connection while using public Wi-Fi.
  • Antivirus and antimalware: Make sure your system boots with antivirus and antimalware software that includes a scanner to prevent man-in-the-middle attacks.
  • Understand common phishing scams: Email attachments from phishing emails are a common attack vector, if you’re not sure who the email came from, pick up the phone and ask.


Internet-connected devices are increasingly becoming the target for phishing and other cybersecurity threats. One way to reduce these attacks is by embracing a secure software development life cycle. Manual penetration testing and static code can detect security vulnerabilities before exploitation.