Imagine you’re at your favorite coffee shop. You decide to connect to the free WiFi available and then proceed to open your bank app to make payment. Everything seems normal: you log in, see your balance, make the transfer, log out.
Unbeknownst to you, an attacker has set up a fake WiFi hotspot that looks identical to the coffee shop’s network. As you entered your login credentials, they were intercepted, and now someone else has access to your bank account. This is a classic example of a man in the middle (MITM) attack.
A MITM attack is a common cybersecurity threat where an attacker secretly intercepts and manipulates communication between two parties who believe they are directly communicating with each other. These attacks can expose sensitive data, disrupt operations, and compromise trust — making them a significant concern for individuals and organizations alike.
According to research, you are always at risk of these eavesdropping incidents:
Some organizations and cybersecurity experts view the term “man-in-the-middle” as inaccurate, because of scenarios where the attack is not carried out by a person but by a different entity like a bot, device or malware.
Alternative terms for man-in-the-middle attack include adversary-in-the-middle (AITM), manipulator-in-the-middle, on-path attack, and monkey-in-the-middle attack.
An MITM attack consists of two main phases: interception and decryption.
Interception is the phase where the attacker captures the information from the target before it reaches the intended destination. A common way to do this is to set up malicious Wi-Fi hotspots that users can connect to for free. All transactions conducted over that Wi-Fi network are recorded by the attacker.
The decryption phase is where the stolen data is decoded and decrypted. This needs to be done without alerting the user, the application, or the service provider.
A Man in the Middle attack is a common cyberattack in which a third party positioned between a client and a server eavesdrops on their communications. The scenario involves the client and server communicating in a pseudo-secure network environment, which assumes that data is only transferred between the authorized, trusted and intended parties. Sometimes these attacks are known as “adversary in the middle” attacks.
Consider a simple example of two individuals, Alice and Tony, sharing sensitive documents over the network. After a connection between the two parties is established, a third entity, Eve, hijacks the session. Eve impersonates Tony and asks Alice to send her the documents. Eve then modifies the documents and sends them to Tony, pretending to be Alice.
Both Alice and Tony believe they are communicating with each other — in reality, Eve intercepted the communications channel and leaked and modified the data.
(See how XSS and brute force attacks work.)
A Man in the Middle attack is accomplished in several ways. Let’s review the most common ways that MITM attacks occur.
Address Resolution Protocol (ARP) spoofing refers to the MITM technique where the MAC address of the attacking machine is linked to the IP address of the legitimate recipient. When a host on the local network resolves that recipient’s IP address to a MAC address, the forged mapping causes the traffic to be delivered to the attacking machine instead.
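The two symptoms of ARP spoofing that a defender can watch for are an IP address whose MAC mapping suddenly changes and a single MAC address that starts answering for several IP addresses (typically the gateway and a victim). The following monitor is an added example, not code from the original post; the ARP events it consumes are constructed, and in practice they would come from a packet capture or from periodically parsing the host’s ARP cache.

```python
# Added example (not from the original post): a small ARP-cache monitor that
# flags the two symptoms of ARP spoofing: an IP address whose MAC mapping
# changes, and one MAC address claiming several IP addresses.
from collections import defaultdict

# Constructed ARP reply events as (timestamp, ip, mac).
SAMPLE_ARP_EVENTS = [
    (1, "10.0.0.1", "aa:bb:cc:00:00:01"),   # gateway
    (2, "10.0.0.25", "aa:bb:cc:00:00:25"),  # workstation
    (3, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (4, "10.0.0.1", "de:ad:be:ef:00:99"),   # gateway IP now answered by a new MAC
    (5, "10.0.0.25", "de:ad:be:ef:00:99"),  # same MAC also claims the workstation
]


class ArpMonitor:
    def __init__(self):
        self.ip_to_mac = {}                  # last MAC seen for each IP
        self.mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
        self.alerts = []

    def observe(self, ts, ip, mac):
        """Record one ARP reply and append an alert for each suspicious change."""
        mac = mac.lower()
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            self.alerts.append(f"{ts}: {ip} changed from {previous} to {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            ips = sorted(self.mac_to_ips[mac])
            self.alerts.append(f"{ts}: {mac} claims multiple IPs {ips}")
        return list(self.alerts)


def scan_events(events):
    """Run the monitor over a sequence of (ts, ip, mac) events; return alerts."""
    monitor = ArpMonitor()
    for ts, ip, mac in events:
        monitor.observe(ts, ip, mac)
    return monitor.alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_ARP_EVENTS):
        print(alert)
```

A legitimate change (a replaced network card, a DHCP lease moving to another machine, or a router that legitimately owns several addresses) produces the same alerts, so in a real deployment the gateway’s expected MAC and any known multi-homed devices should be allowlisted and the remaining alerts correlated with the network delays and disconnections discussed later in this post.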
ICMP is part of the Internet protocol suite that communicates diagnostic information between the client and server. The ICMP MITM attack redirects traffic to a routing device controlled by the attacker, before sending it to a gateway connected to the intended recipient.
Any replies received by the gateway are likewise routed through the attacker’s MAC address before being sent on to the victim client.
The attacker alters the website address record on the DNS server. In this case, a correct website URL resolves to an IP address that belongs to the attacker. Instead of returning the intended website, a fake website impersonating the original one is returned and engages the victim.
(Related reading: DNS security explained & what is spoofing?)
This attack is also known as the Evil Twin attack — it tricks users into connecting to a malicious WiFi hotspot that resembles a legitimate WiFi connection.
For example, a WiFi hotspot with a similar name as your organization’s WiFi lets you connect and has access to all data transmitted over your network connection.
The attacker swaps the secure HTTPS links between the server and the client, with insecure HTTP links. The attacker then establishes a middle-man HTTPS connection with the server itself, while keeping an HTTP connection with the victim client.
This allows the middleman attack to access sensitive data such as login credentials, while the connection to the server is still presented as a secure HTTPS channel.
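SSL stripping only works when the browser can be talked into a plain HTTP connection, so the server-side defenses are an HTTP Strict Transport Security (HSTS) header with a long lifetime and no same-site links that still point at http://. The audit below is an added example, not code from the original post or from any Splunk product; the two responses it inspects are constructed, and the threshold of one year for `max-age` is the commonly recommended minimum rather than something stated in the post.

```python
# Added example (not from the original post): audits an HTTPS response for the
# conditions that make SSL stripping possible, namely a missing or weak
# Strict-Transport-Security header and same-site links served over http://.
import re
from urllib.parse import urlparse

MIN_HSTS_MAX_AGE = 31536000  # one year; assumed recommended minimum


def parse_hsts(value):
    """Return (max_age, include_subdomains) from an HSTS header value, or None."""
    if value is None:
        return None
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.strip().isdigit():
            max_age = int(arg.strip())
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


def audit_response(site_host, headers, body):
    """Return a list of findings; an empty list means no stripping indicator."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    hsts = parse_hsts(hdrs.get("strict-transport-security"))
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        max_age, include_sub = hsts
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains")
    # Same-site links over plain HTTP are exactly what a stripping proxy
    # rewrites and what a browser without an HSTS entry will follow.
    for url in re.findall(r'(?:href|action|src)=["\']([^"\']+)', body, re.I):
        parsed = urlparse(url)
        if parsed.scheme == "http" and parsed.hostname == site_host:
            findings.append(f"plain-http same-site link: {url}")
    return findings


# Constructed responses for the same (hypothetical) site: weak and hardened.
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_BODY = '<a href="http://bank.example/login">Log in</a>'
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
}
HARDENED_BODY = '<a href="https://bank.example/login">Log in</a>'

if __name__ == "__main__":
    print("weak:", audit_response("bank.example", WEAK_HEADERS, WEAK_BODY))
    print("hardened:", audit_response("bank.example", HARDENED_HEADERS, HARDENED_BODY))
```

HSTS is remembered by the browser only after one successful HTTPS visit, so the very first connection to a site is still exposed unless the domain is on the browsers’ preload list; that is why the hardened header above carries the `preload` directive.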
A fake HTTPS certificate may be forwarded to the victim, which tricks them into believing that the connection is secured by HTTPS. The attacker generates and sends fake authentication keys to both the client and the server during the connection handshake, which sets up an apparently validated HTTPS communication channel.
Man-in-the-browser is a form of MITM attack where an attacker inserts malware (e.g. trojan horse) into a victim’s web browser through an infected app, plugin, or extension.
The main goal of this type of attack is to intercept and modify the user’s web transactions, typically for financial gain, where the attacker manipulates internet banking services and changes transaction verifications to gain monetarily from the victims.
Mitigating an MITM attack can help a business or individual reduce the potential harm caused by an attacker.
Here are some methods of detection and mitigation:
Avoid public and open WiFi networks where possible. If you need to connect, use a VPN to avoid eavesdropping, or use a captive portal that requires authentication. You should also avoid connecting to unfamiliar networks with suspicious names. Secure your own WiFi networks with WPA3 encryption, use strong and complex passwords, and change them periodically.
Man-in-the-middle attacks exploit known vulnerabilities in outdated systems. Keep your software, routers, and firewalls updated to patch security holes, and don’t forget firmware updates on network devices.
Pay attention to the URLs you visit for suspicious or unusual web addresses. DNS hijacking can generate spoofs of familiar web addresses, typically with subtle alterations that are barely noticeable and easily overlooked.
For example, an attacker might replace “www.google.com” with “www.g00gle.com”. This spoofing method is highly effective because most people miss these simple changes.
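Checking visited hostnames against a list of domains your organization expects to see is a mechanical way to catch substitutions like the one above. The detector below is an added example, not code from the original post: it folds common confusable characters (0 for o, 1 for l, rn for m, and so on) and then compares the folded name against an allowlist, first exactly and then by edit distance. The allowlist, the substitution table and the test hostnames are constructed for illustration, and the registrable-domain extraction is a deliberate simplification (last two labels) rather than a public-suffix-aware implementation.

```python
# Added example (not from the original post): flags look-alike hostnames such
# as www.g00gle.com for www.google.com.

# Constructed table of common confusable substitutions (source -> intended).
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                 ("3", "e"), ("5", "s"), ("7", "t"), ("|", "l")]


def fold(hostname):
    """Lower-case the name and fold confusable characters to their look-alikes."""
    h = hostname.lower().rstrip(".")
    for src, dst in SUBSTITUTIONS:
        h = h.replace(src, dst)
    return h


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(hostname):
    """Simplified registrable domain: the last two labels (assumption)."""
    return ".".join(hostname.split(".")[-2:])


def classify(hostname, expected_domains, max_distance=1):
    """Return ('ok', domain) for a genuine expected domain, ('lookalike', domain)
    for a name that impersonates one, or ('unknown', None) otherwise."""
    raw = hostname.lower().rstrip(".")
    expected = [e.lower() for e in expected_domains]
    # Genuine names are checked before folding so that a real domain containing
    # digits is never mistaken for a look-alike of itself.
    for exp in expected:
        if raw == exp or raw.endswith("." + exp):
            return ("ok", exp)
    folded = fold(raw)
    for exp in expected:
        if folded == exp or folded.endswith("." + exp):
            return ("lookalike", exp)
        if edit_distance(registrable(folded), exp) <= max_distance:
            return ("lookalike", exp)
    return ("unknown", None)


# Constructed allowlist of domains the organization expects users to visit.
EXPECTED_DOMAINS = ["google.com", "splunk.com"]

if __name__ == "__main__":
    for name in ["www.google.com", "www.g00gle.com", "www.gooogle.com", "example.org"]:
        print(name, "->", classify(name, EXPECTED_DOMAINS))
```

The edit-distance check catches typosquats that no substitution table anticipates (an extra or dropped letter), at the cost of occasionally flagging an unrelated domain that happens to be one character away from an expected one; keeping `max_distance` at 1 and reviewing alerts rather than blocking on them keeps that tolerable.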
Notice sudden disconnections and network delays. An obvious sign of a potential man-in-the-middle attack is a sudden, unexpected network delay or disconnection.
If you frequently encounter disconnections or delays on your network, it’s worth investigating further to ensure the issue isn’t something more than a simple network problem, because attackers will deliberately disconnect user sessions to capture authentication details when the user attempts to reconnect.
The latency of a network is the time it takes for data to travel from a source to a destination and back again.
Monitoring network latency typically involves timing an operation of known cost, such as computing a hash. Because multiple transactions travel over the same connection, their individual response times should be similar. If transactions begin taking longer to complete, a third party may be manipulating the transfer — hence a possible “Man-in-the-Middle” attack.
This latency comparison can be done using timestamps in the TCP packet headers, by analyzing the difference between timestamps recorded during packet transmission and reception.
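The comparison just described can be automated by building a baseline from the first transactions on a connection and alerting when later ones fall well outside it. The code below is an added example, not from the original post: it uses the median and the median absolute deviation (MAD) so that one noisy sample does not distort the baseline, and it keeps outliers out of the baseline so that a sustained shift keeps alerting. The round-trip times are constructed; the warm-up length, the threshold of four MADs and the 5 ms jitter floor are assumed tuning values, not figures from the post.

```python
# Added example (not from the original post): detects a sustained increase in
# transaction round-trip time relative to a baseline on the same connection.
from statistics import median


def mad(values):
    """Median absolute deviation, a robust measure of spread."""
    m = median(values)
    return median(abs(v - m) for v in values)


def rtt_from_timestamps(sent_ms, received_ms):
    """Round-trip time from send and receive timestamps recorded for a packet."""
    return received_ms - sent_ms


class LatencyBaseline:
    def __init__(self, warmup=8, threshold=4.0, min_delta_ms=5.0):
        self.samples = []                 # RTTs accepted into the baseline
        self.warmup = warmup              # samples collected before alerting
        self.threshold = threshold        # MADs above the median that is suspicious
        self.min_delta_ms = min_delta_ms  # ignore jitter smaller than this
        self.alerts = []

    def observe(self, seq, rtt_ms):
        """Record one transaction RTT; return an alert string or None."""
        if len(self.samples) >= self.warmup:
            base = median(self.samples)
            # Floor the spread so a very stable link does not alert on tiny jitter.
            spread = max(mad(self.samples), self.min_delta_ms / self.threshold)
            if rtt_ms - base > self.threshold * spread:
                alert = f"txn {seq}: {rtt_ms:.1f} ms vs baseline {base:.1f} ms"
                self.alerts.append(alert)
                return alert  # outliers are not allowed to pollute the baseline
        self.samples.append(rtt_ms)
        return None


def analyze(rtts):
    """Run the baseline over a list of RTTs in order; return the alerts raised."""
    baseline = LatencyBaseline()
    for seq, rtt in enumerate(rtts, 1):
        baseline.observe(seq, rtt)
    return baseline.alerts


# Constructed RTTs in ms: a stable link, then a persistent jump as if every
# packet were being relayed through an extra hop.
SAMPLE_RTTS = [20.1, 19.8, 20.4, 21.0, 19.9, 20.3, 20.0, 20.2, 20.5, 19.7,
               45.3, 46.1, 44.8]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_RTTS):
        print(alert)
```

A single slow transaction is usually ordinary jitter; the signal worth acting on is a run of consecutive alerts, which is what an extra hop in the path produces, so a real detector should require several alerts in a row before raising an incident.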
Ensure you're using SSL/TLS certificates and keep them up to date. SSL/TLS certificates verify website legitimacy, and certificate pinning prevents attackers from using fake certificates. Public Key Infrastructure (PKI) manages digital certificates and public keys, ensuring secure and trusted communications through encryption.
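Certificate pinning means the client carries the digest of the certificate it expects and rejects anything else, even a certificate that a trusted CA has signed, which is precisely what defeats the forged-certificate attacks described earlier. The code below is an added example, not from the original post: it computes the base64 SHA-256 pin of a DER certificate, checks it against a pin set, and shows how that check layers on top of Python’s normal CA validation. The certificate bytes are constructed placeholders rather than real certificates, and `connect_pinned` needs network access and a real pin set to be useful.

```python
# Added example (not from the original post): certificate pinning. A pin is the
# base64 SHA-256 digest of the certificate the client expects; a connection
# whose leaf certificate matches no pin is rejected even if a CA signed it.
import base64
import hashlib
import socket
import ssl


def compute_pin(der_bytes):
    """Base64 SHA-256 of the DER-encoded certificate, the form used in pin lists."""
    return base64.b64encode(hashlib.sha256(der_bytes).digest()).decode("ascii")


def check_pin(der_bytes, pins):
    """True if the certificate matches one of the pinned digests."""
    return compute_pin(der_bytes) in pins


def connect_pinned(host, pins, port=443, timeout=5.0):
    """Open a TLS connection and enforce the pin in addition to normal CA
    validation and hostname checking. Raises ssl.SSLCertVerificationError if the
    server's leaf certificate is not pinned. Requires network access."""
    ctx = ssl.create_default_context()  # CA validation and hostname checks stay on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not check_pin(leaf, pins):
                raise ssl.SSLCertVerificationError(
                    f"certificate for {host} does not match a pinned digest")
            return tls.version()


# Constructed stand-ins for DER certificate bytes (not real certificates).
CURRENT_CERT = b"constructed-der-bytes-for-the-expected-certificate"
BACKUP_CERT = b"constructed-der-bytes-for-the-backup-certificate"
ROGUE_CERT = b"constructed-der-bytes-for-an-attacker-issued-certificate"

# Pin the current certificate and a backup so that a planned rotation does not
# lock clients out; a pin set without a backup is an outage waiting to happen.
PINS = {compute_pin(CURRENT_CERT), compute_pin(BACKUP_CERT)}

if __name__ == "__main__":
    print("current accepted:", check_pin(CURRENT_CERT, PINS))
    print("rogue accepted:", check_pin(ROGUE_CERT, PINS))
```

Pinning the whole certificate, as above, means the pin set must be updated at every renewal; pinning the subject public key instead survives renewals that reuse the same key pair, which is why most deployed pinning schemes hash the SubjectPublicKeyInfo rather than the full certificate. Either way, the pin is only a supplement to CA validation, never a replacement for it.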
Implement strong authentication mechanisms and mutual authentication for an added layer of security.
Although quantum cryptography provides tamper evidence through protocols like quantum key distribution (QKD), no measurable result of its consistent practical application has been achieved. With mutual authentication such as mutual TLS (mTLS), however, the server and the client can authenticate each other before sharing data. If the identity of either party can’t be established, the session is terminated, preventing MITM attacks.
Deploy behavioral monitoring and intrusion detection systems to alert you to unusual activity like unexpected logins, abnormal IP addresses, or unusual traffic patterns.
While MITM attacks have become less frequent due to advancements in cybersecurity, they remain a persistent and evolving threat, particularly from sophisticated attackers exploiting vulnerabilities in communication systems and endpoint devices.
Reliance on a single strategy is unlikely to prove an optimal approach. A layered security approach leveraging multifactor authentication, Public Key Infrastructure (PKI), encrypted communication protocols, and behavioral monitoring systems is required. It is also important to encourage cybersecurity awareness and provide regular training to help staff recognize and respond to MITM threats.
This posting does not necessarily represent Splunk's position, strategies or opinion.