What is a man-in-the-middle attack?


A man-in-the-middle attack is like eavesdropping. When data is sent between a computer and a server, a cybercriminal can get in between and spy. A man-in-the-middle attack requires three players: the victim, the entity with which the victim is trying to communicate, and the “man in the middle” who’s intercepting the victim’s communications.

Man-in-the-middle attacks require three players. There’s the victim, the entity with whom the victim is trying to communicate, and the “man in the middle,” who intercepts the victim’s communications. Critical to the scenario is that the victim isn’t aware of the man in the middle. To simply define a man-in-the-middle attack, an attacker intercepts communication between users for malicious purposes.

How does a man-in-the-middle attack work?

How does this play out? Let’s say you received an email that appeared to be from your bank, asking you to log in to your account to confirm your contact information. You click on the link, included within the received email and are taken to what appears to be your bank’s website, where you log in and perform the requested task.

In such a scenario, the email will appear as if it’s legitimate while the man-in-the- middle sends it with malicious purpose. (This attack involves phishing, getting you to click on the email seemingly received from your bank.) Then, the email will take you to a website that looks just like your bank’s official page, so you wouldn’t hesitate to enter your login credentials. But when you do that, you’re not logging into your bank account; you’re handing over your information to the attacker.

MITM attacks: Close to you or with malware

Man-in-the-middle attacks come in two forms, one that involves physical proximity to the intended target and another that involves malicious software (malware) infection. This second form, like our fake bank example above, is also called a man-in-the-browser attack.

Cybercriminals typically execute a man-in-the-middle attack in two phases — interception and decryption.

With a traditional MITM attack, the cybercriminal needs to access to an unsecured or poorly secured Wi-Fi router. These types of connections are generally found in public areas with free Wi-Fi hotspots, and even in some people’s homes - if they haven’t protected their network. Attackers can scan the router looking for specific vulnerabilities such as a weak password.

Once attackers find a vulnerable router, they deploy tools to intercept and read the victim’s transmitted data. Then, they’ll infect your transfer activity with the websites while you enter your login credentials, banking information, and other personal information.

A successful man-in-the-middle attack does not stop at interception. The victim’s encrypted data must then be unencrypted, so that the attacker can read and act upon it.

What is a man-in-the-browser attack?

With a man-in-the-browser attack (MITB), an attacker needs a way to inject malicious software, or malware, into the victim’s computer or mobile device. One of the ways this can be achieved is by phishing.

When a fraudster sends an email to a user that appears to have originated from a reliable source, such as a bank, as in our original example, it is called phishing.1 By clicking on the link or opening an attachment in the phishing message, the user can unwittingly load malware onto their device.

Hacker can infect a browser with spyware and malicious files without the user being notified. The malware records the data sent between the victim and specifically targeted websites, such as financial institutions, and transmits it to the attacker.

7 types of man-in-the-middle attacks

Cybercriminals can use MITM attacks to gain control of devices in a variety of ways.

1. IP spoofing

Every device capable of connecting to the internet has an internet protocol (IP) address similar to the street address for your home. By spoofing an IP address, an attacker can trick you into thinking you’re interacting with a website or someone you’re not, perhaps giving the attacker access to the information you’d otherwise not share.

2. DNS spoofing

Domain Name Server, or DNS, spoofing is a technique that forces a user to a fake website rather than the real one the user intends to visit. If you are a DNS spoofing victim, you may think you’re visiting a safe, trusted website when you’re interacting with a fraudster. The perpetrator’s goal is to divert traffic from the actual or capture user login credentials.

3. HTTPS spoofing

When doing business on the internet, seeing “HTTPS” in the URL, rather than “HTTP” signifies that the website is secure and can be trusted. In fact, the “S” stands for “secure.” An attacker can fool your browser into believing it’s visiting a trusted website when it’s not. By redirecting your browser to an insecure website, the attacker can monitor your interactions with that website and possibly steal the personal information you’re sharing.

4. SSL hijacking

When your device connects to an unsecured server — indicated by “HTTP” — the server can often automatically redirect you to the secure version of the server, indicated by “HTTPS.” A connection to a secure server means standard security protocols are in place, protecting the data you share with that server. SSL stands for Secure Sockets Layer, a protocol that establishes encrypted links between your browser and the web server.

In an SSL hijacking, the attacker uses another computer and secure server and intercepts all the information passing between the server and the user’s computer.

5. Email hijacking

Cybercriminals sometimes target email accounts of banks and other financial institutions. Once they gain access, they can monitor transactions between the institution and its customers. The attackers can then spoof the bank’s email address and send their own instructions to customers, convincing them to follow the attackers’ instructions rather than the bank’s. As a result, an unwitty customer may end up putting money in the attackers’ hands.

6. Wi-Fi eavesdropping

Cybercriminals can set up Wi-Fi connections with very legitimate sounding names, similar to a nearby business. Once a user connects to the fraudster’s Wi-Fi, the attacker will monitor the user’s online activity and intercept login credentials, payment card information, and more. This is just one of several risks associated with using public Wi-Fi. You can learn more about such risks here.2

7. Stealing browser cookies

To understand the risk of stolen browser cookies, you need to understand what one is. A browser cookie is a small piece of information a website stores on your computer.

For example, an online retailer might store the personal information you enter and shopping cart items you’ve selected on a cookie, so you don’t have to re-enter that information when you return.

A cybercriminal can hijack these browser cookies. Since cookies store information from your browsing session, attackers can access your passwords, address, and other sensitive information.

How to help protect against a man-in-the-middle attack?

With the number of tools readily available to cybercriminals for carrying out man-in-the-middle attacks, it makes sense to take steps to help protect your devices, your data, and your connections. Here are just a few.

  • Make sure “HTTPS” — with the S — is always in the URL bar of the websites you visit.
  • Be wary of potential phishing emails from attackers asking you to update your password or any other login credentials. Instead of clicking on the email link, manually type the website address into your browser.
  • Never connect to public Wi-Fi routers directly, if possible. A VPN encrypts your internet connection on public hotspots to protect the private data you send and receive while using public Wi-Fi, like passwords or credit card information. You might want to consider Norton VPN for better security against such exposed networks.3
  • Always clear browsing cookies unless they do not store your sensitive info.4 If you really need to keep the cookies, use a VPN while operating those data online to conceal them from "man-in-the-middle”
  •  Since MITB attacks primarily use malware for execution, you should install a comprehensive internet security solution, such as Norton Security, on your computer. Always keep the security software up to date.5
  • Be sure that your home Wi-Fi network is secure. Update all of the default usernames and passwords on your home router and all connected devices to strong, unique passwords. 

With the rapid advancement of the internet world, it’s essential to understand the types of threats that could compromise your personal information stored online and that might be accessible to ill-users. Stay informed and make sure your devices are fortified with proper protection.






Clare Stouffer
  • Clare Stouffer
  • Gen employee
Clare Stouffer, a Gen employee, is a writer and editor for the company’s blogs. She covers various topics in cybersecurity.

Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc. 


    Want more?

    Follow us for all the latest news, tips and updates.