MIMA - Man in the Middle attack
Pugazheanthi Raja
Solution Architect - (IT Infrastructure - Cloud Infrastructure - Cybersecurity) | 4X AWS - 3X Azure - 3X GCP - 1X Oracle | ITIL 4 | (ISC)2 Cybersecurity | SAP
MIMA - Man in the Middle attack (credit card and online/net banking theft)
A Man-in-the-Middle (MITM) attack happens when an attacker inserts himself between a user and the website or service the user is talking to, relaying the traffic so that both ends believe they are talking directly to each other. The attack can take several forms. For example, a look-alike banking site can be placed between the user and the real bank to capture the login details the user types; in that case the fake site is "in the middle" between the user and the actual bank website.
The main intention of an attacker performing a Man-in-the-Middle attack is to steal login credentials, financial details, credit card numbers, banking details, personal information and other critical data, or to alter the traffic (for example the destination account of a transfer) while it is in transit.
The data extracted during the attack can be used for identity theft: the attacker takes over the victim's accounts or uses the stolen details, such as the account number and account holder name, to apply for credit in the victim's name, make unauthorised fund transfers or change the victim's passwords.
Main Thoughts of a Man-in-the-Middle Attack:
A Man-in-the-Middle attack is an eavesdropping attack in which the attacker places himself inside a communication session between the end user and the system the user is talking to.
Because the attacker relays the traffic in real time, he can read and, if the traffic is not protected, modify the user's conversations, transactions or other exchanged data as they pass through.
MITM Attack Progress:
A Man-in-the-Middle attack is normally carried out in two phases:
a) Interception
b) Decryption
Interception:
In the first phase, the user's traffic is routed through a network or host the attacker controls before it reaches the intended website.
The simplest way for an attacker to achieve this is to target users who connect to free public Wi-Fi hotspots that are not password protected: the attacker either operates the hotspot or sits on the same network, so once the victim connects, the attacker can see (and redirect) the data exchange.
Interception can be one of the following attacks:
IP Spoofing: The attacker forges the source IP address in the headers of the packets he sends, so that they appear to come from a trusted host. In an MITM context this is used to impersonate a legitimate server or to inject responses (for example forged redirects) that lead the user to a malicious URL while the user believes he is talking to the real site.
ARP Spoofing: The attacker sends forged Address Resolution Protocol (ARP) replies on the local network, binding his own MAC address to the IP address of the victim's default gateway (and, from the gateway's side, to the victim's IP address). Once both ARP caches are poisoned, all traffic between the victim and the gateway flows through the attacker's machine, which can read, alter or drop the data in transit. ARP spoofing only works on a local segment, because ARP has no authentication and every host on an Ethernet LAN relies on it.
DNS Spoofing: Also referred to as DNS cache poisoning, this introduces forged Domain Name System records into a resolver's cache (or answers the victim's DNS queries directly on the local network) so that a website's name resolves to the attacker's IP address. The user types the correct name but is directed to the attacker's server.
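A practitioner's counterpart to the ARP spoofing description above is detection on the segment: watch ARP replies and alert when an IP address, especially the gateway's, suddenly answers from a different MAC address, or when one MAC claims several IPs. The following is an added example, not code from the original article. The ARP replies, the gateway/victim/attacker addresses and the timestamps are all constructed and hypothetical; in practice the events would come from a sniffer on the segment or from polling the host's own ARP table.

```python
"""Detect ARP cache poisoning from a stream of ARP "is-at" replies.

Added example, not code from the original article. All addresses below are
hypothetical and the reply stream is constructed for illustration.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # hypothetical default gateway of the segment

# Constructed sample of ARP replies: (time, sender_ip, sender_mac)
SAMPLE_REPLIES = [
    (1.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),  # genuine gateway
    (1.5, "192.168.1.50", "aa:bb:cc:00:00:50"),  # victim workstation
    (2.0, "192.168.1.77", "de:ad:be:ef:00:77"),  # attacker's own host
    (3.0, "192.168.1.1",  "DE:AD:BE:EF:00:77"),  # attacker claims the gateway IP
    (3.1, "192.168.1.50", "de:ad:be:ef:00:77"),  # ... and the victim IP: two-sided MITM
]


def detect_arp_spoofing(replies, gateway_ip):
    """Return (changes, multi_ip_macs).

    changes: one record per IP whose IP->MAC binding changed. A change of the
             gateway binding is CRITICAL: every off-subnet packet then goes
             through the new MAC.
    multi_ip_macs: MACs that answered for more than one IP, with the IPs they
             claimed. A single MAC holding both the gateway and a host address
             is the classic two-sided poisoning pattern. A MAC with several IPs
             can also be a router with virtual IPs, so treat this as
             corroborating evidence rather than proof.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    changes = []
    for ts, ip, mac in replies:
        mac = mac.lower()  # normalise case so aa:.. and AA:.. compare equal
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            changes.append({
                "time": ts, "ip": ip, "old_mac": previous, "new_mac": mac,
                "severity": "CRITICAL" if ip == gateway_ip else "WARNING",
            })
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    multi = {m: sorted(ips) for m, ips in mac_to_ips.items() if len(ips) > 1}
    return changes, multi


def two_sided_poisoning(changes, multi_ip_macs, gateway_ip):
    """True when one MAC has taken over the gateway IP and also answers for
    at least one other IP on the segment (victim side of the MITM)."""
    for mac, ips in multi_ip_macs.items():
        took_gateway = any(c["ip"] == gateway_ip and c["new_mac"] == mac
                           for c in changes)
        if took_gateway and len(ips) > 1:
            return True
    return False


if __name__ == "__main__":
    changes, multi = detect_arp_spoofing(SAMPLE_REPLIES, GATEWAY_IP)
    for c in changes:
        print(f"{c['severity']} t={c['time']}: {c['ip']} moved "
              f"{c['old_mac']} -> {c['new_mac']}")
    print("MACs claiming several IPs:", multi)
    print("Two-sided poisoning:", two_sided_poisoning(changes, multi, GATEWAY_IP))
```

Detection is a fallback: where the switch supports it, Dynamic ARP Inspection (validating ARP replies against DHCP snooping bindings) stops the forged replies from reaching other ports in the first place, and a static ARP entry for the gateway on a critical host removes the cache's willingness to learn a new MAC at all.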
Decryption:
Once the traffic is being intercepted, any TLS ("SSL") traffic still has to be decrypted or downgraded without the user noticing and without breaking the normal operation of the application. This phase is called decryption, and attackers have developed a number of techniques for it:
HTTPS Spoofing – The attacker presents his own certificate for the site to the user's browser when the connection is made. The browser only accepts it if it chains to a certificate authority the browser trusts, so the attack depends on a mis-issued or stolen certificate, on a rogue root CA previously installed on the victim's device, or on the user clicking through the browser's certificate warning. If any of those holds, the attacker terminates TLS himself and reads the user's data before forwarding it to the real application.
An attacker cannot obtain a valid certificate for a domain he does not control, so a straight copy of an HTTPS website raises a certificate warning in the browser.
However, attackers and security researchers have demonstrated a way around this: register a web address that merely looks like the authentic one and obtain a perfectly valid certificate for that look-alike name.
Instead of regular characters, the look-alike address uses letters from other alphabets (internationalised domain names), or accented variants of the same letters. The same trick appears in spam emails containing strangely spelled names. For instance, Cisco might be spelled Ciscó.
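The homograph trick above can be checked mechanically before a user trusts a link: convert the name to the form the browser actually resolves (punycode, the xn-- form), look for labels that mix scripts, and fold accents so that a near-copy of a trusted name stands out. The block below is an added example, not code from the original article. The names ciscó.com, аpple.com (with a Cyrillic а) and the trusted list are constructed for illustration and are not claims about real registrations.

```python
"""Flag look-alike (homograph) hostnames before a user trusts a link.

Added example, not code from the original article. The hostnames used here
are constructed; nothing is implied about real domain registrations.
"""
import unicodedata


def scripts_in(label):
    """Return the set of script names (LATIN, CYRILLIC, GREEK, ...) used by
    the letters of one DNS label, taken from each character's Unicode name."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(hostname):
    """Crude fold that strips accents, so 'ciscó' compares equal to 'cisco'.
    Cross-script confusables (Cyrillic 'а' vs Latin 'a') are NOT folded here;
    a full implementation would use the UTS #39 confusables table. The
    mixed-script check below is what catches those."""
    decomposed = unicodedata.normalize("NFKD", hostname)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def analyse_hostname(hostname, trusted_names=()):
    """Describe what a browser would actually connect to and whether the name
    looks like a spoof of one of `trusted_names`."""
    # The xn-- form is what appears in DNS and in the certificate's subject.
    ascii_form = hostname.encode("idna").decode("ascii")
    labels = hostname.lower().split(".")
    report = {
        "input": hostname,
        "ascii_form": ascii_form,
        "non_ascii": any(ord(c) > 127 for c in hostname),
        "mixed_script": any(len(scripts_in(label)) > 1 for label in labels),
        "lookalike_of": None,
    }
    for trusted in trusted_names:
        trusted_ascii = trusted.encode("idna").decode("ascii")
        if skeleton(hostname) == skeleton(trusted) and ascii_form != trusted_ascii:
            report["lookalike_of"] = trusted
            break
    report["suspicious"] = (report["non_ascii"] or report["mixed_script"]
                            or report["lookalike_of"] is not None)
    return report


if __name__ == "__main__":
    trusted = ["cisco.com", "apple.com"]  # constructed allow-list
    for name in ["cisco.com", "ciscó.com", "\u0430pple.com"]:
        r = analyse_hostname(name, trusted)
        print(f"{name!r} -> {r['ascii_form']}  suspicious={r['suspicious']}  "
              f"mixed_script={r['mixed_script']}  lookalike_of={r['lookalike_of']}")
```

The useful lesson is in the ascii_form field: the certificate for ciscó.com is issued for its xn-- name, so it is entirely valid and the padlock shows, and the only thing standing between the user and the phishing page is noticing the accent. Modern browsers display the xn-- form or refuse to render mixed-script labels for the same reason.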
SSL Hijacking – During the TLS handshake (not the TCP handshake) the attacker presents forged keys and certificates to both the user and the application, establishing two separate encrypted sessions, one with each side. He then decrypts, reads and re-encrypts everything in between, while the user still sees what looks like a secure connection. As with HTTPS spoofing, this only goes unnoticed if the forged certificate is trusted by the victim's browser.
SSL BEAST – Targets a weakness in the CBC cipher modes of TLS version 1.0. The attacker injects malicious JavaScript into the victim's browser to make it issue many requests to the application, observes the resulting ciphertext on the wire and recovers the encrypted session cookies piece by piece. Disabling TLS 1.0 removes the attack.
SSL Stripping – Downgrades an HTTPS connection to plain HTTP. The attacker intercepts the redirect from http:// to https:// (or the https:// links in a page) that the application sends to the user, and instead serves the user an unencrypted HTTP version of the site while maintaining a genuine HTTPS session with the application on the user's behalf. The whole session is then visible to the attacker in clear text. HTTP Strict Transport Security (HSTS) is the defence: a browser that has seen the HSTS header from the site (or has it on its preload list) refuses to talk plain HTTP to that host at all.
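The stripping and the HSTS defence are easiest to see as a message exchange. The block below is an added example, not code from the original article: a toy origin server, a toy stripping proxy and a toy browser, with no real sockets or TLS. The host bank.example, the page body and the headers are constructed; the behaviour of the three parties follows the description above.

```python
"""SSL stripping versus HSTS, as a small simulation.

Added example, not code from the original article. bank.example is a
hypothetical host, all responses are constructed, and no network I/O or real
TLS takes place; the scheme in the URL stands in for "encrypted or not".
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

HOST = "bank.example"  # hypothetical
LOGIN_PAGE = f'<form action="https://{HOST}/login" method="post">...</form>'


def origin(url):
    """Constructed behaviour of the real server: plaintext requests are
    redirected to HTTPS, and HTTPS responses carry an HSTS header."""
    p = urlsplit(url)
    if p.scheme == "http":
        return 301, {"Location": f"https://{p.netloc}{p.path or '/'}"}, ""
    return 200, {"Strict-Transport-Security": "max-age=31536000"}, LOGIN_PAGE


def sslstrip_proxy(url):
    """Attacker between victim and origin. He keeps a genuine HTTPS session
    with the origin but serves the victim plaintext: he makes the HTTPS
    request himself, drops the HSTS header and rewrites https:// links."""
    p = urlsplit(url)
    assert p.scheme == "http", "the victim's request arrives in plaintext"
    status, headers, body = origin(f"https://{p.netloc}{p.path or '/'}")
    headers = {k: v for k, v in headers.items()
               if k.lower() != "strict-transport-security"}
    return status, headers, body.replace("https://", "http://")


@dataclass
class Browser:
    hsts_hosts: set = field(default_factory=set)

    def fetch(self, url, attacker_in_path):
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname in self.hsts_hosts:
            # HSTS: upgrade internally before anything touches the wire.
            url = "https://" + url[len("http://"):]
            p = urlsplit(url)
        if p.scheme == "http" and attacker_in_path:
            status, headers, body = sslstrip_proxy(url)
        else:
            # Over HTTPS the attacker holds no valid certificate for the host,
            # so at best he relays the encrypted bytes unchanged.
            status, headers, body = origin(url)
            if status == 301:
                url = headers["Location"]
                status, headers, body = origin(url)
        if urlsplit(url).scheme == "https" and "Strict-Transport-Security" in headers:
            self.hsts_hosts.add(p.hostname)
        return {"final_url": url, "status": status, "body": body,
                "stripped": "http://" in body}


def run_scenarios():
    """Return (first visit on hostile Wi-Fi, later visit after HSTS was learnt)."""
    fresh = Browser()
    first_visit = fresh.fetch(f"http://{HOST}/", attacker_in_path=True)
    primed = Browser()
    primed.fetch(f"http://{HOST}/", attacker_in_path=False)  # learns HSTS at home
    later_visit = primed.fetch(f"http://{HOST}/", attacker_in_path=True)
    return first_visit, later_visit


if __name__ == "__main__":
    first, later = run_scenarios()
    print("fresh browser on hostile network:", first["final_url"], "stripped =", first["stripped"])
    print("browser that knows HSTS:          ", later["final_url"], "stripped =", later["stripped"])
```

Two things the simulation makes explicit: the attacker has to be in the path already (the interception phase above, typically ARP or DNS spoofing on an open hotspot), and HSTS only protects a browser that has already seen the header, which is why the first contact with a site over a hostile network is the dangerous one and why browser preload lists exist.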
Tips to avoid MITM attacks, for individual users
* Refrain from connecting to public Wi-Fi hotspots that are not password protected.
* When connected to a public network, do not perform sensitive financial transactions.
* Pay close attention to browser warnings that a site's certificate or connection is insecure, and do not click through them.
* Log out of any application when it is not in use, so a captured session cannot be reused.
SAP SuccessFactors, HCM Solution Architect | HR Digital Transformation Specialist at Kaar Technologies (5 years ago): Good information Pugazheanthi Raja !!
SAP Architect at Amazon Web Services (AWS) | SAP Mentor (5 years ago): Great work and excellent information :)
KaarTech UK&I | KTern.AI | GrowthX | Crafting SAP Digital Transformation Stories | Helping customers move to SAP S/4HANA seamlessly with zero panic attacks | DIY Guy (5 years ago): Awesome Information!!
Enterprise Technical Architect / SAP Solution Architect (5 years ago): Excellent Info Pugazheanthi Raja. Awesome information !!!!
Domain Consultant, 33 Digital Marketing Certifications | TCS Interactive (5 years ago): Great to see