Dillon E. Jent III (Dilley to his friends) wasn’t taking chances in paying his online electricity bill. Aware of the dangers of phishing, he refused to use links, but carefully entered the website URL manually before doing the transfer. And before entering the details of his bank account, he once again checked the URL. And yet, the site he thought he had accessed was, in fact, a popup within his browser, designed to spoof the utility’s. The latest victim in a browser-in-a-browser attack, Dilley Jent had fallen prey to just one of many types of Man-in-the-Middle (MITM) phishing attacks.
MITM attacks involve an attacker intercepting communication between two parties, typically with the goal of stealing sensitive information. The attacker inserts him/herself in between the victim and the victim’s target website with the intention of stealing personal credentials, an account or credit card numbers.
It may sound simple, but the MITM attack is quite complex—not unlike an elaborate long-con.
Understanding Man-in-the-Middle Phishing Scams
In the browser-in-a-browser attack, Dillon’s computer had already been infected, causing a popup to appear over the identical-looking page he was seeking to access. Since the legitimate page had in fact been accessed, the URL shown in the browser was legit. However, Dillon was not interacting with that page but the popup above it. Similar to Cyrano De Berjerac, a third party had inserted itself into the communications act without the others being aware.
The loss here was limited to several hundred dollars; not so in the million-dollar scam perpetrated against a Chinese venture capital firm and its client—an Israeli startup. Here, the scammers spoofed both sides of the transaction, going so far as to register two identical domains, and enabling them to intercept the Chinese wire transfer. Emails sent from one to the other were intercepted and carefully altered slightly before being allowed to complete their journey. The final modification was that of the Israeli company’s bank account number…
In a typical online communication, there are two parties involved: the sender and the recipient. A third entity is the medium through which the communication takes place. In a man-in-the-middle phishing scam, the attacker positions themselves between the sender and recipient, intercepting and often altering the messages exchanged. By doing so, they can gain unauthorized access to sensitive information or deceive users into disclosing confidential data.
Here’s a step-by-step breakdown of how a typical MITM phishing scam might occur:
Initial compromise: The attacker gains control over a user’s device or infiltrates an unsecured network to intercept communication.
Interception: The attacker positions themselves between the sender and the recipient, intercepting data packets as they flow back and forth.
Alteration: The attacker can modify the intercepted data packets, such as injecting malicious links or altering content to deceive the recipient.
Sensitive information extraction: The attacker may trick the recipient into divulging sensitive information, such as login credentials, credit card details, or personal identification information.
Technicalities of a MITM phishing attack
Let’s dive into the technical details of how a man-in-the-middle (MITM) phishing scam works:
Initial Compromise:
The attacker gains control over a user’s device through various means, such as malware, social engineering, or exploiting vulnerabilities in the operating system or applications.
Alternatively, the attacker can infiltrate an unsecured network that the victim is connected to, such as public Wi-Fi hotspots or compromised routers.
ARP Spoofing or DNS Spoofing:
The attacker uses ARP (Address Resolution Protocol) spoofing or DNS (Domain Name System) spoofing techniques to redirect the victim’s network traffic through their own machine.
In ARP spoofing, the attacker sends falsified ARP messages to associate their MAC address with the IP address of the victim’s gateway. As a result, all network traffic from the victim’s device is routed through the attacker’s machine.
In DNS spoofing, the attacker manipulates the victim’s DNS resolution process, directing them to a malicious IP address controlled by the attacker instead of the legitimate website’s IP address.
Intercepting and Altering Communication:
With the victim’s network traffic now flowing through the attacker’s machine, the attacker can intercept and inspect all the data packets exchanged between the victim and the legitimate server.
The attacker can use packet sniffing techniques to capture the data packets and analyze their contents.
At this stage, the attacker can selectively alter the intercepted packets, injecting malicious content or modifying the existing data to deceive the victim.
For example, the attacker may inject a fake login page into the communication, making it appear as if the victim is interacting with the legitimate website or service.
Stealing Sensitive Information:
Through the altered communication, the attacker can trick the victim into entering sensitive information, such as login credentials, credit card details, or personal information, into the fake login page or forms.
The victim, unaware of the manipulation, submits the information, which is then captured by the attacker.
In some cases, the attacker may also perform real-time attacks, intercepting and capturing authentication tokens or session cookies, which can allow them to gain unauthorized access to the victim’s accounts even after the session ends.
Forwarding Communication:
To maintain the illusion of a legitimate connection, the attacker forwards the intercepted packets to the legitimate server after inspecting and modifying them.
This ensures that the victim’s requests are serviced by the legitimate server and the responses are received, making it less likely for the victim to suspect any foul play.
By employing these techniques, attackers can carry out man-in-the-middle phishing scams and deceive unsuspecting users into divulging sensitive information, leading to potential identity theft, financial loss, or other malicious activities.
Consequences of Man-in-the-Middle Phishing Scams
The repercussions of falling victim to a man-in-the-middle phishing scam can be severe. They may include:
Identity theft: Stolen credentials can be used to impersonate victims, gaining unauthorized access to their accounts or perpetrating fraudulent activities in their name.
Financial loss: If credit card details or banking credentials are compromised, attackers can make unauthorized transactions, leading to financial losses.
Data breaches: Intercepted communication can contain valuable corporate information, trade secrets, or intellectual property, jeopardizing the security and reputation of businesses.
Protecting Yourself Against Man-in-the-Middle Phishing Scams
MITM attacks have been around for quite some time, but are developing alongside the tech scammers employ. The latest version is the ‘reverse proxy phishing kit’ that places a reverse proxy server before a targeted servers. In their legitimate iteration, they serve as a load balancer, a traffic manager to provide a smoother flow between clients and servers. Here, however, the scammer simply monitors the victim’s activities as he or she interacts with the legitimate site through the phishing site, harvesting and manipulating information (such as the beneficiary in a victim-initiated-&-verified bank transaction) while the victim happily provides the required passwords, MFA tokens and all else required to keep him/her ‘safe’.
Fortunately, there are several proactive steps you can take to minimize the risk of falling victim to man-in-the-middle phishing scams:
Utilize encryption: Make sure to use encrypted communication channels whenever possible. Look for the “https://” prefix in website URLs, which indicates a secure connection.
Be cautious with public Wi-Fi: Avoid using unsecured public Wi-Fi networks, as they can be prime targets for attackers to intercept your communication. If you have no choice, install a virtual private network (VPN) to encrypt your traffic.
Regularly update your devices and software: Keep your operating system, applications, and security software up to date. Updates often include patches for vulnerabilities that attackers could exploit.
Disable unmonitored popups. Enable instead popups manually.
Enable multi-factor authentication (MFA): Implement 2FA whenever available, as it adds an extra layer of security to your accounts. This way, even if your credentials are compromised, the attacker would need additional verification to access your account.
Verify website authenticity: Always double-check the URL of websites you visit, particularly when entering sensitive information. Phishers often create convincing replicas of legitimate websites to deceive unsuspecting users.
Exercise caution with email and messages: Be wary of unsolicited emails or messages asking for sensitive information. Verify the sender’s identity and avoid clicking on suspicious links or downloading attachments from unknown sources.
As cyber threats become increasingly sophisticated, it is crucial to remain vigilant and educated about potential risks.