A detailed guide to Man-in-The-Middle attacks

You might have heard the term ‘Man-in-The-Middle attack’ before, in relation to news reports about cyber crime or perhaps in updates and alerts from whatever antivirus you use. You could be forgiven for thinking that this name referred to just one kind of attack, but in actual fact, MiTM cyber crime covers a range of threats. From “evil twin” WiFi networks to email interceptions, tracking cookie spoofs and a range of other malicious activities, there are a variety of ways in which someone could get between you and your internet activities uninvited and without your knowledge. The end results are just as varied, but identity and monetary theft are common aims.

If you’d like to know more about how exactly a so-called “man in the middle” might intercept and tamper with your online activities, here are some methods to be aware of.

Man-in-The-Browser

MiTB or MiB attacks are particularly prevalent on online shopping sites, banking sites and pretty much any place else you might be entering your payment card details.

A Man-in-The-Browser attack is facilitated by the installation of trojan malware on your device, which is one of many reasons why it’s important to keep your antivirus software up to date. A trojan could arrive as the result of clicking a fraudulent download in a phishing email, installing a malicious app or even something as seemingly innocuous as a free music or movie download online.

Once it’s worked its way in, the trojan can manipulate communications between your browser, other websites and security mechanisms like HTTPS. During online banking, that can mean that while nothing looks amiss to you, a third party is viewing your account details as they’re entered and can manipulate payment instructions in order to transfer money to their accounts.

While it’s often said that an HTTPS URL, indicated by a padlock in your URL bar, is a guarantee of security over HTTP, “men in the middle” can use SSL stripping to remove the encryption that should be in place. Though your connection may still look to you as though it’s locked down, a third party can manipulate security protocols in order to lift that encryption, intercept data and alter it.

Email Hijacks

Intercepting and altering data is the name of the game in MiTM attacks, so it may come as no surprise that email hijacks are a classic example. If you’ve ever read a news story about someone losing the deposit for their home, or even the total value of it, through an email conveyancing scam, you’ve read about the victims of an MiTM attack.

Email hijacks aren’t about someone hacking individual email accounts one by one and reading through emails hoping to find something valuable. Hackers can now mass-scan unsecured email accounts, and all they need to do is bulk search for particular terms in order to bring up things like mortgage payments, savings transfers and any number of other monetary exchanges facilitated through email.

In the case of conveyancing fraud, cyber criminals simply intercept emails between home buyers/sellers and their estate agent, altering the bank details given for payment and allowing an amended email to arrive as planned. To the recipient, it appears the email is from a trusted person at a legitimate email address – and there’s no way of telling that the payment details have been changed.

Email hijacks can happen to just about anyone, so always call to verify payment details before sending any sum of money online. If in doubt, transfer only $1 or £1 first to check that your money is going where it’s supposed to, before transferring anything else.

Spoof Networks

Spoof networks and ‘evil twin’ attacks are both a type of WiFi Man-in-The-Middle, also known as WiFi eavesdropping. These attacks either offer realistic-sounding public WiFi networks – think “Free Airport WiFi” or “Guest Network” – or they completely duplicate a network you’ve used in the past. In either instance, once you log on you’re actually connected to a network owned by hackers, rather than a legitimate company.
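One way to spot the “duplicate network” case described above is to compare what a WiFi scan shows against the networks a device has joined before. The following is an added example, not part of the original article; the scan rows, the saved profile and the verdict names are constructed for illustration.

```python
# Relative strength of common WiFi security modes (higher is stronger).
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

# Constructed scan results: (SSID, BSSID, security) as a scanner might list them.
SCAN = [
    ("CoffeeShop-Guest", "aa:bb:cc:11:22:33", "WPA2"),
    ("CoffeeShop-Guest", "aa:bb:cc:11:22:34", "WPA2"),
    ("CoffeeShop-Guest", "de:ad:be:ef:00:01", "OPEN"),
    ("Free Airport WiFi", "12:34:56:78:9a:bc", "OPEN"),
]

# Hypothetical saved profile: a network this device has joined before.
KNOWN = {
    "CoffeeShop-Guest": {
        "security": "WPA2",
        "bssids": {"aa:bb:cc:11:22:33", "aa:bb:cc:11:22:34"},
    }
}


def classify(scan, known):
    """Label each advertised network relative to the saved profiles."""
    results = []
    for ssid, bssid, security in scan:
        profile = known.get(ssid)
        if profile is None:
            # Never joined before: an open network with a plausible name.
            verdict = "unknown-open" if security == "OPEN" else "unknown"
        elif STRENGTH.get(security, 0) < STRENGTH[profile["security"]]:
            # Same name, weaker security than remembered: typical evil twin.
            verdict = "downgraded-twin"
        elif bssid.lower() not in profile["bssids"]:
            # Same name and security, unfamiliar radio: verify before trusting.
            verdict = "new-access-point"
        else:
            verdict = "match"
        results.append((ssid, bssid, verdict))
    return results


if __name__ == "__main__":
    for row in classify(SCAN, KNOWN):
        print(*row)
```

A legitimate site can add access points over time, so `new-access-point` is a prompt to check with the operator rather than proof of a spoof.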

From passwords and payment data to full login details and sensitive information, if you’re browsing the internet through a spoof network then everything you’re doing is exposed. The simplest way to protect yourself against this type of MiTM, along with MiTB attacks, is to use a virtual private network (VPN) when doing anything online that involves personal data and cash transactions.

A VPN adds a layer of end-to-end encryption to data being transferred, so whether you’re on a site where the HTTPS has been stripped to HTTP or your entire network is insecure and visible, you can wrap up your data in a private ‘tunnel’ of encryption that makes it impossible for hackers to use.

Cookie Hijacks

Cookie hijacking sounds like a thing any of us might do at home, but when it comes to the internet, this type of activity is one to avoid. By tracking your device’s IP address, a wide range of data on your interests and online behaviours can be matched to you using browser cookies – ordinarily, this is to save time loading websites and to allow advertisers to tailor their adverts to you. Things like auto-filling of address and phone number details are the result of browser cookies, along with eerily specific adverts for things you once browsed on another site.

While auto-filling personal details and login details can be useful, the problem is that when a hacker manages to hijack the cookies storing that information, they have access to a much wider range of information. Everything from your usernames and passwords to your home address, phone number and card number can be stored in cookies that are all traceable back to your IP address – meaning a hacker can see that these details are all connected. From there, they can impersonate you online, log into your accounts and do all manner of troublesome things based around identity theft.

VPNs come in handy here once more, for two reasons. The first is that the added encryption they offer can stop hackers from being able to decipher the information attached to any cookies they’re trying to steal. The second is that they allow you to spoof your IP address – that is, to hide your real IP address and replace it with a new one belonging to the VPN service, so that any cookies left online can’t be easily connected up.

By regularly clearing cookies and logging in through a variety of IPs associated with your secure VPN, you can protect yourself against digital cookie theft.

Protecting Against Decryption

MiTM attackers access your data through interception and decryption. Just as you can spoof your IP address to make it look like you’re elsewhere and to stop people tracking you online, hackers can mimic the IP addresses and DNS details of trusted sources, such as bank websites or personal emails belonging to people you know.

Once your web traffic has been intercepted, tactics like SSL stripping and HTTPS spoofing allow attackers to downgrade website security without your knowledge and thus expose your details. By removing secure encryption provided by the sites you visit, they can read personal data in plain text. To put it simply, this is why it’s important to have your own encryption in place whenever you’re exchanging personal and payment information online, rather than relying on the sites you visit.
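How exposed a site leaves its visitors to the SSL stripping and cookie theft described in this guide shows up in its response headers. The following is an added example, not part of the original article: it checks a response for an HSTS policy (which tells the browser to refuse plain HTTP) and for the `Secure` and `HttpOnly` cookie flags. The sample responses and finding texts are constructed for illustration.

```python
def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, else 0."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(val.strip('"'))
            except ValueError:
                return 0
    return 0


def audit(scheme, status, headers):
    """headers is a list of (name, value) pairs; returns a list of findings."""
    named = [(n.lower(), v) for n, v in headers]
    values = lambda name: [v for n, v in named if n == name]
    findings = []
    if scheme == "http":
        location = (values("location") or [""])[0]
        if not (300 <= status < 400 and location.startswith("https://")):
            findings.append("served over plain HTTP with no redirect to HTTPS")
        # HSTS is not checked here: browsers ignore it on HTTP responses (RFC 6797).
    else:
        hsts = values("strict-transport-security")
        if not hsts or hsts_max_age(hsts[0]) <= 0:
            findings.append("no usable HSTS policy, so a later visit can be downgraded")
    for cookie in values("set-cookie"):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {p.partition("=")[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name}: no Secure flag, sent over plain HTTP too")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: no HttpOnly flag, readable by page scripts")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK = ("https", 200, [("Set-Cookie", "session=abc123; Path=/")])
HARDENED = ("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])

if __name__ == "__main__":
    for label, response in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(*response) or "no findings")
```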

Adding a virtual private network to your cyber security set-up is just as important as antivirus when it comes to defence against hackers, along with using plenty of common sense.
