What is a Man-in-the-Middle Attack and How to Prevent?

A man-in-the-middle attack is a classic form of cyber-crime which is still popular to this day. It is also considered one of the most dangerous ones out there. This form of digital eavesdropping is common in public WiFi networks. Additionally, hackers can target specific individuals or companies to exploit weaknesses in their network.

Let’s take a closer look at this opportunistic method of hacking.

What is a Man-in-the-Middle Attack?

Man-in-the-middle attacks happen at different levels and forms. However, its basic concept requires three key players: the victim, the entity which victim is trying to contact, and the “man in the middle.”

The victim can be any user trying to access a website or a web application (the entity). On any typical connection, the user can directly connect to the website server and visit the site. The “man in the middle” inserts itself between the connection of the user and the website server.

man-in-the-middle attack

It will try to mimic the website and pretend that normal communication is happening with the user. However, the “man in the middle” snoops in the conversation and gathers important information. The hacker will collect personal information such as login details, credit card numbers, and others.

That is why cyber-criminals often target financial institutions, e-commerce websites, businesses, and other sites where sensitive information are exchanged between the user and the server especially login information..

Stages of Man-in-the-Middle Attacks

Man-in-the-middle attacks happen in two simple stages. Cybercriminals ensure that both the user and the entity it is trying to connect to will not have any clue that a third-party is trying to “eavesdrop” in their communication.


The first step is to intercept your internet traffic before it reaches its intended destination. There are a couple of techniques to achieve this.

  • IP spoofing – Hackers manipulates network packets to spoof the IP address of the user and the server. It tricks both the user and the site server that they are talking with one another. Essentially, both are sending their network packets to the “man in the middle” instead of directly communicating with each other.
  • DNS spoofing – The Domain Name System (DNS) is an integral part of the Internet that translates IP addresses such as to human-readable URL like www.google.com. Hackers intercept DNS requests from the user and return the address that will lead to its own server instead of the real address. Typically, it will direct the user to a fake website that looks exactly like the actual website.
  • ARP spoofingAddress Resolution Protocol (ARP) is used to resolve IP address to physical Media Access Control (MAC) addresses which identify devices in a local area network. Hackers will respond to requests with its own MAC address using strategically placed packets. This will direct the communication of the user to the hacker’s server where it can sniff personal information.


After intercepting the user’s connection to the entity which is typically a website server, hackers will need to decrypt the data to extract the information that they want.

  • HTTPS spoofing – HTTPS typically indicates that the user device can trust the source server (the entity) and the communication is encrypted. Cybercriminals will install spoofed root security certificates so that the user’s browser thinks it is a secure server to access. The browser will send the encryption key to the spoofed server which they can use to decryption the data being sent out by the user.
  • SSL hijacking – Before a user connects to a secured HTTPS version of the website, they connect to an unsecured HTTP server which redirects to the HTTPS server. Hackers will reroute all the user’s traffic to their server after connecting to the HTTP server. This is where the hackers collect all personal information of the user by having the connection go through their server first before getting to the HTTPS server.
  • SSL strippingA cybercriminal will downgrade a website from a secured version (HTTPS) to non-secured (HTTPS). They will get between the user and the HTTPS server through their proxy server or ARP spoofing. By serving the user with HTTP, all the personal data including passwords, financial information, etc., are in a plain, unencrypted text which they can see.

Types of Man-in-the-Middle Attacks

Man-in-the-middle attacks happen in different parts of the Internet. Hackers use this simple concept to target a large number of potential victims or focus on specific prey.

Here are a couple of man-in-the-middle attacks that you should know.

WiFi Man-in-the-Middle Attacks

WiFi man-in-the-middle attacks often happen in public networks. Rogue networks are set up by hackers to entice unknowing users to connect to their servers. They will usually have names like “Starbucks WiFi” or “Free WiFi.”

Evil twin attacks happen when hackers mimic trusted public WiFi connections in the area. It will trick you into thinking that it is the same network that you have used in the past.

Using these methods, your connection will now go through the hackers’ server where they can steal information like login credentials and payment details.

Email Hijacking

Hackers will intercept unsecured emails from a large number of users. They will look for keywords that will point them to emails that contain valuable information. This is how hackers were able to steal £333,000 (about $500,000) from Paul and Ann Lupton.

Cybercriminals were able to read the Luptons emails with their lawyers during the sale of their apartment. The hackers emailed the lawyer through the Lupton’s email account and gave their bank details. Unknowingly, the lawyer was depositing the money from the property sale to the criminals’ account.

Session Hijacking

Hackers will intercept session cookies when you go online using malware. These cookies contain valuable information such as login credentials, full name, and even your physical address. Once hackers obtain that information, they can use it to log in to your bank accounts or even steal your identity to commit fraud.

Man-in-the-Browser Attack

A malware, usually a Trojan, infects your computer that allows criminals to get between your transactions online. They will be able to intercept your emails, online payments, and banking. You may be redirected to websites that look exactly like your bank’s website. When you enter your information, the hackers can use your login credentials to log in to your financial account and steal your money.

Examples of Man-in-the-Middle Attack

Man-in-the-middle attacks are still widespread to this day. In 2013, authorities discovered that criminals were targeting customers of Absa, one of the largest banks in South Africa. Europol arrested 49 suspects across Europe for multiple man-in-the-middle attacks on banks and other financial institutions.

Even public and government institutions are known to use man-in-the-middle attacks on its people. In 2013, Edward Snowden revealed that the US National Security Agency posed as Google to spoof SSL certificates and intercept traffic. Comcast was found to inject Javascript into its traffic to prioritize its advertisements over other companies.

Can it Happen on Android?

Modern mobile phones are very similar to computers albeit in a smaller and more compact form. Due to its portability, it is one of the most popular devices around. Moreover, an increasing number of users conduct most of the online transactions using mobile phones. It is quite easy to forget that your devices store personal information as well.

In 2017, ZDNet reported that flaws in applications of significant banks such as HSBC, Co-op, Allied Irish, and NatWest exposed their users’ information to man-in-the-middle attacks. University of Birmingham’s Security and Privacy group discovered that attackers on the same network as the victims could steal login credentials, financial information, and more from the devices.

How to Prevent Man-in-the-Middle Attack

Protecting yourself from man-in-the-middle attacks will require vigilance in your online activities. Most victims are unaware that they are already under attack until it’s too late. To prevent severe damages, take note of the following tips.

Public WiFi Security

It is tempting to connect to WiFi connections in coffee shops, airports, parks, and other public areas. It is even more tempting to connect to free WiFi networks. However, note that connecting to these public networks can put you at risk. Do not allow your phones and computers to connect to hotspots automatically.

Moreover, it is best to conduct sensitive transactions like online banking and shopping at home where you know your WiFi connection protects you. If you have to, ensure that you have a VPN before connecting to public WiFi.

For more information on public WiFi security, check out our guide.

Strong Home Security

You may be able to trust your home WiFi, but it is still vulnerable to attacks. Ensure that you have a strong WiFi password that will encrypt your Internet connection. Ensure that you have a secure firewall as well.

You can prevent further man-in-the-browser attacks by securing your web browser. It is essential especially if you do most of your online banking and shopping at home. Moreover, ensure that your operating system is updated to fix any vulnerabilities in your system.

Be Aware of Common Methods of Attack

Signs of man-in-the-middle attacks are easy to see if you know where to look. Make sure that the URL of the website that you are visiting uses HTTPS. This is especially necessary if you are accessing banking websites. An online bank portal with an HTTP URL is a potential man-in-the-middle attack.

Keep an eye out for phishing attempts especially from banks and financial institutions. Hackers can develop emails that look legitimate. Be extra vigilant when emails and web pages ask you to enter personal information. It is better to login to the website manually than clicking the link in the email. If uncertain, contact the organization that manages the site and confirm the message.

Install Effective Anti-Malware Applications

Most man-in-the-middle attacks start with infecting your computer with malicious software. They lie unnoticed in your device until they can detect vulnerabilities that will allow the hackers to extract personal information.

Install advanced anti-malware software like MalwareFox. It provides protection from all kinds of malicious software like adware, spyware, trojans, and more. Additionally, you get a robust real-time protect that prevents hackers from ever touching your personal information. You also have next-level protection from ransomware.

malwarefox results

MalwareFox is also available in Android for complete protection for all of your devices.

Final Thoughts

Man-in-the-middle attacks are quite difficult to avoid. Staying vigilant gives you protection from more frequent attacks. Also, keeping your operating system and security applications like antivirus and anti-malware software.

If you suspect that you are a victim of man-in-the-middle attacks, do not panic. Report to the authorities and disconnect from any network for the meantime until you are sure that it is safe to go online.

Leave a Comment