What Is a Man-in-the-Middle Attack? Full Guide 2024

Ana Jovanovic
Updated on: May 31, 2024 Editor

A man-in-the-middle (MITM) attack is a type of cyberattack where a third party secretly places themselves in the middle of a data transfer or conversation between two parties.

For example, MITM attacks often target banking websites — you think you’re securely interacting with your bank, but a hacker is actually logging all of your interactions.

After placing themselves “in the middle”, hackers can steal personal information or modify and manipulate communications between two parties.

Due to advances in encryption technology and network security, MITM attacks have become pretty rare. But when they do occur, they can result in identity theft, malware infestation, and financial losses.

However, you can protect yourself against the network exploits, spoofing, and encryption-breaking techniques used in MITM attacks — you just need the right tools.

Editors' Note: ExpressVPN and this site are in the same ownership group.

What Is a Man-in-the-Middle Attack & How Does It Work?

MITM attacks occur when a hacker is able to deceive both a user’s device and the server that the user is trying to access — both systems are unaware there’s an unseen observer recording, decrypting, and potentially even altering the data moving between the two parties.

There are a lot of different kinds of MITM attacks, but most of them follow a two-step formula:

1. Interception — The user’s traffic is intercepted before it reaches the intended destination.
2. Decryption — After a successful interception, the attackers decrypt all traffic without alerting the users at either end of the attack.

But gaining this level of access requires significant knowledge about decryption, network exploits, software vulnerabilities, and internet protocols.

Before a hacker can “get in the middle”, that hacker has to intercept a user’s web traffic. This is often done by exploiting an unsecured Wi-Fi network or by spoofing a trusted Wi-Fi network. Hackers can also deceive users by installing malware on their device, which redirects browsing traffic to fake websites and spoofed networks.

Either way, once a hacker has intercepted the user’s web traffic (without alerting that user’s device or the server they’re accessing), the “man-in-the-middle” has several options. They can either allow the user to continue accessing the internet with no interruption (thus spying on their usage and stealing their data), or they can begin to interfere with the communications between a user and the internet — for example, a hacker could tell your bank to wire your funds directly to another account, and your bank would think you were the one making this request).

Types of Man-in-the-Middle Attacks

Generally, every man-in-the-middle attack falls into one of two broad categories:

1. Active Session Attack — The attacker diverts user traffic to a new server before reconnecting the user to its intended destination (for example, you think you’re on your bank’s website but you’re actually looking at a spoofed website on a hacker’s server).
2. Passive Session Attack — The attacker keeps monitoring the data flow over a network without interrupting the communication (for example, you connect with your bank’s website but the hacker is monitoring all of your outgoing and incoming data).

The techniques used for MITM attacks are pretty advanced, but here are the main techniques used by hackers to get between users and the services they’re trying to access:

• Wi-Fi Eavesdropping — Hackers can set up fake public Wi-Fi networks, frequently in busy urban areas with lots of “normal” public Wi-Fi networks. These fake networks are completely unsecured, routing user data through the hacker’s servers to monitor and intercept user traffic.
• Spoofing — Hackers can imitate a secure IP address, DNS server, or HTTPS connection with a variety of techniques. These could be as advanced as issuing fake root certificates to deceive the user’s device or as simple as sending a phishing link to a fake website. The end result is that a hacker intercepts the user’s connection and creates an MITM situation.
• SSL Stripping — Hackers can intercept encrypted traffic coming from a server, decrypting the data and forcing users to connect to the server through an unencrypted HTTP connection, which leaves them wide open to an MITM attack. The term “stripping” refers to the hacking tools used to “strip away” the secure TLS or SSL connection from the user.
• Email Hijacking — Similar to spoofing, this process involves compromising an email server by creating lookalike email accounts (for example, adding an “s” or “-” to the email address to trick the receiver into thinking it’s a legitimate email address). The man-in-the-middle then intercepts the emails coming through the server, changes the content, and sends the altered data from the lookalike email address.

How Worried Should I Be About Man-in-the-Middle Attacks?

If you haven’t downloaded any unknown programs onto your system or you are only visiting secure, well-known websites, then you probably don’t have to worry that much about a man-in-the-middle attack.

Modern day web encryption tools are able to significantly reduce the risk of MITM attacks. TLS (transport layer security) and SSL (secure sockets layer) are the two predominant encryption protocols used to certify that authentic communication is happening between a user and their intended host.

If you are visiting a secured website that uses HTTPS, that means the site is communicating with your device using TLS or SSL encryption. TLS and SSL both encrypt your data before it leaves your device, so that only the server you’re trying to communicate with can decrypt your data.

The “keys” to decrypting HTTPS traffic are exchanged between your device and the host whenever you access a site through a process known as a “secure handshake”. During the handshake, the host shares a digital certificate with your device that certifies the encryption keys provided are genuine. This prevents a man-in-the-middle from intercepting the handshake and providing a false set of security keys.

There are 5 companies (known as certificate authorities) that issue around 98% of the digital certificates in the world, and there have only been a few high-profile instances of certificate authorities issuing false certificates.

What Are the Dangers of Man-in-the-Middle Attacks?

In general, MITM attacks are performed for financial gain, espionage, mischief, or for the sake of demonstrating a hacker’s abilities. The damage caused may range from small to massive, depending on the attacker’s goal and the types of communication that are manipulated.

MITM attacks are usually used for:

• Identity theft.
• Surveillance.
• Financial exploitation.
• Malware infection.
• Business sabotage.
• Network exploitation.

Due to the increased security and availability of HTTPS servers online, MITM hackers in 2024 generally need to rely on fake certificates to carry out their attacks. These fake certificate attacks are extremely rare, but they can be very harmful.

How to Protect Yourself From Man-in-the-Middle Attacks

Even though MITM attacks are not as common as they used to be, there are some necessary steps that you can take to protect yourself.

Install an Antivirus

Good antivirus software can provide a variety of useful tools for preventing MITM attacks, as well as preventing further damage once an MITM attack has been initiated. In addition to removing the malware that can be used to set up an MITM attack, many antiviruses provide network monitors, secure browsers, web shields, firewalls, dark web monitoring, and identity theft protections. Norton 360 is my favorite antivirus software for overall internet security.

Install Software Updates

Whether there’s an update for your browser, your device’s firmware, your OS, or your apps, software updates often contain patches to fix harmful security vulnerabilities. Hackers are able to deploy botnets that can crawl the internet for users using out-of-date software and target those users with network-based attacks, including MITM attacks. I recommend you enable auto-update settings whenever possible.

Avoid Unprotected Wi-Fi Connections

Most routers use security systems like WPA2 — plus anti-malware programs such as Norton come equipped with network monitors that offer both real-time assessments and ongoing monitoring to ensure you connect solely to safe Wi-Fi networks.

Browse Responsibly

When accessing websites, always try to access HTTPS instead of HTTP sites (you can tell if you’re accessing a secure site because of the “closed lock” icon in the left side of the address bar on most browsers). Recent innovations in server and encryption technology have enabled the majority of sites online to provide secure encrypted connections, and there are even add-ons and extensions for Chrome and Firefox that will automatically redirect your traffic from HTTP to HTTPS addresses whenever possible.

Examples of Man-in-the-Middle Attacks

It’s because of the sophisticated technology and high-level access needed for executing a MITM attack that they’re typically only carried out by governments and large corporations, although hackers have also executed several attacks over the last few years.

Here are some of the most famous MITM attacks of the 21st century:

• 2011 — A small certificate authority and a primary CA for the Dutch government, DigiNotar issued certificates for government websites and everyday internet users. In late 2011, it was discovered that fake DigiNotar certificates were issued for hundreds of websites, including Google, and used to spy on Iranian citizens. These certificates enabled a man-in-the-middle attack, intercepting and potentially altering interactions with the sites. The attack’s perpetrator remains unclear, though a user named “Comodohacker” claimed responsibility. As a result, all major browsers stopped accepting DigiNotar certificates, leading to the company’s shutdown within months.
• 2013 — Edward Snowden leaked documents revealing how the USA’s National Security Agency (NSA) used MITM attacks to intercept website traffic and inject malware into certain Tor and Firefox users’ systems.
• 2014 — Lenovo shipped PCs with the Superfish adware installed, which issued less-than-secure SSL certificates to allow pop-up ads on user desktops. Superfish is considered to be an extreme security vulnerability, and Lenovo PCs were quickly patched and recalled.
• 2015 — A British couple lost £340,000 when their property sale payment was diverted by a man-in-the-middle attack.
• 2017 — Equifax had to roll back its mobile app after researchers discovered that it sent data using HTTP instead of the encrypted HTTPS protocol that blocks most MITM attacks.
• 2019 — Hackers stole a $1 million payment between a Chinese venture capital firm and an Israeli startup by intercepting and altering their email communications in an extensive MITM attack.
• 2023 — Researchers at the French research center Eurecom discovered several new MITM attack methods, which they collectively named BLUFFS (Bluetooth Forward and Future Secrecy). They exploit vulnerabilities in the Bluetooth protocol affecting versions 4.2 to 5.4. These attacks can compromise Bluetooth session encryption, allowing hackers to impersonate devices and decrypt past and future communications between Bluetooth devices, posing significant security risks.​

Frequently Asked Questions

What is a man-in-the-middle attack?

A man-in-the-middle (MITM) attack happens when a third-party positions itself between two parties without their knowledge, intercepting and potentially even modifying internet traffic.

The hacked users think that they are exchanging information directly with their intended recipient because the “man-in-the-middle” is able to mimic (or “spoof”) websites, DNS servers, Wi-Fi networks, IoT (Internet of Things) devices, email addresses, and/or routers.

Cybercriminals can use MITM attacks to steal user credentials or personal information, spy on the victim, sabotage communications, and corrupt data.

How does a man-in-the-middle attack work?

To perform a successful man-in-the-middle attack, a hacker first needs to intercept a user’s web traffic. This can be done in a number of ways, including exploiting an unsecured Wi-Fi network or installing malware on the user’s device.

Once the hacker has placed themselves between two communicating parties, they can either eavesdrop on the communication or alter the communication. In either case, the hacker needs to decrypt the communication between the parties without the parties becoming aware that someone is in the middle of their communication.

How to prevent man-in-the-middle attacks?

While there’s no foolproof way to prevent man-in-the-middle attacks, the best ways to keep yourself as safe as possible online include downloading an antivirus program like Norton or Bitdefender, connecting only to safe Wi-Fi networks, visiting only HTTPS sites, and installing updates as soon as they’re available.

What are some famous man-in-the-middle attacks?

One of the most famous MITM attacks of the 21st century happened in 2011, when certificate authority DigiNotar was hacked. The hacker responsible for the attack issued fake certificates for popular sites like Google and intercepted and monitored Iranian users’ web traffic. Every major ISP and search engine revoked their DigiNotar certificates, and the company went bankrupt.