What Is a Man-in-the-Middle Attack and How Can You Stay Safe?

Man-in-the-middle (MitM) attacks intercept your web communications, allowing hackers to steal your login credentials and financial data. But MitM attacks are preventable with the right tools and online safety practices.

A man-in-the-middle (MitM) attack is a particularly tricky form of hacking. It involves a bad actor sneaking into an online interaction between two parties considered private or secure.

Afterward, the hacker can access sensitive data like your bank account credentials, credit card numbers, or a work email login. It doesn’t stop there — with the access gained, cybercriminals can install ransomware and other forms of malware.

MitM attacks can be accomplished through eavesdropping, spoofing, hijacking, and browser cookie theft. In any case, the hacker gets a peek at sensitive information you don’t want to share. While this type of hacking can seem scary because you don’t know where it’s coming from, there are ways to keep yourself safe online.

We'll identify the types of MitM attacks and cover how an encrypted connection can help thwart hackers.



What is a man-in-the-middle attack?

Also described as monster-in-the-middle, person-in-the-middle, or adversary-in-the-middle, a MitM attack requires a hacker to intervene between two trusted parties. This cybercrime is accomplished through hijacking, eavesdropping, poisoning, or spoofing. The end goal is a form of identity theft. 

But what does "two trusted parties" mean? When you try to access a website, for example, you and that website are the two parties. The hacker positions themselves between you and the site you are connecting to, where they can steal login credentials or other sensitive data.

Email hijacking

This method is mainly used to target banking and financial information. Cybercriminals send out a convincing-looking fake email to steal your information. Once the hacker gains your credentials, they can monitor all transactions. They may also send out instructions on logging into your account or transferring money that look like they came from a legitimate financial institution.

Sending your credentials through these emails or filling out the information in the links can lead to further access for the hacker.

Wi-Fi eavesdropping

This type of attack happens more frequently in public. An attacker sets up a fake free public Wi-Fi network, and once you connect, they can intercept data from your devices. These rogue networks can look perfectly normal, just like the valid ones. Your personal Wi-Fi at home can also be subject to eavesdropping.

That's why using a virtual private network to encrypt your internet traffic is recommended whenever you connect to public Wi-Fi or access any sites that require your personally identifiable information (like your SSN). 

Session hijacking

Session hijacking includes cookie theft or phishing scam emails. Whether the hacker grabs your session cookie data while you are on public Wi-Fi or you click a phishing link in an email, they then have access to whatever you do for the rest of that session. It’s like leaving your front door open and someone walking through your house touching your things.
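The session cookie an eavesdropper grabs on open Wi-Fi is only exposed if the browser is willing to send it over plain HTTP. As an added example (not code from the article), this audit parses Set-Cookie headers and reports the attributes a site should set so the cookie travels only over HTTPS, stays out of reach of page scripts, and is not replayed from other sites; the sample headers are constructed.

```python
from typing import Dict, List

def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header value into the cookie name/value and its attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store a marker instead.
        cookie[key.strip().lower()] = val.strip() or "true"
    return cookie

def audit_cookie(header: str) -> List[str]:
    """Return the weaknesses that would let an eavesdropper or injected script reuse the cookie."""
    cookie = parse_set_cookie(header)
    findings = []
    if "secure" not in cookie:
        # Without Secure the browser also sends the cookie over plain HTTP,
        # where anyone on the same open Wi-Fi network can read it.
        findings.append("missing Secure")
    if "httponly" not in cookie:
        # Without HttpOnly, script running in the page can read the cookie.
        findings.append("missing HttpOnly")
    if cookie.get("samesite", "").lower() not in ("lax", "strict"):
        # Without SameSite the cookie rides along on requests triggered from other sites.
        findings.append("SameSite not Lax or Strict")
    return findings

# Constructed sample headers: a weak session cookie and its hardened form.
SAMPLE_HEADERS = [
    "sessionid=7f3a9c; Path=/",
    "sessionid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", audit_cookie(header) or ["ok"])
```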

Cache poisoning

Cache poisoning is another name for domain name system (DNS) spoofing. To navigate to a website, an internet user types a domain name (like typing in the address for https://allaboutcookies.org), which the DNS translates into a numeric language (the IP address) that the computer can understand. Cache poisoning happens when a hijacker intercepts this translation and redirects your request, usually to a phony site.

It's a good practice to routinely delete cookies, clear cache, and remove your browser history. You can usually take care of all three housekeeping tasks simultaneously. Here's how to manage cookies on any browser.

Internet protocol (IP) spoofing

An IP address is unique to each device. It acts as an address so that digital information knows where to go, for instance back to the device you’re using to access the internet. Spoofing an IP address creates a fake address, allowing the hacker to hide their identity or reroute information to a new place. With IP spoofing, they can either pretend to be a site you trust or hide themselves so a site doesn’t recognize them as a threat.

HTTP spoofing

Hypertext transfer protocol (HTTP) transmits information across the internet. HTTP spoofing is when a hijacker makes a fake website whose URL uses characters that look similar to those of the site you intended to visit.

This could mean using the number zero instead of the letter O, or slightly altering a name, such as ABCBanking.com in place of ABCBank.com. The cybercriminal can then steal all the information entered during your browsing session. On the other hand, an HTTPS connection is a secure, encrypted version of HTTP and lets you know the site you’re visiting is safe.
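A lookalike hostname of the kind described here (a zero for an O, or ABCBanking.com in place of ABCBank.com) can be flagged before a page is trusted. The following detector is an added example, not code from the article: it normalises confusable characters into a "skeleton", then compares the name against a constructed list of trusted hostnames (the `TRUSTED` tuple and the confusable table are assumptions made for this example).

```python
import re

# Single characters that are visually swapped in lookalike hostnames; the
# article's own example is the digit zero in place of the letter O.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
# Character pairs that read as a single glyph at a glance.
DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

def hostname(url_or_host: str) -> str:
    """Reduce a URL or bare host to a lowercase hostname without 'www.'."""
    host = re.sub(r"^[a-z]+://", "", url_or_host.strip().lower())
    host = host.split("/", 1)[0].split("@")[-1].split(":", 1)[0].rstrip(".")
    return host[4:] if host.startswith("www.") else host

def skeleton(host: str) -> str:
    """Normalise confusable glyphs so 'allab0utcookies.org' collides with the real name."""
    host = host.translate(CONFUSABLES)
    for seq, rep in DIGRAPHS:
        host = host.replace(seq, rep)
    return host

def levenshtein(a: str, b: str) -> int:
    """Edit distance, so a dropped or doubled letter is also caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url_or_host: str, trusted: tuple) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a destination hostname."""
    host = hostname(url_or_host)
    if host in trusted:
        return "trusted"
    label = skeleton(host).rsplit(".", 1)[0]  # name without its top-level domain
    for known in trusted:
        known_label = skeleton(known).rsplit(".", 1)[0]
        # Same name once glyphs are normalised, same name under another TLD,
        # or the brand extended with extra letters (ABCBank -> ABCBanking).
        if (skeleton(host) == skeleton(known) or levenshtein(label, known_label) <= 1
                or label.startswith(known_label)):
            return "lookalike"
    return "unrelated"

# Constructed list of hostnames the reader trusts: bare registrable names, lowercase.
TRUSTED = ("abcbank.com", "allaboutcookies.org")
```

`classify("ABCBanking.com", TRUSTED)` returns `"lookalike"`, while the genuine `https://www.abcbank.com/login` returns `"trusted"`.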

Secure sockets layer (SSL) hijacking

SSL hijacking is another name for browser cookie theft or cookie hijacking. It mostly affects websites or web applications. When you visit a new site for the first time, your browser verifies the site’s SSL certificate (the cookie) and creates an encrypted connection. In an SSL hijack, the attacker presents a fake certificate that looks legitimate, which lets them read the data you’re entering into the site.

6 ways to protect yourself from a MitM attack

Figuring out the best practices for staying safe online can be overwhelming. Many sites use highly technical terms or don’t fully explain the process behind why something happens the way it does.

Education is your best level of defense against hackers and scammers, and learning about MitM attack methods helps you become a more diligent user.

Below are some best practices for protecting yourself from a MitM attack.

1. Use a VPN

A virtual private network (VPN) can encrypt your internet traffic so an attacker can’t see the data you’re transmitting, but VPNs can do much more, like:

  • Hide your location (AKA your real IP address) from hackers looking in specific areas
  • Secure your internet connection by using military-grade protocols to encrypt your data
  • Disguise your location by assigning you a different IP address
  • Reroute your internet traffic through a secure server
  • Bypass regional restrictions so you can access out-of-market content


2. Secure your personal Wi-Fi network

Although many MitM attacks happen on public Wi-Fi, shoddy home Wi-Fi security could leave you vulnerable. Use a strong Wi-Fi password and change it regularly. Timing your Wi-Fi password change with changing the batteries in your smoke detector seasonally is a good practice. And change the password on your router. 

If you have the ability to bring a personal Wi-Fi network with you as a hotspot, that can help you avoid public Wi-Fi.

4. Avoid social engineering attacks

Social engineering attacks are designed to coerce you into sharing personal information through fear, charm, the promise of money, or other psychological tricks.

Always question the source before offering up personal info like Social Security numbers or bank information. Furthermore, if you can turn on multi-factor authentication, do it every time. It’s an added layer of security.

5. Watch out for phishing scams

Phishing scams are one of the most common kinds of social engineering attacks. They’re based on the idea that your world is so fast-paced that you don’t have time to investigate the sender of the email, text, or call.

Always check the email address, time of day sent, number calling or texting, and don’t open attachments or click on links that might come from an unknown source.

6. Only use secure websites

Earlier, we mentioned how HTTPS is secure while HTTP isn’t. The S stands for secure. This means that the site has been checked and is safe to visit. You can see this at a glance by looking in the address bar in your web browser and seeing a lock symbol next to the web address.

Examples of MitM attacks

It’s easy to dismiss these kinds of internet attacks as being theoretical. We’ve rounded up some examples from the past as well as more recent attacks to show you these techniques are being used in “the wild” every day.

This isn’t an exhaustive list, but as cybersecurity transparency improves, we can learn more about how attacks happen and how they could have been avoided. These four examples show some of those ways.

Juniper Junos OS

The attack on Juniper Junos OS stemmed from improper certificate validation in the software’s signature check.

Signatures are common in software: the company signs a batch of updates so the signature can be verified rather than every single portion of the update. The mechanism is supposed to be secure, but in this case a vulnerability meant the signature check was compromised, so anything carrying the compromised signature passed through the protective software.

Uber social engineering hack

The ride-share company was hacked using a phishing scam. The hacker was able to trick an employee into disclosing their Slack login credentials.

From there, the hacker gained access to the company network and was able to view every single piece of information in Uber’s systems. They sent screenshots of sensitive information to the company to prove they were inside. The company contacted law enforcement and launched a full-scale investigation.

While it takes a long time to investigate cyber attacks, Uber has determined the level of compromise and what information the alleged 18-year-old hacker was able to view.

Lenovo adware

“Starting in September 2014, Lenovo pre-installed Superfish VisualDiscovery spyware on some of their PCs,” says the Cybersecurity and Infrastructure Security Agency’s (CISA) alert page.

The company created a fake certificate to intercept, decrypt, and then re-encrypt user internet data in an effort to gain information for targeted ads. This attack was particularly egregious because it was a trusted company doing the spying.

Equifax breach

In 2019, Equifax reported they’d discovered a breach in their security systems going back to 2017. A weakness in an open-source certificate allowed an HTTP spoof to occur, allowing the hackers in.

While the entire incident was a debacle, what made it even worse was the suspicious-looking website they set up for information and resources for victims. Equifaxsecurity2017.com looked so much like a phishing site that it left many people wary of using it. Adding insult to injury, Equifax’s social channels mistakenly directed people to Securityequifax2017.com, making the confusion even worse. Needless to say, it was a complete mess.

FAQs

How do you know if you’re in a MitM attack?

Identifying a MitM attack doesn’t have to be tricky. Start by looking up at the address bar. If the website isn't secure or you were able to access the website without accepting any certificates, then you should not proceed. Secure web pages will have HTTPS and a padlock icon. Additionally, if there’s any intervention between typing in an address or clicking a link and getting to the actual site, it’s best to leave the website. An intervention can look like a pop-up asking you to accept something or a warning saying your connection is not private.

Does a VPN prevent MitM attacks?

While nothing is a 100% guarantee, a virtual private network is your best shot against these types of attacks because it encrypts your internet traffic and web activities. VPNs can also mask your real IP address and offer military-grade protocols to keep your privacy secure. 

Can a MitM attack steal passwords?

Absolutely! The theft of personal and sensitive information is the goal of a MitM attack. Getting your credentials goes a long way in helping the attacker gain access to otherwise secure systems. We recommend using a third-party password manager in addition to a secure virtual private network, especially for internet users who frequently connect to insecure public Wi-Fi. While browsers with built-in password managers may be convenient, dedicated password managers offer military-grade encryption and other advanced security features.

Bottom line

A MitM attack is when a hacker gets into your secure and encrypted interactions online and can redirect or steal your information. Most of the time, these types of attacks require you to fall for tricks like visiting a suspicious-looking site or opening an attachment in your email to create an access point.

Anyone is susceptible to these kinds of hacks, so never think you’re “not important” enough to be a target. Some of the most successful breaches started as a MitM attack on someone in an organization.

It sounds scary because MitM attacks are done so secretly and in ways difficult to detect. The language surrounding it can look confusing, especially if you aren’t a “tech person.” As we’ve covered, however, there are steps you can take to protect yourself from becoming a victim.

  1. Use a VPN, especially when accessing public Wi-Fi networks. (We've tested 50+ VPNs and recommend NordVPN as the best overall.)
  2. Double-check email addresses and the origin of a phone number or email, look for the lock symbol beside a web address, and don’t open unrecognized attachments.
  3. Don’t accept prompts to bypass security features. If you can’t access a site, it’s probably not safe. Find another source.
  4. When in doubt, end the session. If you aren’t sure you have a secure connection, sever the internet connection to the device and go about your day.

Learning about online safety and basic internet hygiene practices can be the difference between becoming a victim and staying secure. If you practice common sense and due diligence, you’ll likely stay out of the way of the bad guys.


Author Details
Mary is a seasoned cybersecurity writer with over seven years of experience. With a B.S. in Liberal Arts from Clarion University and an M.F.A. in Creative Writing from Point Park University, she educates audiences on scams, antivirus software, and more. Her passion lies in educating audiences on helpful ways to protect their data.