In this article you will learn:

  • Learn what a MITM Attack is & How they work including real-life examples.
  • Find out how hackers use Man-in-the-middle attacks, to interject between you and financial institutions, corporate email communication, private internal messaging, and more.
  • Prevention tactics and best practices to implement immediately.
  • Discover how to identify a man in the middle attack before a data breach impacts your organization.

What is a Man in the Middle Attack? How Does it Work?

A Man-in-the-Middle (MITM) attack happens when a hacker inserts themselves between a user and a website. This kind of attack comes in several forms. For example, a fake banking website may be used to capture financial login information. The fake site is “in the middle” between the user and the actual bank website.

Attackers have many different reasons and methods for using a MITM attack. Typically, they’re trying to steal something, like credit card numbers or user login credentials. Sometimes they’re snooping on private conversations, which might include trade secrets or other valuable information.

One thing that almost all attacks have in common is the bad guy is pretending to be someone (or a website) you trust.

diagram of how a man in the middle attack works

Types of Man-in-the Middle Attacks

Wi-Fi Eavesdropping

If you’ve ever used a laptop in a coffee shop, you may have noticed a pop-up that says “This network is not secure.” Public wi-fi is usually provided “as-is,” with no guarantees over the quality of service.

However, unencrypted wi-fi connections are easy to eavesdrop. It’s much like having a conversation in a public restaurant – anyone can listen in. You can limit your exposure by setting your network to “public,” which disables Network Discovery. This prevents other users on the network from accessing your system.

Another Wi-Fi Eavesdropping attack happens when a hacker creates its own wi-fi hotspot, called an “Evil Twin.” They make the connection look just like the authentic one, down to the network ID and passwords. Users may accidentally (or automatically) connect to the “evil twin,” allowing the hacker to snoop on their activity.

Email Hijacking

In this type of cyber security attack, a hacker compromises a user’s email account. Often, the hacker silently waits, gathering information and eavesdropping on the email conversations. Hackers may have a search script that looks for specific keywords, like “bank” or “secret Democrat strategies.”

Email hijacking works well with social engineering. Hackers might use information from a hacked email account to impersonate an online friend. They may use also use spear-phishing to manipulate a user to install malicious software.

IP Spoofing Attacks

As mentioned before, all systems connected to a network have an IP address. Many corporate intranet networks give each system its own IP address. In IP spoofing, hackers mimic the IP address of an authorized device. To the network, the device looks like it’s approved.

This can allow an unauthorized user to infiltrate a network. They may stay silent, and record activity or they may launch a Denial of Service (DoS) attack. IP spoofing can also be used in a MITM attack by standing between two systems:

System A ====== Hacker ====== System B

System A and System B think they’re talking to each other, but the hacker is intercepting and talking to both.

According to IBM X-Force’s Threat Intelligence 2018 Index, 35% of exploitation activity involved attackers attempting MITM attacks. 

Attempts to conduct man in the middle attacks

Image source: IBM Threat Index

DNS Spoofing

The internet works by numeric IP addresses. For example, one of Google’s addresses is

Most websites use a server to translate that address to a catchy name:, for instance. The server that translates into “” is called a Domain Name Server, or DNS.

A hacker can create a fake DNS server. his is called “spoofing.” The fake server routes a real website name to a different IP address. The hacker can create a phony website at the new IP address that looks just like a genuine website. Once you visit the fake site, an attacker can gain access to your sensitive information and personal data.

HTTPS Spoofing

It’s not currently possible to duplicate an HTTPS website.

However, security researchers have demonstrated a theoretical method for bypassing HTTPS. The hacker creates a web address that looks like an authentic address.

Instead of regular characters, it uses letters from foreign alphabets. This appears as spam emails you may have seen with strange characters. For instance, Rolex might be spelled Rólex.

SSL Stripping

SSL stands for Secure Socket Layer. SSL is the encryption protocol used when you see https:// in front of a web address, not http://. With SSL Stripping the hacker intercepts and forwards traffic from a user:

User ====== Hacker ====== Encrypted website

The user tries to connect to the encrypted website. The hacker intercepts and connects to the encrypted site on behalf of the user. Often, the hacker creates a duplicate website to display to the user. The user thinks they are logged in to the regular website, but it’s actually what the hacker wants them to see. The hacker has “stripped” the SSL protocol out of the user’s network connection.

Session Hijacking

This type of Man-in-the attack is typically used to compromise social media accounts. With most social media sites, the website stores a “session browser cookie” on the user’s machine. This cookie is invalidated when the user logs off. But while the session is active, the cookie provides identity, access, and tracking information.

A Session Hijack occurs when an attacker steals a session cookie. This can happen if the user’s machine is infected with malware or browser hijackers. It can also happen when an attacker uses a cross-scripting XSS attack – where the attacker injects malicious code into a frequently-used website.

ARP Spoofing

ARP stands for Address Resolution Protocol.

A user sends out an ARP request, and a hacker sends a fake reply. In this case, the hacker is pretending to be a device like a router, which allows them to intercept traffic. This is typically limited to local area networks (LAN) which use the ARP protocol.


This is a type of attack that exploits vulnerabilities in web browsers.

Trojan horses, computer worms, Java exploits, SQL injection attacks, and browser add-ons can all be attack vectors. These are often used to capture financial information.

When the user logs in to their bank account, malware captures their credentials. In some cases, malware scripts can transfer funds, then modify the transaction receipt to hide the transaction.

Real Life Man-in-the-Middle Attack Example

In the graphic below, an attacker (MITM) inserted themselves in-between between the client and a server.

As the hacker now controls communication, they can intercept data that is transferred, or interject other data, files, or information.

an example of a man in the middle attack
Man in the middle hacking real-life example.

Man in the Middle Attack Prevention

Use a Virtual Private Network (VPN) to encrypt your web traffic. An encrypted VPN severely limits a hacker’s ability to read or modify web traffic.

Be prepared to prevent data loss; have a cyber security incident response plan.

Network Security

Secure your network with an intrusion detection system. Network administrators should be using good network hygiene to mitigate a man-in-the-middle attack.

Analyze traffic patterns to identify unusual behavior.

Your network should have strong firewalls and protocols to prevent unauthorized access.

Use third-party penetration testing tools, software, and HTTPS encryption to help detect and block spoofing attempts.

Install active virus and malware protection that includes a scanner that runs on your system at boot.

MITM attacks often rely on malware. Running updated anti-virus software is imperative.

Secure Your Communications

Encryption is the best defense to protect against intercepted communication.

The most effective method to stop email hijacking is to enable two-factor authentication. That means that, in addition to your password, you have to provide another vector of authentication. One example is Gmail’s combination of a password and a text to your smartphone.

Use basic internet security hygiene on all devices, including mobile applications.

Watch out for phishing emails as they are the most common attack vector. Carefully examine links before clicking.

Only install browser plug-ins from reputable sources.

Minimize the potential of attacks by signing out unused accounts to invalidate session cookies.

Force encryption by typing https at the beginning:

If you expect an encrypted connection but don’t have one, stop what you’re doing and run a security scan.

If you use Google Chrome, install a chrome security extension, like HTTPS Everywhere, which forces an SSL connection whenever possible.

You should see a green or gray padlock just to the left of the web address in your browser. If you ever see a red padlock, that means there is something wrong with the encryption — double check domain names and your browser before visiting an insecure site.

Disable “Punycode support” (for rendering characters from different languages) on your browser.

Add an enterprise password management solution; this will avoid auto-filling passwords on a nefarious site.

Remember, mobile security best practices. Mobile applications are often targeted.

Avoid using public wifi networks. If you must use public wi-fi, configure your device to require a manual connection.

MITM attacks can be difficult to detect while they are occuring. The best way to stay safe is consistantly implementing all the prevention best practices above.

Be aware that some attacks are a form of social engineering. If something doesn’t seem right about a website or email, take a few minutes to dig a little deeper.

Protect your organization from falling victim

Detecting an attack is difficult, but they can be prevented.

Many Man In the Middle attacks can be prevented with good network hygiene, such as firewalls and security protocols. It is important to supplement these efforts by being mindful of your network habits.

Learn how PhoenixNAP proactively manages, detects, and responds to security indicators with our Threat Management Intelligence Services.