All You Need to Know About Man-In-the-Middle Attacks

Cybersecurity Content Writer

The online world is full of security threats. One such threat is known as a man-in-the-middle attack — a type of attack where a bad actor secretly intercepts online communications between two people.

What is a man-in-the-middle attack?

A man-in-the-middle (MITM) attack is a type of cyberattack during which bad actors eavesdrop on a conversation between a user and an application. MITM attacks can take a variety of shapes and forms. However, in essence, a MITM attack can be defined as a malicious interception of communications. Usually, the goal of the MITM is to steal sensitive data such as usernames, passwords, credit card numbers, email addresses, and other pieces of information that attackers can use to profit.

How does a man-in-the-middle attack work?

A MITM attack comprises two phases known as interception and decryption.


During the first stage of the MITM attack, a bad actor first has to intercept communications. In most cases, hackers can intercept communication by gaining control of a public Wi-Fi network or creating faux Wi-Fi hotspots. As soon as the victim connects to a malicious Wi-Fi network, the attacker gains a complete view of all the data exchange.


Because all two-way online traffic is SSL encrypted, bad actors need to decrypt it; otherwise, the intercepted data remains unreadable, making it worthless. During the decryption phase, hackers use various techniques to decrypt data, but more on those later.

Notable man-in-the-middle attacks

  • In 2013, Nokia's Xpress Browser was discovered to be decrypting HTTPS traffic, which gave clear text access to its customers' encrypted traffic.

  • In 2011, the Dutch certificate authority DigiNotar became a victim of fraudulent certificates used to break down the security walls of a site, with customers being none the wiser.

  • More recently, on September 21, 2017, Equifax found that users were being redirected to a fake phishing site, another result of a MITM attack. In this instance, the attacker changed the domain name to from

Types of man-in-the-middle attacks

Bad actors can launch a MITM attack in a variety of ways. However, all types of MITM attacks include interception and decryption phases. Here are a few examples of different MITM attack types.

  • IP spoofing occurs when cybercriminals alter the source IP address of a website or device to mask it. Consequently, this makes unsuspecting users believe that they are communicating with a legitimate website or device while in reality, all of the data that they share during the interaction is gathered by cyber crooks.

  • DNS spoofing is, in essence, quite similar to IP spoofing. However, instead of altering the IP address, attackers modify domain names to redirect traffic to fake websites. Users who enter a website affected by DNS spoofing might think that they landed on a legitimate site; unfortunately, they end up on a faux website often designed to steal login credentials.

  • HTTPS spoofing occurs when cybercrooks set up a website that sends a faux certificate to the potential victim's browser to establish a fake secure connection. As a result, bad actors can collect any data that the affected user enter's on a spoofed website.

  • SSL hijacking is a technique during which bad actors slip faux authentication keys to the user and the application at the same time the TCP handshake takes place. At first sight, this might seem like a secure connection. Unfortunately, the reality is that the attacker is in full control of the entire session and all the data flow.

  • Email hijacking occurs when the attackers gain control of a legitimate entity's email account and use it to conduct financial fraud or even identity theft.

  • Wi-Fi eavesdropping is probably the most common type of MITM attack. During Wi-Fi eavesdropping attackers gain control of public Wi-Fi hotspots or create fake public Wi-Fi networks to which potential victims connect.

  • Session hijacking is essentially what you would call cookie theft. During session hijacking, bad actors gain access to your cookies and then use them to steal sensitive data. As you may know, cookies store some of the most important information, such as your login and personal details.

How to detect a man-in-the-middle attack

Detecting a man-in-the-middle attack can be challenging. If you're not actively looking into your communications, a MITM attack can run unrecognized until it's too late. If you wish to stay a step ahead of bad actors, taking proper action with regard to communication security is critical. Being aware of your browsing habits and understanding possibly dangerous areas can be essential to supporting a secure network.

One of the obvious giveaways you're experiencing a man-in-the-middle attack is unexpected and often repeated disruption of a particular service or website. Attackers disconnect user sessions to intercept the connection and collect data, which is the likely reason behind the disturbances.

Another indication of a MITM attack is suspicious or otherwise unrecognizable URLs. For instance, you might notice that instead of your browser is actually trying to load

If you suspect you've fallen victim to a MITM attack, be sure to terminate your connection to the internet. Because bad actors could have gotten their hands on your sensitive data, such as usernames and logins, we highly recommend changing the passwords of your online accounts to prevent further harm. You can do so quickly and easily with the help of a password generator — a tool designed to create strong and unique passwords on the go.

How to protect against man-in-the-middle attacks

  • Avoid the use of public Wi-Fi

    Public Wi-Fi hotspots are inherently more dangerous than your home Wi-Fi network because they often lack the necessary security measures to ensure safe connectivity. By refraining from using public Wi-Fi networks, you will significantly lower the risk of falling victim to a MITM attack.

  • Use VPN to for secure connection

    Using a VPN can prevent man-in-the-middle attacks. A VPN creates an extra layer of security that encrypts your data, making it iron proof against attacks.

  • Pay attention to browser notifications that report that a website is insecure

    Today's web browsers are quite savvy security-wise. Most modern browsers issue warnings if you're about to enter a website with questionable security standards. Make sure to visit websites that have “HTTPS” in their URL bar instead of just “HTTP.” “HTTPS” indicates that the website is secure.

  • Avoid phishing emails

    Phishing scams are rampant these days. Cybercrooks use phishing attacks to trick users into downloading malicious files and exposing their sensitive data. Usually, phishing messages impersonate a legitimate source to fool users into interacting with the messages. Stay vigilant if you ever notice a suspicious email. You can learn more about phishing in general and how to detect such scams in our previous blog entry.

Subscribe to NordPass news

Get the latest news and tips from NordPass straight to your inbox.