
What Is an On-Path Attacker?
On-path attacks (also called man-in-the-middle attacks) aim to manipulate communications between two devices, typically a browser and a web server. The attacker places themselves between the two devices and intercepts or modifies the traffic passing between them.
Through this manipulation, attackers can collect sensitive information or impersonate one of the parties involved in the communication. On-path attacks are capable of targeting communications related to websites, email, DNS lookup operations, and public WiFi networks. Typical targets of on-path attackers include SaaS companies, e-commerce businesses, and users of financial applications.
To protect against these attacks, strong security measures must be applied, such as using encrypted connections via the HTTPS protocol, verifying the security certificates of websites, and avoiding the use of untrusted public WiFi networks. It is also recommended to regularly update software and applications, and to use additional security solutions such as Virtual Private Networks (VPN) when using public networks.
An on-path attack resembles the work of a dishonest mail carrier who sits at the post office and tampers with letters between two people. This carrier can read private messages and modify their content before delivering them to the original recipients.
In a more modern context, an on-path attacker can sit between a user and the website the user wishes to visit, stealing the user's username and password. This is done by targeting the HTTP connection between the user and the website, where the attacker can penetrate this connection and modify the information being sent between the user and the site. Consequently, the attacker can steal the user's cookies — small pieces of data created and stored by the website on the user's device for identity verification and other purposes.
Stolen cookies are used to hijack the user's session, allowing the attacker to impersonate the user on the website and carry out malicious activities. These attacks can target many websites, including e-commerce companies, banking sites, email services, and social networks.
To avoid these attacks, it is recommended to adopt strong security measures such as using encrypted connections like HTTPS and avoiding unencrypted connections like HTTP. Users should also exercise caution when using public WiFi networks and verify the security certificates of the websites they visit. Using anti-intrusion software and regularly updating programs and applications are also important measures for protection against these attacks.
On-path attackers can also target DNS servers and attack the DNS lookup process. The DNS lookup process converts domain names into IP addresses, allowing browsers to find websites.
In DNS Spoofing and DNS Hijacking attacks, the attacker infiltrates the DNS lookup process and redirects users to incorrect websites instead of the original sites they wish to visit. Typically, users are redirected to sites that distribute malware or aim to steal sensitive information.
To prevent these attacks, it is recommended to take strong security measures to maintain the integrity of DNS servers. This includes using trusted software applications to manage and regularly update DNS servers. It is also preferable to use digital signatures and certificate verification to ensure that users are connecting to the correct DNS servers. In the event of suspected DNS attacks, they should be reported and measures taken to address them immediately.
What Is Email Hijacking?
Email hijacking is a common attack used by on-path attackers to gain access to email servers and monitor email communications. Attackers do this by placing themselves between the email server and the web, allowing them to manipulate communications and target sensitive information.
Once the server is breached, attackers can exploit this access for various purposes, including conducting fraud. One well-known fraud scheme exploits a scenario requiring a money transfer, where the attacker uses a spoofed email address to request that funds be transferred to the attacker's account. The attacker forges the email to make it appear legitimate and harmless to the recipient, thereby increasing the likelihood that the transfer request will be executed.
Email hijacking attacks can be highly effective and cause significant financial damage, targeting both companies and individuals alike. Historically, several successful email hijacking attacks have been documented that led to the theft of large sums of money.
To protect against email hijacking attacks, individuals and organizations should take strong security measures, such as strengthening email account security with strong passwords and two-factor authentication features. Users should also be vigilant and carefully verify the source of emails and financial requests before taking any action. In case of suspicion, they should contact the relevant party directly to verify the authenticity of the request before executing it.
Why Is Using Public WiFi Networks Considered Risky?
On-path attacks are often carried out over WiFi networks. Attackers can create malicious WiFi networks that appear either harmless or cloned from legitimate WiFi networks. Once a user connects to a compromised WiFi network, the on-path attacker can monitor that user's internet activity. Skilled attackers may redirect the user's browser to fake versions of legitimate websites.
What Are the Methods of Protection Against On-Path Attackers?
Since on-path attackers use a number of methods, there is no single comprehensive solution for these attacks. One of the primary ways to protect against attacks targeting HTTP traffic is to adopt SSL/TLS, which establishes secure connections between users and web services. Unfortunately, this is not a foolproof solution, as more sophisticated on-path attackers can work around SSL/TLS protection. For additional protection against these types of attacks, some web services implement HTTP Strict Transport Security (HSTS), which enforces secure SSL/TLS connections with any browser or application, blocks any insecure HTTP connections, and also prevents cookie theft.
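As an added example (not part of the original article), the following Python sketch audits a site's response headers for the HSTS policy described above and for cookies that would still be sent over plain HTTP. The sample responses, the 180-day MIN_MAX_AGE threshold and the function names are assumptions made for this illustration.

```python
from http.cookies import SimpleCookie

MIN_MAX_AGE = 15552000  # 180 days: assumed policy threshold for this example

# Constructed sample responses as (header name, value) pairs.
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "session=abc123; Path=/")]
HARDENED = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Set-Cookie", "session=abc123; Path=/; Secure")]


def parse_hsts(value):
    """Split a Strict-Transport-Security value into a dict of directives."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def audit_headers(headers):
    """Return findings that leave traffic or cookies exposed to plain HTTP."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no HSTS header: browsers may still connect over HTTP")
    else:
        policy = parse_hsts(hsts[0])  # browsers process only the first header
        max_age = policy.get("max-age", "")
        if not max_age.isdigit():
            findings.append("HSTS max-age missing or invalid")
        elif int(max_age) < MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age}s is below {MIN_MAX_AGE}s")
        if "includesubdomains" not in policy:
            findings.append("HSTS policy does not cover subdomains")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(v)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {name}: no Secure attribute")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(sample))
```

The same function can be run against headers captured from a real response to confirm that the HSTS policy and the Secure cookie attribute are both in place before relying on them.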
Authentication certificates can also be used to protect against these attacks. An organization can implement certificate-based authentication on all its devices, so that only users with properly configured certificates can access their system.
To prevent email hijacking, Secure/Multipurpose Internet Mail Extensions (S/MIME) can be used. This protocol encrypts email messages and allows users to digitally sign emails using a unique digital certificate, enabling the recipient to know that the message is legitimate.
Individual users can also protect themselves from on-path attackers by avoiding sending any sensitive information over any public WiFi network unless it is protected by a secure Virtual Private Network (VPN).
And here, my friend, we have successfully completed our mission 
With greetings from the #Ezznology team
Ezznology عز التقنية




