Extract

Man in the middle attacks (MITM) continue to ensnare individuals and companies. These attacks have grown more sophisticated, with new approaches to this attack method. While defence methods like MFA have become more prevalent, the new attack methods continue to adapt to these defences.

Concept

MITM attacks involve a person, device or system being inserted between two counterparties who are expecting to have a confidential exchange of information either by voice, keypad or computer. The captured date and information are valuable. The attacker uses that information to compromise the person or company through the use of the information or instructions they intercept.

Historical MITM

Getting cash out of an automated teller machine (ATM) or cash machine should be a simple process. Make sure the scene looks safe. Insert your card, plug in your PIN, touch the amount of money you want, take the bills and card and put them in your pocket and walk away. A common method that was used in MITM attacks was inserting a panel on the front of the machine that would capture the card information and your PIN. The captured information would allow the criminals to recreate your card and then use your PIN at ATM machines and withdraw as much money as available.

Current defences: In addition to being on the alert of your surroundings and obvious changes to the ATM machines, some banks offer one-time transaction codes that do not require your card or your PIN.

Adaptive MITM

Attackers capture unsuspecting users by optimizing search engine rules as they set up fake websites. Users doing a quick search click the link and go to what they believe is the bank website. The connection is to a spoofed website that looks exactly the same as the real bank website except that, in most cases, the secure padlock indicating a secure digital certificate is missing.

The user plugs in user id, passwords and other credentials, which are captured by the criminals. Sometimes this information is rerouted to the real bank website to allow the user to originate a transfer. The attacker may enter a different transfer on the bank site than the user enters on the fake site. When the MFA process asks for a code, the attacker provides the same prompt to the user, who shares this credential unsuspectingly. Through this or another method, funds are moved to an account that the company doesn’t intend, resulting in a loss.

Current defences: Discipline of using only known sites from a list instead of searching; ignoring calls from bank help desks who ‘proactively notice’ you are having problems logging on.

 

Source & Copyright©2021 - CTMfile

Compromised devices coupled with additional information

ARP Poisoning. Simply described, the attacker is able to insert a device on the network you are using (corporate or coffee shop) that keeps track of the network devices and replaces the network router address with the attacker’s physical device. This allows them to control how computer messages and connections are routed. For example, if they change the address mapping for the web router over to a device they control and monitor, then the user’s computer now trusts the device controlled by the criminal even if they reroute all traffic out through the router.

This allows the criminal to monitor all traffic, data and credentials that are shared by the user. This information is then exploited to learn more about their target and remove funds from the user company account at a time most conducive to delayed discovery.

Current defences: User security training/position of alert; use of encrypted web sites; avoidance of free, public Wi-Fi; system component change monitoring; using various security services offered by your banks; banks using website extinguishing services to rapidly remove any attacker’s website.

Adaptive defences

Defending against adaptive threats begins with a security mindset and continues through training and process controls. Here are some common elements:

• Payment security specific training
• Developing the mindset of cyber security
• Maintaining scepticism that is hyper-alert to any anomalies
• Connecting via your own data services and not public Wi-Fi
• Use of appropriate services (connecting only to digitally secure sites; multi-factor authentication; VPN)
• Having a documented response plan in case company credentials are compromised through MITM

---

CTMfile take: October is Cyber-Security Awareness Month. Use this time to further strengthen your defences: human, network, processes.