What is an Adversary-in-the-Middle phishing attack?


Phishing attacks are now incredibly common. This method of cybercrime can be very effective at stealing data and, at the basic level, does not require a huge amount of work. But phishing also comes in many forms, one of which is the Adversary-in-the-Middle attack. So what are Adversary-in-the-Middle phishing attacks, and how can you avoid them?

What are Adversary-in-the-Middle attacks?

An Adversary-in-the-Middle (AiTM) phishing attack involves stealing session cookies to steal private data and even bypass authentication layers.

You have probably heard of cookies before. Today, most sites you visit will ask your permission to use cookies to better personalize your online experience. In short, cookies track your online activity to understand your habits. They are small text files that your browser sends back to the website's server each time you open a new page, which gives certain parties the ability to monitor your activity.

There are many types of cookies. Some are necessary, some are not. AiTM attacks concern session cookies. These are cookies that temporarily store user data during a web session. These cookies are immediately lost as soon as you close your browser.

As is always the case with phishing, an AiTM phishing attack begins with the attacker communicating with the target, usually via email. These scams also use malicious websites to steal data.

AiTM attacks have been a particularly pressing issue for Microsoft 365 users, with attackers contacting targets and asking them to log into their 365 accounts. The malicious actor impersonates an official Microsoft address in this scam, which is also typical of phishing attacks.

The goal here is not just to steal login credentials, but to bypass the victim’s Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) layer. These are security features used to verify an account login by requesting authorization from a separate device or account, such as your smartphone or email address.

The cybercriminal also uses a proxy server that hosts the fake 365 login page and relays the victim's input to Microsoft. This proxy allows the attacker to capture both the victim's login information and the session cookie. When the victim enters their login details on the malicious site and completes the sign-in, the attacker steals the resulting session cookie and presents it as if they were the authenticated user. This gives the attacker the ability to bypass the victim's 2FA or MFA check, giving them direct access to the account.

How to protect against AiTM phishing attacks

Although an AiTM phishing attack differs from a typical phishing attack, you can still use the same practices to avoid the former as the latter. It starts with the links in your emails.

If you receive an email from a supposedly trusted sender stating that you need to use the provided link to log in to one of your online accounts, be careful. This is a classic phishing trick that can be easily missed, especially if the attacker uses persuasive or urgent language to convince you to log into an account as soon as possible.

So, if you receive an email containing any type of link, make sure to pass it through a link-checking website before clicking. Also, if the email says you need to sign in to an account, navigate to the sign-in page yourself in your browser and go to your account from there. This way, you can see whether there is anything you need to fix on your account without clicking on any link provided.

You should also avoid opening attachments sent to you from an unknown address, even if the sender claims to be someone you trust. Malicious attachments can also be used in AiTM phishing attacks, so be careful what you open.

In short, if there’s no real need to open the attachment, leave it alone.

If, on the other hand, you think you need to open the attachment, do a few quick checks before doing so. You should examine the file type of the attachment to determine whether it should be considered suspicious. For example, .pdf, .doc, .zip, and .xls files are known to be used in malicious attachments, so be careful if a given attachment is one of these file types.

In addition to that, check the context of the email. If the sender claims that the attachment contains a document, such as a bank statement, but the file has an .mp3 extension, you are probably dealing with a misleading and potentially dangerous attachment, since an MP3 file would not be used for a document.

Look at the sender address of any suspicious emails you receive. Of course, every email address is unique, so an attacker cannot use an official company email address to communicate with you unless it has been hacked. In the case of phishing, scammers often use email addresses that somewhat resemble an organization’s official address.

For example, if you receive an email from someone claiming to be Microsoft, but notice that the address says “micr0s0ft” instead of “Microsoft”, you are dealing with a phishing scam. Criminals will also add an extra letter or number to an email address so that it looks very similar, but not identical, to the legitimate address.

You can even tell if a link is suspicious by looking at it. Malicious sites often contain links that seem unusual. For example, if an email says the link provided will take you to a Microsoft sign-in page, but the URL says it’s a completely different website, avoid it. Verifying the website’s domain can be particularly helpful in preventing phishing.
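The three manual checks above (attachment extension versus what the text claims, look-alike sender addresses with digit swaps or one extra character, and links whose real domain is not the one named in the email) can be turned into simple automated heuristics. The script below is an added example, not code from the original article; the sample message, the expected domain and the document keyword list are constructed assumptions.

```python
import os
from urllib.parse import urlparse

# Constructed sample message (not from the original page): a digit-swapped sender
# domain, a link whose real domain hides behind a Microsoft-looking prefix, and an
# attachment whose extension does not match the document the text promises.
SAMPLE_EMAIL = {
    "sender": "account-team@micr0s0ft.com",
    "expected_domain": "microsoft.com",
    "links": ["https://login.microsoft.com.secure-verify.example/signin"],
    "attachments": [("statement.mp3", "your bank statement")],
}
DIGIT_SUBS = str.maketrans("013457", "oleast")  # 0->o, 1->l, 3->e, 4->a, 5->s, 7->t
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
DOCUMENT_WORDS = ("statement", "document", "invoice", "report")  # assumed keyword list

def within_one_edit(a, b):
    """True if b is a with exactly one character added, removed or replaced
    (the tails after the first differing position must agree)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1  # skip the shared prefix
    return a[i + 1:] == b[i + 1:] or a[i:] == b[i + 1:] or a[i + 1:] == b[i:]

def sender_lookalike(sender, expected):
    """Sender domain mimics the expected domain (digit swap or one extra/changed char)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain == expected:
        return False
    return domain.translate(DIGIT_SUBS) == expected or within_one_edit(domain, expected)

def link_off_domain(url, expected):
    """True unless the link host is the expected domain or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return not (host == expected or host.endswith("." + expected))

def attachment_mismatch(filename, description):
    """The text promises a document but the extension is not a document type."""
    ext = os.path.splitext(filename)[1].lower()
    return any(w in description.lower() for w in DOCUMENT_WORDS) and ext not in DOCUMENT_EXTS

def check_email(email):
    """Run the three checks and return one finding per problem found."""
    exp, findings = email["expected_domain"], []
    if sender_lookalike(email["sender"], exp):
        findings.append("sender domain mimics " + exp)
    findings += ["off-domain link: " + u for u in email["links"] if link_off_domain(u, exp)]
    findings += ["attachment mismatch: " + f for f, d in email["attachments"]
                 if attachment_mismatch(f, d)]
    return findings
```

Note that the link check only trusts the registrable domain you name: a host that merely contains "microsoft.com" somewhere in the middle is still flagged.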

Finally, if you receive an email from a supposedly official source that is littered with spelling and grammatical errors, you are probably dealing with a scammer. Official companies usually ensure that their emails are written correctly, while cybercriminals can sometimes be sloppy in their communications. So if an email you received is written very carelessly, treat it with caution.

Be on your guard to avoid AiTM phishing attacks

Phishing is extremely widespread and is used to target both individuals and organizations, which means no one is truly safe from this threat. So, to avoid AiTM phishing attacks and phishing in general, consider the tips provided above to protect your data.

