Recently, we warned on our social networks about the increased risk of AiTM attacks via phishing kits. What does the acronym stand for and how do you defend against this type of attack?
Adversary-in-the-Middle (AiTM) is a variant of the Man-in-the-Middle (MITM) attack: the attacker fraudulently slips between a user and another party (such as an application or website the user is about to visit). This lets the attacker monitor, or even alter, the victim’s online activity and collect information that can later be exploited.
The dangerous part is that the attacker does not interfere in any noticeable way, so you may not spot anything suspicious at first glance. The fraudulent activity happens right under your hands, in the layers that connect you to your target on the Internet.
For example, an attacker creates a fake Wi-Fi hotspot and you connect to it thinking it’s your cafe’s Wi-Fi. Or the attacker redirects the communication between two points through a system under their control. In the case of an AiTM phishing attack, they send you a link to a fake login page where you unwittingly hand over your details, before being “let through” to your real account. Such phishing kits have even become an item of commerce – criminals offer them to interested parties as ready-made packages.
The paths are different, but you as the user on the outside still see the usual sites or apps and are at ease. Unfortunately, only until the consequences become apparent.
What is the risk of an AiTM/MITM attack?
Identity theft and financial fraud. The attacker obtains enough information to impersonate the victim to gain access to accounts and funds.
Espionage. Monitoring communications between two parties will reveal sensitive information such as trade secrets, strategies and other confidential information.
Malware spread. The attack can also serve to infect the compromised device with malware, which in turn facilitates data theft, remote control of the device, etc.
How to recognize an AiTM/MITM attack?
It’s not easy. After all, the attacker does everything possible to stay unnoticed in the background. Still, there are some signs that may indicate something is going on:
Unpredictable network behavior. You suddenly start experiencing network connectivity issues, data transfer slows down, or you notice other data transfer irregularities.
Error messages. Unusual error messages suddenly appear when you access websites or communicate with the server.
Invalid certificates. Your web browser warns of invalid certificates when accessing secure sites.
Unusual network activity. High packet counts or attempts to connect to unknown servers indicate that an attack may be in progress.
Antivirus warnings. If your antivirus program reports anything suspicious, beware.
These symptoms do not necessarily mean that this is an AiTM attack. However, it is definitely a good idea to investigate further in such a case and make sure that you have not fallen victim to this type of attack.
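Two of the signs listed above, connections to unknown servers and unusually high connection counts, can be checked mechanically in proxy or firewall logs. The following script is an added example written for this article, not code from the original post: it scans a handful of constructed log lines for destinations outside an assumed allowlist, for lookalikes of an assumed corporate domain (`example.test`), and for clients opening more than an assumed threshold of connections in one minute. Log format, domain names, brand tokens and the threshold are all assumptions.

```python
"""Scan constructed proxy log lines for AiTM warning signs: unknown destinations,
lookalikes of the corporate login domain, and connection bursts from one client.
All domain names, thresholds and log lines below are constructed for the example."""
import re
from collections import Counter

CORP_DOMAIN = "example.test"                          # assumed corporate domain
BRAND_TOKENS = {"example", "exampie"}                 # lowercased; "exampie" covers an I-for-l homoglyph
KNOWN_DESTINATIONS = {                                # assumed allowlist of legitimate login endpoints
    "login.example.test", "mail.example.test", "sso.vendor-idp.test",
}
BURST_THRESHOLD = 20                                  # assumed: connections per client IP per minute

# Constructed log lines: time  client_ip  user  dest_host  dest_port  status
SAMPLE_LOG = "\n".join(
    [
        "2024-05-02T09:00:01 10.1.2.3 alice login.example.test 443 200",
        "2024-05-02T09:00:04 10.1.2.3 alice login-example.evil.test 443 200",
        "2024-05-02T09:00:05 10.1.2.3 alice exampIe-login.test 443 200",
        "2024-05-02T09:00:07 10.1.2.9 bob mail.example.test 443 200",
    ]
    + [f"2024-05-02T09:01:{i:02d} 10.1.2.7 carol cdn-{i % 3}.unknown.test 443 200"
       for i in range(25)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<host>\S+) (?P<port>\d+) (?P<status>\d+)$"
)


def parse_log(text: str) -> list[dict]:
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := LINE_RE.match(line))]


def under_corp_domain(host: str) -> bool:
    return host == CORP_DOMAIN or host.endswith("." + CORP_DOMAIN)


def is_lookalike(host: str) -> bool:
    """True when a hostname outside the corporate domain reuses a brand token."""
    host = host.lower()
    if under_corp_domain(host):
        return False
    labels = set(host.replace("-", ".").split("."))   # treat '-' like a label boundary
    return bool(labels & BRAND_TOKENS)


def analyze(text: str) -> list[dict]:
    events = parse_log(text)
    findings: list[dict] = []
    seen_unknown: set[str] = set()
    for ev in events:
        host = ev["host"].lower()
        if is_lookalike(host):
            findings.append({"kind": "lookalike_domain", "user": ev["user"], "host": host})
        # Report each unknown destination once, not once per connection.
        if host not in KNOWN_DESTINATIONS and not under_corp_domain(host) \
                and host not in seen_unknown:
            seen_unknown.add(host)
            findings.append({"kind": "unknown_destination", "user": ev["user"], "host": host})
    # Burst check: count connections per (client IP, minute); ts[:16] is YYYY-MM-DDTHH:MM.
    per_minute = Counter((ev["ip"], ev["ts"][:16]) for ev in events)
    for (ip, minute), n in per_minute.items():
        if n > BURST_THRESHOLD:
            findings.append({"kind": "connection_burst", "ip": ip, "minute": minute, "count": n})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this reports two lookalike logins (the victim was sent to `login-example.evil.test` and a homoglyph host), five destinations outside the allowlist, and one client that opened 25 connections in a minute. A real deployment would feed it the organisation’s own proxy export and tune the allowlist and threshold; the point is that the signs the article lists are things a log review can surface before the consequences become apparent.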
And how to prevent such an attack?
Often, a criminal inserts themselves into someone else’s communications by way of a phishing email. Therefore: be very careful what you click on and where you enter your login details. It doesn’t hurt to train your employees regularly and remind them of the policy every now and then.
Robust, phishing-resistant multi-factor authentication, for example using biometrics or FIDO security keys, is important.
Of course, a well-secured network, regular software updates to the latest versions and a suitably chosen VPN are essential. You can also restrict connections to the corporate network from outside.
Avoid unsecured websites (those not served over HTTPS).
And take extra care when connecting to the Internet over public Wi-Fi. If it isn’t secured with at least a password, you’re better off not using it at all.
Need help with setting up and securing your network? Not sure how to balance bulletproof security and user-friendliness? Or would you like a cybersecurity audit of your company? That’s what we’re here for, give us a call.