What is a man-in-the-middle (MITM) attack?

11 June 2024

Authors

Gregg Lindemulder

Matthew Kosinski

Enterprise Technology Writer

A man-in-the-middle (MITM) attack is a cyberattack in which a hacker steals sensitive information by eavesdropping on communications between two online targets such as a user and a web application.

After stealthily placing themselves in the middle of two-party communications, MITM attackers intercept sensitive data such as credit card numbers, account information and login credentials. Hackers then use that information to commit other cybercrimes such as making unauthorized purchases, hijacking financial accounts and identity theft.

In addition to exchanges between a user and an application, an MITM attacker might also eavesdrop on private communications between two people. In this scenario, the attacker diverts and relays messages between the two people, sometimes altering or replacing messages to control the conversation.

Some organizations and cybersecurity experts are moving away from the term “man-in-the-middle” because some might consider the language potentially biased. The term might also fail to capture instances where the entity in the middle is a bot, device or malware rather than a person.

Alternative terms for this type of cyberattack include machine-in-the-middle, on-path attack, adversary-in-the-middle (AITM) and manipulator-in-the-middle.

How does a man-in-the-middle attack work?

Vulnerabilities across networks, web browsers, email accounts, user behaviors and security protocols are the starting points of MITM attacks. Cybercriminals exploit these weaknesses to insert themselves between users and trusted applications so they can control communications and intercept data in real time.

Phishing attacks are one common means of entry for MITM attackers. By clicking on a malicious link in an email, a user can unknowingly launch a man-in-the-browser attack. MITM attackers often rely on this tactic to infect a user’s web browser with malware that enables them to make covert changes to web pages, manipulate transactions and spy on the user’s activity.

Another common source of MITM attacks is public wifi hotspots. Public wifi routers have fewer security protocols than home or workplace wifi routers. This makes it easier for nearby users to connect with the network. But it also makes it easier for hackers to compromise the router so they can eavesdrop on internet traffic and collect user data.

MITM attackers sometimes create their own malicious public wifi networks to lure unsuspecting users and harvest their personal data.

MITM attackers might also create fake websites that appear legitimate but are actually collecting critical data such as login credentials. Hackers can then use those credentials to log in to user accounts on authentic websites. Or they might use the fake website to deceive users into making payments or transferring funds.

Stages of a man-in-the-middle attack

Man-in-the-middle attacks require cybercriminals to: 1) intercept the data that is passing between their two targets and 2) decrypt that information.

Interception

In order to get in the middle of two communicating targets, such as a user and a web application, an attacker must intercept the data traveling between the two. The attacker then relays that diverted information between the targets as if normal communications are underway so that victims don’t suspect a thing.

Decryption

Most internet communications today are encrypted, so any data an MITM attacker intercepts will most likely need to be decrypted before the attacker can use it. Attackers can decrypt data by stealing encryption keys, running brute-force attacks or using specialized MITM attack techniques (see next section).

Man-in-the-middle attack techniques

Attackers use a variety of techniques to intercept and decrypt data during MITM attacks. Common techniques include:

IP spoofing: Internet Protocol (IP) addresses identify online entities such as websites, devices and email addresses. MITM attackers alter or ‘spoof’ their IP addresses so it appears a user is communicating with a genuine host when they are actually connected to a malicious source.

ARP spoofing or ARP cache poisoning: The Address Resolution Protocol (ARP) maps an IP address to the correct Media Access Control (MAC) address on a local area network. By sending forged ARP messages, an attacker can bind a target’s IP address to the attacker’s own MAC address, so that traffic meant for the target flows through the attacker’s device and can be read.
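The defender’s side of this technique is spotting the poisoned binding. The following is an added example, not code from the original article: it replays a constructed list of ARP replies and alerts when an IP’s MAC changes or one MAC answers for several IPs; the addresses and timestamps are made up.

```python
"""Flag ARP cache poisoning from observed ARP replies.

Added example, not code from the original article. The reply records are
constructed here; in a real deployment they would come from a packet
capture or switch ARP logs. False positives are possible when an IP
legitimately moves (DHCP reassignment, VRRP failover), so alerts should be
correlated with those events before acting.
"""
from collections import defaultdict

# Constructed ARP replies as (timestamp, sender_ip, sender_mac).
ARP_REPLIES = [
    (1, "192.168.1.1", "aa:bb:cc:00:00:01"),   # genuine gateway announcement
    (2, "192.168.1.20", "aa:bb:cc:00:00:14"),  # an ordinary workstation
    (3, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway again, unchanged
    (4, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by a new MAC
    (5, "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims the workstation
]


def detect_arp_poisoning(replies):
    """Return alert strings for IP->MAC changes and MACs claiming several IPs.

    Two signals are tracked: an IP whose MAC binding changes mid-capture, and
    a single MAC that answers for more than one IP, which is what it looks
    like when both the gateway and a victim have been poisoned.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"t={ts}: {ip} changed from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"t={ts}: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES):
        print(alert)
```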

DNS spoofing: The Domain Name System (DNS) connects the domain names of websites to their assigned IP addresses. By changing a domain name in the DNS records, an MITM attacker can route users away from a legitimate site to a fraudulent website.

HTTPS spoofing: Hypertext Transfer Protocol Secure (HTTPS) ensures secure communications by encrypting the data that travels back and forth between a user and a website. MITM attackers will secretly route users to a standard HTTP page without encryption so they can access unprotected data.

SSL hijacking: Secure Sockets Layer (SSL) is the technology that provides authentication and encryption between a web browser and a web server using SSL certificates. MITM attackers use a fake SSL certificate to hijack this process and intercept data before it can be encrypted.

SSL stripping: This technique takes place when a website accepts incoming HTTP connections before directing that traffic to secure HTTPS connections. MITM attackers disrupt this transition process so they can access unencrypted data before it moves to a secure HTTPS connection.
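HTTPS spoofing and SSL stripping both depend on the site tolerating a plain-HTTP step. As an added example (not code from the original article), the check below takes a site’s HTTP and HTTPS responses and reports what a downgrade attacker could use: content served over HTTP, a missing redirect, or a missing or weak Strict-Transport-Security header. The response pairs are constructed and RECOMMENDED_MAX_AGE is an assumed policy threshold.

```python
"""Assess a site's exposure to SSL stripping (HTTPS downgrade).

Added example, not code from the original article. The response pairs are
constructed, standing in for fetched http:// and https:// responses.
"""

RECOMMENDED_MAX_AGE = 31536000  # one year, the usual baseline for HSTS

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives."""
    directives = {"max-age": 0, "includesubdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            directives["max-age"] = int(part.split("=", 1)[1].strip('"'))
        elif part in ("includesubdomains", "preload"):
            directives[part] = True
    return directives

def assess_stripping_exposure(http_resp, https_resp):
    """Return findings describing what an on-path attacker could exploit."""
    findings = []
    # Header names are case-insensitive, so normalise before lookup.
    http_hdrs = {k.lower(): v for k, v in http_resp["headers"].items()}
    https_hdrs = {k.lower(): v for k, v in https_resp["headers"].items()}
    status = http_resp["status"]
    location = http_hdrs.get("location", "").lower()
    if status == 200:
        findings.append("HTTP serves content directly: full downgrade possible")
    elif not (status in (301, 302, 307, 308) and location.startswith("https://")):
        findings.append("HTTP does not redirect to HTTPS")
    hsts = https_hdrs.get("strict-transport-security")
    if hsts is None:  # without HSTS the browser follows HTTP links on every visit
        findings.append("no HSTS: browser can be kept on HTTP")
    else:
        d = parse_hsts(hsts)
        if d["max-age"] < RECOMMENDED_MAX_AGE:
            findings.append(f"HSTS max-age {d['max-age']} below {RECOMMENDED_MAX_AGE}")
        if not d["includesubdomains"]:
            findings.append("HSTS lacks includeSubDomains")
    return findings

# Constructed responses: a weak deployment and a hardened one.
WEAK = ({"status": 200, "headers": {"Content-Type": "text/html"}},
        {"status": 200, "headers": {"Content-Type": "text/html"}})
HARDENED = ({"status": 301, "headers": {"Location": "https://example.com/"}},
            {"status": 200, "headers": {"Strict-Transport-Security":
                                        "max-age=63072000; includeSubDomains; preload"}})
```

Even a hardened site is exposed on a user’s very first visit unless the domain is on the browser HSTS preload list, which is what the preload directive signals.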

Common man-in-the-middle attack types 

Email hijacking

In these types of attacks, cybercriminals take control of the email accounts of a business or organization. MITM attackers often target financial institutions such as banks or credit card companies for this type of attack.

The hackers monitor communications, collect personal data and gather intelligence on transactions. In some cases, they spoof a company email address to convince customers or partners to make deposits or transfer funds into a fraudulent account.

Session hijacking

When a user’s web browser communicates with a website, it temporarily stores information in a session cookie. MITM attackers gain access to these cookies and use them to impersonate a user or steal the information that they contain, which can include passwords, credit card numbers and other account information.

Because the cookie expires when the session does, hackers must act quickly before the information goes away.
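Whether a stolen cookie is usable, and for how long, depends on the attributes the server sets on it. As an added example (not code from the original article), the audit below parses a Set-Cookie header and flags a missing Secure flag (cookie can cross plain HTTP), missing HttpOnly (readable by script a man-in-the-browser injects), a weak SameSite setting and a lifetime longer than an assumed policy maximum; both sample headers are constructed.

```python
"""Audit Set-Cookie headers for attributes that limit session hijacking.

Added example, not code from the original article. The two header values
are constructed. A cookie without Secure can travel over plain HTTP where an
on-path attacker reads it, one without HttpOnly can be read by script that a
man-in-the-browser injects, and a long lifetime widens the window in which a
stolen cookie stays usable.
"""

MAX_SESSION_SECONDS = 8 * 3600  # assumed policy: no session outlives a working day


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # flags become True
    return name.strip(), value, attrs


def audit_session_cookie(header_value):
    """Return a list of weaknesses found in one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable by injected script")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not set to Lax or Strict")
    if "max-age" in attrs:
        raw = str(attrs["max-age"])
        lifetime = int(raw) if raw.isdigit() else None
        if lifetime is None or lifetime > MAX_SESSION_SECONDS:
            findings.append(f"{name}: Max-Age {raw} exceeds {MAX_SESSION_SECONDS}s")
    return findings


# Constructed headers: a 30-day cookie with no protections, and a hardened one.
WEAK_COOKIE = "sid=c0ffee1234; Path=/; Max-Age=2592000"
HARDENED_COOKIE = ("__Host-sid=c0ffee1234; Path=/; Secure; HttpOnly; "
                   "SameSite=Strict; Max-Age=3600")
```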

Wifi eavesdropping

MITM attackers sometimes create public wifi networks and hot spots in popular public places such as airports, restaurants and city centers. The names of these fraudulent networks are often similar to nearby businesses or other trusted public wifi connections. Hackers can also compromise legitimate public wifi hot spots.

In either case, when unsuspecting users log on, the attackers collect sensitive data such as credit card numbers, usernames and passwords.

Man-in-the-middle attack examples

Equifax

In 2017, credit reporting agency Equifax was the victim of a man-in-the-middle attack due to an unpatched vulnerability in its web application framework. The attack exposed the financial information of nearly 150 million people.

At the same time, Equifax discovered security gaps in its mobile apps that could leave customers vulnerable to further MITM attacks. Equifax removed the apps from the Apple App Store and Google Play.

DigiNotar

Using fake websites to collect passwords, hackers launched a successful MITM attack against Dutch digital security authority DigiNotar in 2011.

The breach was significant because it caused DigiNotar to issue more than 500 compromised security certificates to major websites including Google, Yahoo! and Microsoft. DigiNotar was eventually removed as a security certificate provider and declared bankruptcy.

Tesla

In 2024, security researchers reported a vulnerability that could enable hackers to launch an MITM attack to unlock and steal Tesla vehicles.[1]

Using a spoofed wifi hotspot at a Tesla charging station, an attacker could harvest the account credentials of a Tesla owner. The attacker could then add a new “phone key” that unlocks and starts the vehicle without the knowledge of the vehicle owner, according to the researchers.

Preventing man-in-the-middle attacks

There are cybersecurity measures organizations and individuals can implement to protect against man-in-the-middle attacks. Experts recommend focusing on these strategies:

HTTPS: Users should only visit websites with a secure connection, indicated by “HTTPS” and a padlock icon in the browser address bar. Web pages that offer only unsecured HTTP connections should be avoided. In addition, SSL and Transport Layer Security (TLS) protocols for applications can protect against malicious web traffic and prevent spoofing attacks.

Endpoint security: Endpoints such as laptops, smartphones, workstations and servers are primary targets for MITM attackers. Endpoint security, including the latest patches and antivirus software, is critical for preventing attackers from installing malware on these devices.

Virtual private networks: A VPN provides a strong defense against MITM attacks by encrypting network traffic. Even if a breach occurs, hackers will be unable to read sensitive data such as login credentials, credit card numbers and account information.

Multifactor authentication (MFA): MFA requires an additional step beyond entering a password to access accounts, devices or network services. Even if an MITM attacker is able to obtain login credentials, multifactor authentication can help stop the attacker from taking over an account.

Encryption: Encryption is a fundamental requirement for network security and defending against MITM attacks. Strong end-to-end encryption on all network traffic and resources—including email content, DNS records, messaging applications and access points—can thwart many MITM attacks.

Public wifi networks: Users should avoid public wifi networks when performing transactions that involve sensitive data, such as when making purchases.
