You’ve already taken steps to protect your network and data from hackers by implementing security measures such as multi-factor authentication. But what if those security measures aren’t enough to keep threat actors at bay?
That’s exactly what’s happening with an emerging cybersecurity trend affecting businesses across different industries.
Cybercriminals have come up with new ways to infiltrate your systems to cause harm with this latest scheme, known as Adversary-in-the-Middle (AiTM) phishing.
In this article, we’ll examine the methods hackers use to deploy AiTM phishing attacks and what you can do to protect your IT environment.
With this information, you’ll ensure that you can effectively defend against these increasingly sophisticated cyber threats to help keep your business running securely and efficiently.
AiTM phishing is a variant of the better-known Man-in-the-Middle (MitM) attack, a sophisticated form of virtual eavesdropping.
With this type of cyberattack, a threat actor secretly intercepts private communication between two parties that was thought to be secure. The parties can be two people, two devices, or a user and an application, server, system, or other network.
In these sneaky cyberattacks, the bad actor sets up a fake connection between a user and the legitimate website they’re trying to access.
Once the individual enters their login username and password, the lurking attacker is able to pounce to gain unauthorized access by stealing those credentials and session cookies.
In this way, the attacker can steal or alter login passwords, personally identifiable information (PII), or even private email messages.
The unnerving part of it all is that these schemes can be carried out even if the devices, accounts, or systems are protected by multi-factor authentication (MFA) tools.
With this method, the clandestine attack is done right under the noses of the targets, without them even suspecting that an attack has happened.
Microsoft reported a 146 percent jump in AiTM attacks over the last year. This means that MFA alone isn’t a deterrent to cyber predators.
AiTM phishing attacks are carried out in three main ways: a phishing site that proxies the login and steals the session cookie, SSL stripping, and DNS spoofing.
AiTM attacks usually start out with a phishing email or text that contains a malicious link.
The user enters their login information into the AiTM phishing site, which then forwards the request to the real website using a proxy server. This prompts the legitimate website to ask for MFA credentials.
Once the individual enters this extra layer of identity verification and it gets authenticated by the legitimate website, the website generates a session cookie.
This allows the hacker to steal the session cookie and redirect all of the user’s traffic to a malicious page that looks like the real website—all without the user’s knowledge. The only visible difference between the real page and the fake one is the URL.
To cover their tracks, scammers can remove all traces of evidence by setting up a rule to divert the user's email messages. This ensures that the employee never sees the inbox replies to the initial phishing email the hacker sent out from the user's email account.
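The proxy flow and the cleanup rule described above leave two traces in ordinary audit data: a session cookie minted by an MFA-backed sign-in that is presented minutes later from a different network and browser, and an inbox rule that hides mail created shortly afterwards. The following detection logic is an added example written for this article, not code from the original page or from any vendor; the event records, field names (`asn`, `ua`, `session`, `MoveToFolder:...`) and time windows are constructed assumptions that would be mapped onto whatever your identity provider and mail platform actually log.

```python
from datetime import datetime, timedelta

# Constructed sample events in the shape of sign-in and mailbox audit logs
# (illustrative values only, not real log data).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "type": "signin", "mfa": True,
     "session": "sess-1", "ip": "203.0.113.10", "asn": "AS64500", "ua": "Chrome/124"},
    # the same session cookie presented four minutes later from another network and browser
    {"ts": "2024-05-01T09:04:00", "user": "alice", "type": "session_use",
     "session": "sess-1", "ip": "198.51.100.7", "asn": "AS64510", "ua": "Chrome/123"},
    # a cleanup rule that hides replies to the phishing mail sent from the mailbox
    {"ts": "2024-05-01T09:06:00", "user": "alice", "type": "inbox_rule_created",
     "rule": {"name": ".", "actions": ["MoveToFolder:RSS Subscriptions", "MarkAsRead"]}},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "type": "signin", "mfa": True,
     "session": "sess-2", "ip": "203.0.113.11", "asn": "AS64500", "ua": "Firefox/125"},
    {"ts": "2024-05-01T10:30:00", "user": "bob", "type": "session_use",
     "session": "sess-2", "ip": "203.0.113.11", "asn": "AS64500", "ua": "Firefox/125"},
    # a benign rule with no preceding replay
    {"ts": "2024-05-01T11:00:00", "user": "bob", "type": "inbox_rule_created",
     "rule": {"name": "Newsletters", "actions": ["MoveToFolder:Newsletters"]}},
]

REPLAY_WINDOW = timedelta(minutes=30)   # how soon after minting a cookie a network change is suspicious
RULE_WINDOW = timedelta(hours=1)        # how soon after a replay a mail-hiding rule is correlated
HIDING_ACTIONS = ("Delete", "MoveToFolder:Deleted Items",
                  "MoveToFolder:RSS Subscriptions", "MoveToFolder:Archive")


def _when(ev):
    return datetime.fromisoformat(ev["ts"])


def detect(events):
    """Return alerts for session-cookie replay and for mailbox cleanup rules that follow one."""
    alerts = []
    minted = {}        # session id -> the MFA sign-in event that created it
    last_replay = {}   # user -> time of their most recent replay alert
    for ev in sorted(events, key=_when):
        if ev["type"] == "signin" and ev.get("mfa"):
            minted[ev["session"]] = ev
        elif ev["type"] == "session_use":
            first = minted.get(ev["session"])
            if first is None:
                continue
            # a stolen cookie is used from the attacker's infrastructure, so network and
            # browser fingerprint differ from the sign-in that produced it
            changed = [k for k in ("asn", "ua") if ev[k] != first[k]]
            if changed and _when(ev) - _when(first) <= REPLAY_WINDOW:
                alerts.append({"kind": "session_replay", "user": ev["user"],
                               "session": ev["session"], "changed": changed,
                               "minted_from": first["ip"], "replayed_from": ev["ip"]})
                last_replay[ev["user"]] = _when(ev)
        elif ev["type"] == "inbox_rule_created":
            hides_mail = any(a.startswith(HIDING_ACTIONS) for a in ev["rule"]["actions"])
            replay_at = last_replay.get(ev["user"])
            if hides_mail and replay_at is not None and _when(ev) - replay_at <= RULE_WINDOW:
                alerts.append({"kind": "cleanup_rule_after_replay", "user": ev["user"],
                               "rule": ev["rule"]["name"], "actions": ev["rule"]["actions"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run against the constructed events, this raises two alerts for alice (the replayed cookie, then the hiding rule two minutes later) and none for bob, whose session stays on the same network and whose rule is ordinary. In production the session-replay rule is the higher-value signal, because it fires before any mail is touched; the rule correlation mainly helps an analyst confirm that the replay was an AiTM compromise rather than a VPN change.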
Secure Sockets Layer (SSL) and its successor TLS encrypt internet communications. In this attack, known as SSL stripping, the attacker quietly forces the user onto an unencrypted HTTP connection instead of the secure HTTPS connection they thought they were using.
Instead of following an encrypted link, the user's browser is tricked into sending the web traffic over the unsecured connection.
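The defense against the downgrade described above is HTTP Strict Transport Security (HSTS), which tells a browser that has seen the policy to refuse plain HTTP for that host for as long as `max-age` runs. The check below is an added example for this article, not code from the original page; it grades a site's `Strict-Transport-Security` header against the usual bar (one year, `includeSubDomains`, `preload`). The header sets it runs on are constructed, not captured from any real site.

```python
ONE_YEAR = 31536000  # seconds; the minimum max-age most guidance and the browser preload list expect

# Constructed response header sets (not captured from any real site).
NO_HSTS = {"Content-Type": "text/html"}
WEAK_HSTS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
STRONG_HSTS = {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}


def parse_hsts(value):
    """Split an HSTS header value into a map of lowercase directive name -> value."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def assess_hsts(headers):
    """Grade an HTTPS response's HSTS policy as 'none', 'partial' or 'strong', with findings."""
    # header names are case-insensitive, so match on a lowercase comparison
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return {"level": "none", "max_age": 0, "findings": [
            "no Strict-Transport-Security header: a browser will follow a plain "
            "http:// link or redirect for this host"]}
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    findings = []
    if max_age <= 0:
        findings.append("max-age is missing or zero, which disables the policy")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age of {max_age}s is below one year; "
                        "protection lapses between infrequent visits")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains is absent; subdomains can still be reached over http")
    if "preload" not in directives:
        findings.append("preload is absent; the very first visit is unprotected "
                        "until the browser has seen the header once")
    if max_age <= 0:
        level = "none"
    elif findings:
        level = "partial"
    else:
        level = "strong"
    return {"level": level, "max_age": max_age, "findings": findings}


if __name__ == "__main__":
    for name, hdrs in (("no header", NO_HSTS), ("weak", WEAK_HSTS), ("strong", STRONG_HSTS)):
        print(name, assess_hsts(hdrs))
```

The `preload` finding is the one that matters most for this attack class: without preloading, HSTS only protects a browser that has already visited the site over HTTPS, so a first visit (or a fresh device) can still be stripped.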
DNS spoofing, also known as DNS cache poisoning, corrupts the domain name system (DNS) lookups the user's device relies on.
DNS translates user-friendly domain names like Microsoft.com into numerical IP addresses, allowing users to easily access websites and other online resources.
With this attack method, hackers replace the website's real IP address with a fake one in the DNS cache. This causes the user to be redirected to the spoofed page without knowing it.
In multiple attacks, cybercriminals have been able to bypass traditional MFA controls to gain unauthorized access.
For instance, these AiTM scams typically started off as a business email compromise (BEC), smishing (SMS phishing), or other type of phishing attack.
Hackers were able to gain network access once the user clicked the malicious link within the email or downloaded an infected file attachment, effectively bypassing two-factor authentication (2FA) or MFA.
This gave the virtual adversaries free rein to snoop through emails and files in search of company financial information.
With the stolen credentials and email access, they also impersonated employees from external partners to communicate with the original target, then cleverly covered their tracks by redirecting email responses to the trash bin and deleting them.
In this way, they were able to keep the fraud going without raising suspicion.
Since September 2021, more than 10,000 organizations have been targeted using various AiTM phishing sites to steal user passwords and hijack their sign-in sessions, according to Microsoft Threat Intelligence.
By obtaining a user’s session cookie, these sneak attacks have proven an effective workaround to devices, applications, or systems protected by certain MFA methods such as a one-time SMS code or link sent via text or email.
Arguably the most effective tool to prevent AiTM phishing attacks is requiring regular employee security awareness training.
Since upwards of 90 percent of phishing attacks stem from human error, providing ongoing staff cybersecurity education is critical to protect your business and minimize risk.
Such training is critical to establishing a companywide culture of cybersecurity. This helps promote employee buy-in of the policies and procedures you’ve implemented to mitigate cyberattacks.
Another powerful defense against AiTM phishing attacks is passkeys.
That’s because these passwordless security tools use what’s known as a cryptographic pair to encrypt and decrypt your communication.
With passkeys, a user can only gain entry if both parts of the cryptographic pair match up during authentication, usually after the user enters a PIN or provides biometric information to unlock the passkey.
This makes it much more difficult for bad actors to steal your passwords or attempt to replicate the authentication process to gain unfettered access to your network.
These digital credentials can use software stored on your device’s operating system or the cloud.
Or, they can come in the form of a small, physical security key, which often resembles a USB token or fob.
Since security keys require the user to have the portable device in hand to complete authentication, this tool makes it virtually impossible for an employee's login credentials to be stolen.
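What makes passkeys resistant to the proxy attack described earlier is origin binding: the browser only lets a page use a passkey whose relying-party ID matches the page's own domain, and the data the authenticator signs includes the origin the request came from, so the legitimate site can reject anything that passed through a look-alike domain. The simulation below is an added example written for this article, not code from the original page or from any passkey vendor. The relying party `login.example.com`, the proxy domain `login-example.com` and the challenge format are constructed assumptions, and the credential's private key is modelled with an HMAC secret so the example runs with the standard library only; a real authenticator signs with a private key and the site verifies with the public key it registered, but the origin and RP-ID checks shown here are the same.

```python
import hashlib
import hmac
import json
import os

# Hypothetical relying party (RP) and proxy domain; both names are assumptions.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login-example.com"   # constructed look-alike domain for an AiTM proxy


def browser_allows(rp_id, origin):
    """Browser rule: the RP ID must equal the page host or be a suffix of it, and the page must be https."""
    scheme, _, rest = origin.partition("://")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return scheme == "https" and (host == rp_id or host.endswith("." + rp_id))


class Authenticator:
    """Stand-in for a passkey. The credential key is modelled with an HMAC secret (assumption);
    a real authenticator uses a per-credential private key and the RP keeps the public key."""

    def __init__(self):
        self.secret = os.urandom(32)

    def get_assertion(self, rp_id, origin, challenge):
        if not browser_allows(rp_id, origin):
            raise PermissionError(f"{origin} may not use credentials for RP ID {rp_id}")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05"   # rpIdHash + flags (UP, UV)
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data,
                "signature": hmac.new(self.secret, to_sign, hashlib.sha256).digest()}


class RelyingParty:
    def __init__(self, rp_id, origin, registered_secret):
        self.rp_id, self.origin, self.secret = rp_id, origin, registered_secret
        self.outstanding = set()   # challenges issued but not yet consumed

    def new_challenge(self):
        challenge = os.urandom(16).hex()
        self.outstanding.add(challenge)
        return challenge

    def verify(self, assertion):
        client = json.loads(assertion["clientDataJSON"])
        if client.get("type") != "webauthn.get" or client.get("challenge") not in self.outstanding:
            return False
        if client.get("origin") != self.origin:      # origin binding: a proxied page fails here
            return False
        self.outstanding.discard(client["challenge"])   # each challenge is single-use
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.secret, to_sign, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def legitimate_login(auth, rp):
    return rp.verify(auth.get_assertion(RP_ID, RP_ORIGIN, rp.new_challenge()))


def relayed_login(auth, rp):
    """A proxy forwards the real RP's challenge to the user's browser on the proxy's own domain."""
    challenge = rp.new_challenge()
    try:
        assertion = auth.get_assertion(RP_ID, PROXY_ORIGIN, challenge)
    except PermissionError:
        return "blocked_by_browser"      # the browser will not use the passkey from that origin
    return "accepted" if rp.verify(assertion) else "rejected_by_rp"


def relayed_login_own_rp_id(auth, rp):
    """If the proxy page names its own domain as RP ID the browser cooperates, but the signed origin
    and rpIdHash no longer match the real site, so the RP rejects the forwarded assertion.
    (A real authenticator would not even hold a credential for that RP ID.)"""
    assertion = auth.get_assertion("login-example.com", PROXY_ORIGIN, rp.new_challenge())
    return "accepted" if rp.verify(assertion) else "rejected_by_rp"


def demo():
    auth = Authenticator()
    rp = RelyingParty(RP_ID, RP_ORIGIN, auth.secret)   # models registration of the credential
    return {"legitimate": legitimate_login(auth, rp),
            "relayed_real_rp_id": relayed_login(auth, rp),
            "relayed_own_rp_id": relayed_login_own_rp_id(auth, rp)}


if __name__ == "__main__":
    print(demo())
```

Contrast this with the one-time codes the article mentions: a six-digit SMS code carries no information about where it was typed, so the proxy can forward it unchanged and the real site has no way to tell. The passkey assertion carries the origin inside the signed data, which is exactly what the proxy cannot rewrite.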
Having read this article, you now have a more thorough understanding of this growing cybersecurity threat.
The rising trend in AiTM phishing sites that target multi-factor authentication is one to take seriously.
Hackers now have more resources than ever at their disposal. They’re using advanced technology, including artificial intelligence (AI). In addition, they're often part of organized cybercrime networks, such as ransomware gangs, to help them carry out their attacks.
As the level of sophistication in these cyber incidents increases, it’s critical that you have robust physical and virtual security controls, along with a comprehensive incident response plan, to strengthen your organization's security defenses.
By doing so, you greatly reduce the risk of a cyber incident such as malware, ransomware, or data breach being used by hackers for financial gain.
We write articles like this to help save busy small and medium-sized business owners like you time by providing useful information about important technology-related topics to help you make the best IT decisions for your organization.