
What Is A Man In The Middle (MITM) Attack?

Daren Low
April 23, 2024


Did you know there’s a type of cyberattack that allows hackers to read and alter your chats with others without you even being aware of it?


This type of cyberattack is called a “Man In The Middle Attack” (or MITM attack), and is estimated to account for over 35% of all cyberattacks that exploit cyber vulnerabilities, according to IBM’s X-Force Threat Intelligence Index.


In the rest of this article, we’ll look at MITM attacks in detail.



Let’s begin!


What Is a Man in the Middle (MITM) Attack?




A MITM (man-in-the-middle) attack is precisely what it sounds like.


It is a kind of cyberattack where hackers intercept communication or data transfer between two parties who believe they are communicating with each other privately and directly, enabling hackers to eavesdrop on their victims’ conversations and data exchange.


Additionally, MITM attacks let hackers control their victims’ conversations, meaning the attacker can access their credit card numbers, bank information, chats, and other login credentials.


MITM hackers can then use this information to blackmail their victims, transfer illegal funds through their accounts, or even conduct identity theft.


The worst part is that MITM attacks happen in real time, and due to their discreet nature, victims usually don’t realize they’ve been hacked until it’s too late (that is, if they ever find out about it).


This is why MITM attacks are no joke. You should know what they are, how they can harm you, how they work, and how to prevent them from happening.


The following section will look closely at how MITM attacks work. This way, you will better understand what is at stake.



How Do MITM Attacks Work?


Perhaps the best way to understand how MITM attacks work is through the analogy of postal mail.


Suppose you send a letter to a friend of yours by postal mail. Normally, this would work because the postal service would take your letter and ship it to the specified destination without looking at what’s in it.


But suppose the mailman delivering the letter to your friend opens it and reads what you’ve said to your friend.



MITM attacks are analogous to mailmen peeping into your parcels before you receive them.


After this, suppose the mailman neatly seals your letter again and delivers it to your friend. How would you ever find out about this? You probably won’t, and that’s exactly what makes MITM attacks so hard to catch.


Of course, this isn’t a perfect analogy. But it does help give us a sense of what these types of attacks entail.



Phases of MITM Attacks




Now, let’s dissect MITM attacks and examine their two distinct phases: interception and decryption.


In the interception phase, the hacker comes in the “middle” of a secure, private connection and gains access to the victim’s data.


Once hackers access victims’ data, they move to the second phase of MITM attacks, decryption, where hackers decode the information they intercepted about their victims.


1. Interception


Interception is the first phase of a MITM attack, and it is precisely how it sounds. The hacker comes in between or “intercepts” what was supposed to be a private communication channel between two parties.


At this stage, the hacker uses a fake network to stop messages from directly reaching the intended recipient. The most common way these fake networks are created is through free Wi-Fi hotspots that the hacker intentionally enables in proximity to the victim.


Since the victims’ messages and data reach the hacker before they reach the intended recipient, it is fitting that this type of hacking is called a “man in the middle” attack.


So, what happens once the attacker intercepts communication between the victim parties? Well, they can take the attack forward in three distinct directions which include the following:


  1. IP Spoofing
    Your device’s IP address is how it is identified over the internet.
    IP spoofing (not to be confused with email spoofing) is when hackers get a hold of your IP address, modify it slightly, then send queries on the internet impersonating your device.
    This allows hackers to use your device as a “zombie device” for DDoS attacks or to pass authentication processes to access sensitive information.
    Additionally, IP spoofing can also involve hackers altering the source IP address of a website you’re trying to reach. This means that the website you will be directed to will be a fake or “dummy” website of the hacker.
    If you unknowingly end up filling in your information on that site (i.e., your credit card details), these credentials will be handed over to the hacker instead — leaving you open to a lot of harm.
  2. ARP Spoofing
    ARP or Address Resolution Protocol Spoofing is a type of MITM attack where hackers send false ARP messages over a LAN (or local area network). When this happens, the hacker’s MAC (or media access control) address gets connected to the victim’s IP address.
    After this, the hacker can intercept any data sent to their victim’s device — meaning that all of your private information, including your login credentials and credit card info, will be sent to the hacker.
  3. DNS Spoofing (Domain Name System)
    In this sort of MITM attack, hackers tweak domain names to redirect victims to fake or “dummy” websites.
    These websites look pretty authentic, so most victims don’t even realize that they’ve been redirected to a site run by cybercriminals. So, they end up trusting the website and entering their sensitive information on it.


Of course, this information ends up falling straight into the lap of cybercriminals who intend to misuse your information.
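
The ARP spoofing described above leaves a trace on the victim's own machine: the attacker's MAC address appears against more than one IP address, usually including the gateway. The Python check below is an added example, not part of the original article; the sample `ip neigh show` output, the addresses, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Linux `ip neigh show` output (not from a real network).
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr de:ad:be:ef:00:66 REACHABLE
192.168.1.23 dev wlan0 lladdr 3c:22:fb:10:aa:01 STALE
192.168.1.66 dev wlan0 lladdr de:ad:be:ef:00:66 REACHABLE
192.168.1.40 dev wlan0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)

def parse_neigh(text):
    """Return {ip: mac} for IPv4 entries that have a resolved MAC address."""
    table = {}
    for line in text.splitlines():
        match = NEIGH_RE.match(line.strip())
        if match:
            table[match.group("ip")] = match.group("mac").lower()
    return table

def find_arp_anomalies(table, gateway_ip, known_gateway_mac=None):
    """Flag the traces ARP spoofing leaves in a neighbour table."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    # One MAC answering for several IPs: the attacker's MAC bound to a victim IP.
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("shared_mac", mac, sorted(ips)))
    # Gateway MAC differs from the value recorded on a trusted connection.
    current = table.get(gateway_ip)
    if known_gateway_mac and current and current != known_gateway_mac.lower():
        findings.append(("gateway_mac_changed", current, [gateway_ip]))
    return findings

if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_neigh(SAMPLE_NEIGH), "192.168.1.1",
                                      known_gateway_mac="a4:91:b1:00:00:01"):
        print(finding)
```

A shared MAC can be legitimate (a router that holds several addresses, for instance), so treat a finding as a prompt to investigate rather than as proof.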


2. Decryption


When hackers gain access to their victims’ data in the interception phase, the data is encrypted — meaning hackers can’t benefit from it until they first decrypt it.


This is where the decryption phase of MITM attacks comes in. As the name implies, this is where hackers decrypt the encrypted data they’ve collected about their victims so that they can use it to their benefit.


There are three major ways hackers decrypt victims’ data. These are:


  • HTTPS Spoofing
    HTTPS Spoofing is a form of decryption attack where hackers dress an unsafe website to make it look safe (i.e., protected through encryption).
    When victims open a secure website, HTTPS spoofing redirects their secure browser session to an unsecured (HTTP) website. Since HTTP websites are not secured, hackers can more easily access any data victims share on the unsecured site.
  • SSL Hijacking
    When you visit a web application, a cookie is temporarily set up in your browser that helps the webserver remember your login status.
    In SSL Hijacking attacks, hackers basically try to gain access to your sessions by using your session ID.
    Where do they get this information from? Well, there are several ways hackers can find this out, but the most common is by making you click a malicious link containing a pre-set session ID.
  • SSL Stripping
    This decryption attack switches the victim’s connection from the secured HTTPS site to an unsecured HTTP version.
    Since HTTP versions of websites aren’t encrypted, hackers easily intercept and decrypt any information victims share with the unsecured website.
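
The HTTPS-to-HTTP downgrade behind HTTPS spoofing and SSL stripping can be checked for in a recorded redirect chain. The Python audit below is an added example, not part of the original article; the chains, the shop.example host, and the function names are constructed, and the HSTS check (the Strict-Transport-Security response header, which tells browsers to refuse plain HTTP for a site) is a countermeasure the article itself does not cover.

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect chains as a client would record them:
# (requested URL, status code, response headers). shop.example is a placeholder.
DOWNGRADED = [
    ("https://shop.example/login", 302, {"Location": "http://shop.example/login"}),
    ("http://shop.example/login", 200, {"Content-Type": "text/html"}),
]
HEALTHY = [
    ("http://shop.example/login", 301, {"Location": "https://shop.example/login"}),
    ("https://shop.example/login", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]

def header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    return next((v for k, v in headers.items() if k.lower() == name), None)

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if absent or malformed."""
    value = header(headers, "strict-transport-security")
    for directive in (value or "").split(";"):
        key, _, arg = directive.strip().partition("=")
        if key.lower() == "max-age" and arg.strip('"').isdecimal():
            return int(arg.strip('"'))
    return None

def audit_chain(hops):
    """Return findings for one recorded redirect chain."""
    findings = []
    for url, status, headers in hops:
        scheme = urlsplit(url).scheme
        location = header(headers, "location")
        if 300 <= status < 400 and location:
            # Resolve relative redirects before comparing schemes.
            if scheme == "https" and urlsplit(urljoin(url, location)).scheme == "http":
                findings.append(f"downgrade: {url} -> {location}")
        # max-age=0 switches HSTS off, so it is reported like a missing header.
        if scheme == "https" and 200 <= status < 300 and not hsts_max_age(headers):
            findings.append(f"no HSTS: {url}")
    final_url = hops[-1][0]
    if urlsplit(final_url).scheme != "https":
        findings.append(f"final page is plaintext: {final_url}")
    return findings
```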



Signs of a MITM Attack


MITM attacks are hard to detect, but this doesn’t mean you can’t do anything to identify these attacks and consequently take protective or preventative measures against them.


Here are some signs you should look out for to detect MITM attacks:


  1. There is a lot of unexplained latency (or delay) while opening sites and sending or receiving messages — especially if you’re connected to a free Wi-Fi hotspot with a weird name.
  2. The website URL seems altered or fake. For example, instead of “,” the URL you see on top reads “
  3. You randomly get disconnected from your sessions while using web applications.
  4. Your website URL starts with “HTTP” and not “HTTPS.”


If any or all of these signs show up at once, especially after you are connected to a free Wi-Fi hotspot nearby, it indicates a MITM attack.



How Do You Prevent MITM Attacks?


Now, let’s talk about how you can potentially protect yourself and your data against MITM attacks.


  1. Don’t join free Wi-Fi hotspots
    As mentioned earlier, MITM attackers often set up free Wi-Fi hotspots in proximity to their victims. When victims start using the Wi-Fi to browse the internet, hackers are able to view all of their activity.
  2. Subscribe to a VPN service
    If you find yourself using public Wi-Fi, make sure you enable your VPN service before you browse the internet. VPNs encrypt your browser activity and make it unreadable to hackers. Read more about how to use a VPN with public Wi-Fi.
  3. Use multi-factor authentication for all your sensitive logins
    This is important because even if hackers get a hold of your login credentials, they won’t be able to access your sensitive accounts.
  4. Keep unique passwords for each login
    If you keep the same password for each login, hackers will be able to access all of your accounts by simply getting a hold of one of your passwords. You might want to consider getting a password manager.
  5. Get anti-malware software
    Anti-malware software will help you detect malicious links.



How Do VPNs Protect You Against MITM Attacks?


Arming yourself with one of the best VPNs is one of the best defenses you have against MITM attacks.


This is because they encrypt your data online — meaning hackers aren’t able to read it. As VPNs secure the traffic between your device and the internet, this can help prevent hackers or ISPs from conducting any targeted attacks against you.


That said, if a collective (or indiscriminate) attack were to be conducted, your data would still be vulnerable. Still, VPNs are one of your best bets against MITM attacks, and they’re definitely worth checking out if you’d like to up your online security.





MITM Attacks Are Hard To Detect But VPNs Can Help


MITM attacks allow hackers to intercept and decipher their victims’ communication or data transfer with other parties. Such an attack allows them to gain access to victims’ sensitive data and hijack their communication.


While MITM attacks largely go undetected, you can detect a MITM attack by looking out for any irregularities in your browsing experience after joining a free Wi-Fi hotspot.


If you do end up falling victim to a MITM attack, keep in mind that the best way to protect yourself against a MITM attack is by using a VPN service, staying away from free public Wi-Fi, and using anti-malware software.