F5 GLOSSARY

Man-in-the-middle (MITM) Attack

What is an MITM Attack?

An MITM attack, short for "Man-In-The-Middle" attack (in Japanese it is also called a "bucket relay attack" or "middleman attack"), is one in which an attacker intercepts the communication between two parties, steals or manipulates the exchanged information, and then passes it along to the intended recipient so that neither party notices.

One common method of conducting an MITM attack is to create a fake website that mimics a legitimate one and embed a link to it in emails or social media messages to lure users. When a user accesses the fake site, their requests are relayed to the legitimate server, and the server's responses are routed back to the user through the fake site. Another method involves setting up a device disguised as a public Wi-Fi access point and intercepting the communications that pass through it.

Although MITM attacks are a classic technique, fully defending against them is very challenging. The attacker essentially acts as a proxy: when a user accesses a website, the attacker behaves like the legitimate web server toward the browser and like the browser toward the server. Once an interception succeeds, the attacker can continue eavesdropping and manipulating the traffic without the user realizing they are under attack. Even encrypted communications are vulnerable, because the attacker can present their own certificate in place of the legitimate one; if the client accepts it, the attacker terminates the encrypted session on each side and can read and alter the plaintext.

To mitigate MITM attack risks, routers and servers must implement safeguards, but users can also take precautions, including:

  • Bookmarking important websites and accessing them via bookmarks instead of clicking on links in emails or social media.
  • Using phishing protection tools.
  • Verifying a site's authenticity through its server certificate, and applying stricter verification methods where they are available.
  • Avoiding open access points whenever possible.
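As an added illustration of the certificate checks recommended above (this is example code, not part of the F5 glossary), the Python block below contrasts a TLS client configuration that would accept an attacker's substituted certificate with one that rejects it, and adds a stricter pinning check against an expected leaf-certificate fingerprint. The host name, port and pin value in `connect_pinned` are assumptions, and the certificate bytes used for testing are constructed samples.

```python
import hashlib
import socket
import ssl

def weak_client_context():
    """Misconfiguration often seen in scripts: any certificate is trusted and
    the host name is never checked, so a substituted certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context(cafile=None):
    """Validate the chain against trusted CAs, require the host name to match
    the certificate and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_is_mitm_resistant(ctx):
    """True only when chain validation, host name checking and a modern
    minimum protocol version are all enforced."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def leaf_fingerprint(der_cert):
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert, expected_sha256_hex):
    """Stricter check: reject any certificate, even a CA-signed one, unless
    it is exactly the one the operator pinned (compared case-insensitively)."""
    return leaf_fingerprint(der_cert) == expected_sha256_hex.lower()

def connect_pinned(host, expected_sha256_hex, port=443):
    """Connect with full verification, then compare the presented leaf
    certificate to the pin. Host and pin are assumptions; needs network access."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return pin_matches(der, expected_sha256_hex)
```

With the hardened context, a certificate that the attacker substitutes fails chain or host-name validation and the connection is refused before any data is sent; the pin additionally rejects a certificate that a public CA would accept but that is not the one the operator expects.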

A recently evolved form of MITM attacks is MITB (Man-In-The-Browser) attacks, where malicious code is embedded into the user's browser, enabling actions like fraudulent money transfers.