When attackers intercept your communications
Introduction
When we browse websites, send emails, access cloud applications, or connect to corporate systems, we generally assume that our communications are private and secure. We trust that the information we send reaches its intended destination without being viewed or altered by anyone else.
However, cybercriminals and other threat actors sometimes attempt to position themselves between communicating parties in order to intercept, monitor, manipulate, or inject data into those communications.
These attacks are known as Man-in-the-Middle (MitM) and Man-on-the-Side (MotS) attacks.
Both attack types exploit weaknesses in communications and trust relationships, but they differ in how the attacker interacts with the traffic. Understanding these attacks is important because they can lead to credential theft, data breaches, malware infections, financial fraud, and espionage.
Understanding digital communications
Before discussing these types of attacks, it helps to understand how normal communications occur.
When you send a message across the Internet, there are a plethora of networks and systems your data travels through
Your device –> Your immediate network –> your ISP network –> The Internet –> the recipients ISP network –> the recipients network –> the recipients device
It seems like your message travels directly between the sender and receiver, but the reality is very different
In a secure environment:
- The message remains confidential.
- The contents are not altered.
- Both parties trust each other’s identity.
MitM and MotS attacks interfere with this process, and can occur at any part of the journey
What is a Man-in-the-Middle (MitM) attack?
A Man-in-the-Middle (MitM) attack occurs when an attacker secretly positions themselves between two communicating parties. The attacker intercepts the communication and may:
- Read the data
- Record the data
- Modify the data
- Inject malicious content
- Redirect communications
Neither party necessarily realises that a third party is involved as the attacker sits directly between both parties and acts as an intermediary relaying information between both sides.. The name comes from the attacker’s position in the communication flow. Although the term Man-in-the-Middle is being phased out in favour of Machine-in-the-Middle, or Meddler-in-the-Middle
How a MitM Attack Works
A successful MitM attack generally involves four stages.
Stage 1: Interception
The attacker gains visibility of network traffic. This may occur through:
- Rogue Wi-Fi networks
- Network compromise
- DNS manipulation
- ARP spoofing
- Malware
Stage 2: Positioning
The attacker inserts themselves into the communication path. Both parties believe they are communicating directly with each other.
Stage 3: Monitoring or Manipulation
The attacker can observe traffic, capture credentials, modify messages, and inject malicious content
Stage 4: Relay
Traffic continues flowing normally. The victim(s) may never realise their communications were intercepted.
What is a Man-on-the-Side (MotS) attack?
A Man-on-the-Side (MotS) (Machine-on-the-side) attack is similar to a MiTM attack but operates differently.
Instead of sitting directly between two parties, the attacker monitors communications and injects malicious responses without fully controlling the communication channel.
The attacker remains alongside the communication rather than directly in the middle.
The key difference between MitM and MotS
The distinction is important.
- Man-in-the-Middle – The attacker intercepts and relays communications. The attacker controls the communication path.
- Man-on-the-Side – The attacker observes traffic and injects responses. The original communication remains intact. The attacker attempts to trick the victim into accepting malicious responses before the legitimate ones arrive.
Why Man-on-the-Side attacks are effective
Computers generally process whichever valid response arrives first, so if an attacker can inject a malicious response faster than the legitimate server, the victim’s system may accept it.
The legitimate response still arrives, but it is ignored because the request has already been satisfied.
This technique has historically been used for:
- Malware delivery
- Traffic redirection
- Surveillance
- Censorship
Common types of Man-in-the-Middle attacks
MitM attacks can occur in several ways.
- Rogue Wi-Fi attacks – One of the most common examples involves fake wireless networks.
An attacker creates a Wi-Fi hotspot with a legitimate-looking name. Users connect believing the network is legitimate allowing the attacker to observe or manipulate traffic passing through the connection. - ARP Spoofing – ARP (Address Resolution Protocol) helps devices identify one another on local networks. An attacker manipulates ARP communications to convince devices that they are the legitimate network gateway (router). As a result, traffic to and from the victim passes through the attacker’s system.
- DNS Spoofing – The Domain Name System (DNS) converts website names into IP addresses. If an attacker manipulates this process and redirects users to fraudulent websites, the the victim would believe they are visiting a legitimate service while actually interacting with an attacker-controlled system.
- HTTPS downgrade attacks – Modern websites use HTTPS encryption. Over time, different encryption algorithms have been introduced to improve security of the data being protected. Attackers may attempt to force users onto unencrypted connections, or to deliberately use a vulnerable encryption technology. The goal is to weaken security protections and make traffic easier to intercept. Fortunately, modern browsers and security controls have reduced the effectiveness of these attacks, but they remain a valuable concept to understand.
- Session hijacking – Many websites maintain user sessions after authentication. This is typically achieved by the use of session cookies, or tokens. If an attacker obtains session information, they may be able to impersonate the victim. Potential consequences include account takeover, data theft, and unauthorised transactions
- SSL/TLS interception – Some advanced attackers attempt to intercept encrypted traffic. This typically requires digital certificate compromise, user acceptance of invalid certificates, and malware installed on endpoints. A successful attack may allow the attacker to view supposedly encrypted communications.
Common Types of Man-on-the-Side Attacks
MotS attacks typically focus on injection rather than interception.
- Malicious software injection – The attacker observes software downloads and attempts to inject malicious files before legitimate downloads complete. The victim receives malware disguised as a trusted application.
- Content injection – Attackers inject unwanted content into web traffic. This can include advertisements, activity tracking scripts, malware, and HTTP redirects to malicious websites
- Fake update delivery – The attacker injects fake software updates. Users believe they are installing legitimate updates but actually install malware.
- Traffic redirection – Users are redirected to malicious websites before legitimate responses arrive. This may facilitate credential theft, malware installation, and surveillance
Information attackers seek
Both MitM and MotS attacks may target valuable information.
Examples include:
- Usernames
- Passwords
- Banking details
- Credit card information
- Session tokens
- Emails
- Corporate data
- Intellectual property
The stolen information may be used directly or sold to other cybercriminals.
Why these attacks are dangerous to companies
The consequences of both MiTM and MoTS attacks can be severe.
- Credential theft – Attackers may obtain employee login credentials which can then be used to access corporate systems such as email systems, cloud services, internal applications, and file servers
- Data Breaches – Sensitive information such as customer data, financial information, confidential documents, etc. may be intercepted during transmission.
- Business email compromise (BEC) – BEC is a major issue for most companies, as its the primary way an employee at a company communicates with other employees, and customers & suppliers. Intercepted communications can facilitate fraud and impersonation leading to huge financial losses.
- Malware distribution – Injected content may install malware throughout an organisation leading to further compromise, data loss, ransomware incidents, or system destruction
- Corporate espionage – Attackers may collect strategic information, trade secrets, or intellectual property for ransom, or other financial gain
- Reputational damage – Customers expect organisations to protect information. A successful attack can damage trust and brand reputation.
Warning signs of MitM or MotS activity
Possible indicators of MiTm or MoTS attacks include:
- Unexpected certificate warnings
- Website redirects
- Slow or unusual network behaviour
- Unrecognised Wi-Fi networks
- Repeated authentication prompts
- Unexpected software downloads
- Changes to website content
- Unusual DNS activity
While these signs do not guarantee an attack, they should be investigated.
How companies can prevent MitM and MotS attacks
Defending against these types of threats requires a defence in depth security strategy
- Use strong encryption on all communications – Organisations should enforce encrypted communications wherever possible, both internal and external. HTTPS and TLS encryption protect data in transit.
- Implement certificate validation – Users should be trained never to ignore certificate warnings. Invalid certificates should always be investigated.
- Use VPNs – Virtual Private Networks encrypt communications, particularly when using public networks. VPNs reduce the risk of interception.
- Secure wireless networks – Organisations should use strong Wi-Fi encryption, disable insecure protocols, and monitor for rogue access points
- Enable Multi-Factor Authentication – Even if credentials are intercepted, MFA provides an additional security layer.
- Implement DNS security – Technologies such as DNS filtering and DNSSEC help protect against DNS manipulation attacks.
- Maintain endpoint security – Modern endpoint protection tools can detect malware used to facilitate interception attacks.
- Conduct security awareness training – Employees should understand the risks associated with public Wi-Fi use, digital certificate warnings, phishing attacks, as well as other safe browsing practices. Human awareness remains a critical defence.
- Monitor network traffic – Security teams should monitor for unusual traffic patterns, suspicious DNS activity, unexpected certificates, and other network anomalies. Early detection can significantly reduce the impact of an attack.
The future of communication interception attacks
As encryption becomes more widespread, traditional interception attacks are becoming more difficult to conduct. However, attackers continue to evolve their techniques.
Modern threats increasingly focus on identity compromise, session hijacking, In-browser attacks, cloud services, and mobile device compromise.
Rather than breaking encryption directly, attackers often target the systems and users at either end of the communication.
Conclusion
Man-in-the-Middle and Man-on-the-Side attacks both involve attackers interfering with communications between trusted parties, but they do so in different ways. A Man-in-the-Middle attacker sits directly between the communicating parties and relays traffic, while a Man-on-the-Side attacker observes communications and injects malicious responses without fully controlling the communication channel.
These attacks can lead to credential theft, data breaches, malware infections, financial fraud, and corporate espionage. Because they exploit trust relationships and communication pathways, they can be particularly difficult to detect.
By implementing strong encryption, enforcing certificate validation, securing networks, deploying multi-factor authentication, monitoring traffic, and educating employees, organisations can significantly reduce their exposure to these threats. In a world where digital communications underpin nearly every business process, protecting the integrity and confidentiality of those communications remains a critical cyber security priority.