An adversary-in-the-middle (AiTM) phishing attack is one in which a malicious actor positions themselves between you and the web server you are communicating with, intercepts the information you send, and steals your session cookies.
What is a session cookie?
Session cookies are small text files that act like your keys to a website. When you log in to your online banking or social media accounts, the website gives you a unique cookie that stores your data temporarily. This cookie is stored in your browser for as long as you are logged in, and is automatically sent with every request you make to that website. So, if you are browsing different pages on the same website or submitting a form, you don't have to re-enter your password every time. The session cookie also disappears the moment you log out or end your session.
Enter the cookie thief
In an AitM attack, the attacker positions themself between you and the website you are trying to access by creating a proxy site and tricking you into entering your credentials on it. Then they take this information to communicate with the actual website and steal the session cookies the actual website generates.
Attackers can also get access to your session cookies by gaining access to your network. Using unsecured public Wi-Fi hotspots, or not enabling security mechanisms on your router, makes you vulnerable to AiTM attacks. Attackers can also exploit vulnerabilities in websites or your browser to redirect your traffic through their own malicious server.
What happens when the cookie is stolen?
Once the attacker has your session cookie, they can access your account and carry out fraudulent transactions, steal data, or take over your account.
AiTM phishing attacks like these are quite complex and can beat some strong defences. But there are some basic steps you can take to mitigate the risks.
- Watch out for phishing: Phishing is usually the gateway for cyber criminals to launch other forms of cyber attacks. AiTM phishing attacks commonly start with messages that trick you into clicking on malicious links. Learn what phishing looks like and do not click on links you do not trust.
- Keep your software updated: Regularly update your operating system, browser, and other software to patch security vulnerabilities.
- Avoid public Wi-Fi: If you must use it, use a Virtual Private Network (VPN) to encrypt your traffic.
- Use HTTPS websites: Look for the padlock icon in your browser's address bar. If you can see this, it means the website uses encryption to protect your data in transit.
Enable multi-factor authentication (MFA)
While some AiTM attacks try to circumvent two-factor authentication, having MFA on your accounts is still the best defence against cybercrime. There are also phishing-resistant MFA methods, such as security keys, that won’t let attackers access your account even if they steal your session cookies.
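The reason a security key resists the proxy described above is that the browser, not the user, tells the key which site it is really talking to. The following added example (not code from the article) models that check in Python; HMAC stands in for the public-key signature a real FIDO2/WebAuthn key produces, and the domain names bank.example and bank-login.example are made up for the demonstration.

```python
import hashlib
import hmac
import json
import os
# Added example (not from the article): simplified model of why a security key resists
# an AiTM proxy. HMAC stands in for a real FIDO2 key's public-key signature; domains are made up.

class SecurityKey:
    def __init__(self):
        self._creds = {}  # one credential per relying-party ID (the registering domain)

    def register(self, rp_id):
        self._creds[rp_id] = os.urandom(32)
        return self._creds[rp_id]  # real WebAuthn hands the server a public key instead

    def sign_in(self, rp_id, origin, challenge):
        # The browser, not the user, supplies rp_id and origin from the page it is really
        # talking to, so a look-alike proxy domain cannot claim to be the bank.
        key = self._creds.get(rp_id)
        if key is None:
            return None  # no credential for this domain: nothing to sign
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
        return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

class BankServer:
    def __init__(self, origin):
        self.origin, self.creds = origin, {}

    def verify(self, user, challenge, assertion):
        if assertion is None:
            return False
        client_data, sig = assertion
        data = json.loads(client_data)
        if data["origin"] != self.origin or data["challenge"] != challenge:
            return False  # signed for some other site, or a replayed challenge
        expected = hmac.new(self.creds[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

def demo():
    """Returns (direct_login_ok, proxied_login_ok)."""
    bank, key = BankServer("https://bank.example"), SecurityKey()
    bank.creds["alice"] = key.register("bank.example")
    challenge = os.urandom(16).hex()
    direct = bank.verify("alice", challenge, key.sign_in("bank.example", "https://bank.example", challenge))
    # Proxied login: the attacker's site relays the bank's challenge, but the browser reports
    # the proxy's own domain, so the key has no credential for it and signs nothing.
    proxied = bank.verify("alice", challenge,
                          key.sign_in("bank-login.example", "https://bank-login.example", challenge))
    return direct, proxied
```

Even if an assertion for the right relying party were somehow obtained, the server still rejects it when the signed origin is not its own, which is the second line of defence a plain one-time code does not have.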