What Are Adversary-in-the-Middle (AiTM) Attacks?

Do you remember the playground game Monkey in the Middle? What if the “monkey” had a way to grab the ball without anyone realizing it?

Essentially, adversary-in-the-middle (AiTM) attacks are phishing scams that allow cyber criminals to do just that. But the intercepted “ball” is access to online accounts that can lead to costly data breaches and business email compromise (BEC).

In July, Microsoft announced it had tracked and analyzed a large-scale AiTM campaign that targeted more than 10,000 organizations since September 2021. The attacks successfully “stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA).”

We at ProWriters want brokers to stay informed about developments in cyber security so they can help their clients appreciate the need for robust cyber risk management and Cyber Liability Insurance.

Read on for more information about AiTM attacks and how your clients can guard against them.

How Adversary-in-the-Middle (AiTM) Phishing Scams Work

Two-factor and multifactor authentication are generally effective, though underutilized, cyber security controls. But adversary-in-the-middle attacks, also known as man-in-the-middle (MiTM) attacks, allow cyber criminals to bypass this extra authentication layer.

AiTM or MiTM attacks start when cyber criminals contact a target via phishing emails or text messages. These communications lead the target to a website to enter their username and password.

This site is hosted on the criminals’ proxy server. It imitates every aspect of the authentic site. It may be indistinguishable except in its URL, a difference the target may not notice.

When targets enter credentials, the proxy server relays those credentials to the legitimate site. The real site returns a two-factor or multifactor request for authenticating user identity. The malicious server proxies this request to the target, who enters additional authenticating information.

The criminals’ server sends the information to the authentic site, which returns a session cookie. Session cookies are site-specific pieces of data stored temporarily in the browser so the site can recognize the signed-in user on subsequent requests, allowing easier navigation and faster page loading. They normally disappear when the user closes the browser.

But thanks to their proxy server, the cyber criminals now possess a genuine session cookie and genuine credentials. The criminals can access the target’s online account directly, bypassing the two-factor or multifactor authentication method.

Once inside the account, bad actors are free to not only access and steal data but also launch BEC attacks. “Business Email Compromise, the endgame in this attack,” security researcher Sharon Nachshony told IT professional network Spiceworks, “has been used historically to siphon hundreds of thousands of dollars from single organizations.”

How Businesses Can Stay On Guard Against AiTM Attacks

Your business and organization clients can adopt several best practices to combat AiTM or MiTM attacks.

  • Strong encryption on wireless access points and other endpoints helps ensure that any information criminals do intercept is unreadable and unusable to them.
  • Virtual private networks (VPNs) can make stealing sensitive information from a network more difficult.
  • Enforced HTTPS can stop attackers from using any data they may get.
  • Public key authentication can foil a malicious proxy server’s connection to a legitimate website.

Don’t stop using multifactor authentication just because some criminals have ways to avoid it. As Microsoft stated, the success of AiTM MFA bypass “depends entirely on whether or not the phishing target is literate in the basics of cyber security and … can identify a phishing page from a legitimate one.”

As with all forms of social engineering, then, aware and educated personnel are your clients’ first line of defense against AiTM attacks. Network users must:

  • Refrain from clicking links in emails unless they know the email is from a trusted sender and the link is legitimate. When in doubt, test the link in a link-checking website.
  • Log in directly to online accounts rather than through links in email, especially if the email claims some problem requires urgent attention. Such emails prey on readers’ tendency to panic. If an actual problem exists, you’ll be able to find and resolve it after logging in through the home page.
  • Exercise caution with email attachments. Don’t open attachments from unfamiliar senders. Even if the email appears legitimate, contact the supposed sender first and verify they sent the attachment. (Don’t use email addresses or phone numbers in the email, lest you end up communicating with the hacker.)

Help Your Business Clients Manage All of Their Cyber Risks

Alerting your business clients to the dangers AiTM attacks pose is an important way to help them manage cyber risk. Finding the right Cyber Liability Insurance policies for them is even more critical.

In 2021, the average annual cost of phishing scams, such as AiTM or MiTM attacks, climbed to nearly $15 million. Companies spent almost $6 million annually recovering from BEC.

Cyber Liability Insurance can cover the steep expenses businesses face in the wake of an incident. And registered ProWriters brokers can use our innovative platform for gathering multiple Cyber Insurance quotes from top insurance companies for side-by-side comparison.

To find out more, schedule a time to talk with us, or call (484) 321-2335.
