{
	"id": "92ffb66f-3e5c-4d9e-b904-12ed816f1bb7",
	"created_at": "2026-04-06T01:30:30.603963Z",
	"updated_at": "2026-04-10T03:20:17.788962Z",
	"deleted_at": null,
	"sha1_hash": "9e74f457d66c4d840df983272169dc81ea99966a",
	"title": "Man-in-the-middle attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37119,
	"plain_text": "Man-in-the-middle attack\r\nBy Kaspersky\r\nPublished: 2017-08-10 · Archived: 2026-04-06 01:27:41 UTC\r\nDuring a man-in-the-middle (MitM) attack, threat actors gain access to a communication channel between legitimate parties (such as users, applications or network devices), allowing the perpetrators to view, delete or modify any message sent.\r\nMan-in-the-middle attack mechanism\r\nThere are different ways to gain access to a communication channel. For example, an unscrupulous post office employee might exploit their position to open letters and parcels (an offline MitM attack).\r\nWith regard to network communications that attackers do not have access to by default, they can:\r\nHack a service or device that does have access – such as a router.\r\nMimic a legitimate participant in the information exchange, such as an app, website, VPN server or access point.\r\nAttackers can use the following methods to direct victims’ traffic through their own resources:\r\nUsing fake access points: attackers create passwordless Wi-Fi access points and/or access points with names similar to legitimate ones. If victims unwittingly connect to these, all their internet traffic will pass through the attackers’ device.\r\nARP spoofing (ARP poisoning): attackers broadcast over the local network the mapping between the IP address of a legitimate device and the MAC address of their own device. This attack is used when the perpetrators have access to the victim’s local network.\r\nDNS spoofing: attackers change the DNS cache (records that map domain names (website addresses) to the IP addresses of the servers on which these sites are located) on a router or vulnerable DNS server, mapping domain names to attacker-controlled IP addresses. If users try to open the corresponding site in their browser, they are directed to a malicious copy that is often indistinguishable from the original.\r\nURL spoofing: attackers create fake resources with URL addresses similar to those of legitimate sites. If a user opens the fake site instead of the legitimate one, the attackers can act as an intermediary between the user and the legitimate site.\r\nWhy man-in-the-middle attacks are dangerous\r\nAn attacker with full access to a victim’s communication channel can:\r\nRead, modify and delete messages.\r\nSteal confidential information such as payment card details, account credentials and correspondence.\r\nView, delete and spoof files, including substituting downloadable apps with malicious versions.\r\nSource: https://encyclopedia.kaspersky.com/glossary/man-in-the-middle-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://encyclopedia.kaspersky.com/glossary/man-in-the-middle-attack/"
	],
	"report_names": [
		"man-in-the-middle-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775439030,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e74f457d66c4d840df983272169dc81ea99966a.pdf",
		"text": "https://archive.orkl.eu/9e74f457d66c4d840df983272169dc81ea99966a.txt",
		"img": "https://archive.orkl.eu/9e74f457d66c4d840df983272169dc81ea99966a.jpg"
	}
}