The Phishing Guide Part 2 : Man-in-The-Middle

Saturday, June 17th, 2017

For a phishing attack to be successful, it must use a number of methods to trick the customer into doing something with their server and/or supplied page content. There is an ever-increasing number of ways to do this. The most common methods, explained in detail below, include:

• Man-in-the-middle Attacks

• URL Obfuscation Attacks

• Cross-site Scripting Attacks

• Preset Session Attacks

• Observing Customer Data

• Client-side Vulnerability Exploitation

I will go into more detail about the others in another post, but today we are going to learn how to do a Man-in-the-Middle attack.

Man-in-the-middle Attacks

One of the most successful vectors for gaining control of customer information and resources is through man-in-the-middle attacks. In this class of attack, the attacker situates themselves between the customer and the real web-based application, and proxies all communications between the systems. From this vantage point, the attacker can observe and record all transactions.

This form of attack is successful for both HTTP and HTTPS communications. The customer connects to the attacker's server as if it was the real site, while the attacker's server makes a simultaneous connection to the real site. The attacker's server then proxies all communications between the customer and the real web-based application server, typically in real time. In the case of secure HTTPS communications, an SSL connection is established between the customer and the attacker's proxy (hence the attacker's system can record all traffic in an unencrypted state), while the attacker's proxy creates its own SSL connection between itself and the real server.

For man-in-the-middle attacks to be successful, the attacker must be able to direct the customer to their proxy server instead of the real server. This may be carried out through a number of methods:

• Transparent Proxies

• DNS Cache Poisoning

• URL Obfuscation

• Browser Proxy Configuration

Transparent Proxies

Situated on the same network segment or located en route to the real server (e.g. corporate gateway or intermediary ISP), a transparent proxy service can intercept all data by forcing all outbound HTTP and HTTPS traffic through itself. In this transparent operation, no configuration changes are required at the customer end.

DNS Cache Poisoning

“DNS Cache Poisoning” may be used to disrupt normal traffic routing by injecting false IP addresses for key domain names. For example, the attacker poisons the DNS cache of a network firewall so that all traffic destined for the MyBank IP address now resolves to the attacker's proxy server IP address.
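One way a defender can spot the poisoned answer described above is to compare what the local resolver returns against the address ranges the real site is known to use. This is an added example, not code from the original post; the hostname `www.mybank.example`, the baseline networks and the function names are assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed baseline: RFC 5737 documentation ranges stand in for the
# address space the real site is known to use (an assumption for this example).
EXPECTED_NETWORKS = {"www.mybank.example": ["192.0.2.0/24"]}


def system_resolver(hostname):
    """Addresses the local resolver (and any cache in front of it) returns."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def audit_resolution(hostname, resolver=system_resolver, expected=EXPECTED_NETWORKS):
    """Return (status, unexpected); unexpected lists answers outside the baseline."""
    if hostname not in expected:
        return "unknown-host", []
    networks = [ipaddress.ip_network(n) for n in expected[hostname]]
    try:
        answers = resolver(hostname)
    except socket.gaierror:
        return "no-answer", []
    if not answers:
        return "no-answer", []
    # An IPv6 answer never matches an IPv4 network, so list IPv6 ranges in
    # the baseline too if the site publishes AAAA records.
    unexpected = sorted(
        a for a in answers
        if not any(ipaddress.ip_address(a) in net for net in networks)
    )
    return ("suspicious" if unexpected else "ok"), unexpected


if __name__ == "__main__":
    # Constructed resolver outputs; no network access is needed for the demo.
    clean = lambda host: {"192.0.2.10"}
    poisoned = lambda host: {"192.0.2.10", "203.0.113.66"}
    print(audit_resolution("www.mybank.example", clean))
    print(audit_resolution("www.mybank.example", poisoned))
```

A "suspicious" result is a prompt to investigate rather than proof of poisoning, since sites that move between hosting providers or CDNs change addresses legitimately and the baseline has to be kept current.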

URL Obfuscation

Using URL obfuscation techniques, the attacker tricks the customer into connecting to their proxy server instead of the real server. For example, the customer may follow a link to instead of

Browser Proxy Configuration

By overriding the customer's web browser setup and setting proxy configuration options, an attacker can force all web traffic through to their nominated proxy server. This method is not transparent to the customer, and the customer may easily review their web browser settings to identify an offending proxy server. In many cases, the browser proxy configuration changes setting up the attack will have been carried out in advance of receipt of the phishing message.

