Man-in-the-middle (MITM) attacks are cyberattacks in which hackers intercept and eavesdrop on communications between two online parties to steal sensitive information such as credit card numbers, usernames, and passwords. Here are the most common methods used on public networks:
1. Rogue Hotspots (Evil Twin Networks)
What It Is
- Hacker creates a malicious Wi-Fi access point nearby with a name similar to legitimate networks
- Often uses names like “FreeWiFi_Nairobi” (vs. the real “CafeWiFi_Nairobi”) or a generic “Free Public Wi-Fi Network”
How It Works
- Attacker sets up a Wi-Fi hotspot in airports, restaurants, or city centers
- Network name mimics nearby businesses or trusted public connections
- Users connect thinking it’s legitimate
- Attacker collects all data passing through: credit card numbers, usernames, passwords
Why It’s Dangerous
- Users don’t need a password to connect (open network)
- If authentication is required, the hacker captures login credentials during registration
- 1 in 4 public Wi-Fi hotspots in Nairobi remains unsecured
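The two tells described above (a trusted SSID suddenly broadcast from an unknown access point, and look-alike or generic “free” names) can be checked against a scan. The script below is an added example written for this article, not code from the original page; it assumes a trust list of SSIDs and BSSIDs confirmed with venue staff, and the scan results are constructed sample data rather than a real capture.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Hypothetical model of one scanned access point (constructed for this example)
@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # access point MAC address
    security: str     # "open", "WPA2" or "WPA3"
    signal_dbm: int

# Constructed trust list: the SSID the venue actually runs and the BSSIDs
# confirmed with its staff. In practice this comes from the venue, not a scan.
TRUSTED = {
    "CafeWiFi_Nairobi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed scan results (not a real capture)
SCAN = [
    AccessPoint("CafeWiFi_Nairobi", "aa:bb:cc:00:00:01", "WPA2", -45),           # genuine
    AccessPoint("CafeWiFi_Nairobi", "de:ad:be:ef:00:01", "open", -30),           # same name, unknown BSSID
    AccessPoint("FreeWiFi_Nairobi", "de:ad:be:ef:00:02", "open", -35),           # look-alike name
    AccessPoint("Free Public Wi-Fi Network", "de:ad:be:ef:00:03", "open", -50),  # generic bait name
    AccessPoint("NeighbourHomeNet", "11:22:33:44:55:66", "WPA3", -80),           # unrelated
]

def normalize(ssid: str) -> str:
    """Lower-case and drop punctuation so 'Cafe_WiFi' and 'cafewifi' compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())

def similarity(a: str, b: str) -> float:
    """Similarity of two SSIDs after normalisation, from 0.0 to 1.0."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def classify(ap: AccessPoint, trusted=TRUSTED, threshold: float = 0.7) -> list[str]:
    """Return the reasons an access point looks like a rogue hotspot (empty if none)."""
    reasons = []
    if ap.ssid in trusted:
        if ap.bssid.lower() not in trusted[ap.ssid]:
            reasons.append("known SSID broadcast from an unknown BSSID (possible evil twin)")
        if ap.security == "open":
            reasons.append("trusted SSID advertised as an open network")
    else:
        for known in trusted:
            if similarity(ap.ssid, known) >= threshold:
                reasons.append(f"name resembles trusted SSID '{known}'")
                break
        if ap.security == "open" and "free" in ap.ssid.lower():
            reasons.append("generic open 'free' network")
    return reasons

def audit(scan, trusted=TRUSTED) -> dict[str, list[str]]:
    """Map BSSID -> reasons for every access point that raises at least one flag."""
    flagged = {}
    for ap in scan:
        reasons = classify(ap, trusted)
        if reasons:
            flagged[ap.bssid] = reasons
    return flagged

if __name__ == "__main__":
    for bssid, reasons in audit(SCAN).items():
        print(bssid, "->", "; ".join(reasons))
```

The BSSID check is the strong signal: an SSID can be copied freely, but the venue’s real access points have fixed MAC addresses. The name-similarity check is a heuristic and the 0.7 threshold is a tunable guess, so its hits should prompt a question to staff rather than an automatic block.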
2. ARP Spoofing (ARP Cache Poisoning)
What It Is
- Address Resolution Protocol (ARP) maps IP addresses to MAC addresses on local networks
- Attacker sends falsified ARP packets that bind a victim’s IP address to the attacker’s MAC address
How It Works
Advanced Techniques
- Hijack default gateway: announce own device as the gateway, redirecting ALL network traffic through the attacker
- Modify DNS servers: replace the legitimate DNS server with the attacker’s address to execute DNS spoofing
Requirements
- Attacker must be on the same LAN as the victim (hotel LANs and public Wi-Fi are at risk)
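On the defender’s side, ARP cache poisoning leaves a visible trace: the MAC address announced for an IP (especially the gateway) changes, and one MAC starts answering for several IPs. The detector below is an added example, not code from the original page. The log lines are constructed in a tcpdump-like shape rather than taken from a real capture, and the gateway address is an assumption for the example.

```python
import re
from collections import defaultdict

# Constructed ARP reply log in a tcpdump-like format (not a real capture).
# A MAC (de:ad:be:ef:00:99) starts answering for both the gateway and a client,
# which is the pattern of a gateway hijack.
ARP_LOG = """\
10:00:01 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:02 ARP, Reply 192.168.1.20 is-at 11:22:33:44:55:66
10:00:05 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99
10:00:05 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99
10:00:06 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99
"""

GATEWAY_IP = "192.168.1.1"  # assumed default gateway for this example

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)

def parse_arp_log(text: str) -> list[tuple[str, str, str]]:
    """Extract (timestamp, ip, mac) from each ARP reply line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            records.append((m["ts"], m["ip"], m["mac"].lower()))
    return records

def detect_poisoning(records, gateway_ip: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, severity, message) alerts for ARP bindings that change or collide."""
    first_seen = {}                 # ip -> MAC the ip was first announced with
    claimed_ips = defaultdict(set)  # mac -> set of ips it has answered for
    alerts = []
    for ts, ip, mac in records:
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            # A changing gateway binding is the classic sign of a gateway hijack
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((ts, severity, f"{ip} moved from {known} to {mac}"))
        if ip not in claimed_ips[mac]:
            claimed_ips[mac].add(ip)
            if len(claimed_ips[mac]) > 1:
                alerts.append((ts, "HIGH",
                               f"{mac} answers for several IPs: {sorted(claimed_ips[mac])}"))
    return alerts

def scan_log(text: str = ARP_LOG, gateway_ip: str = GATEWAY_IP):
    """Parse a log and run the detector over it."""
    return detect_poisoning(parse_arp_log(text), gateway_ip)

if __name__ == "__main__":
    for ts, severity, msg in scan_log():
        print(ts, severity, msg)
```

Seeding first_seen from a static table of known gateway and server MACs instead of from the first reply observed makes the check stronger, since an attacker who is already active when monitoring starts would otherwise be recorded as the baseline.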
3. DNS Spoofing (DNS Hijacking)
What It Is
- Domain Name System (DNS) resolves website domain names to IP addresses
- Attacker changes DNS records to redirect users from legitimate sites to fraudulent ones
How It Works
Example
- User types google.com → redirected to a fake Google login page
- User enters password → attacker steals credentials
4. HTTPS Spoofing (SSL Stripping)
What It Is
- HTTPS encrypts data between the user and the website
- Attacker secretly routes users to the unencrypted HTTP version of the page instead
How It Works
Why It Works
- Many users don’t notice “http” vs “https” in the URL
- Some sites automatically downgrade to HTTP for faster loading
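From the client’s point of view, a stripped session looks like a page that stays on http when it should have redirected to https, or a redirect that steps from https back down to http. The audit below is an added example, not code from the original page; it walks a redirect chain as the browser observed it and also checks for the HSTS header that tells browsers to refuse the plaintext version in future. The chains are constructed sample data, and the one-year minimum for HSTS max-age is an assumption of the example.

```python
from typing import Optional
from urllib.parse import urlparse

ONE_YEAR = 365 * 24 * 3600  # assumed minimum HSTS max-age for this check

def hsts_max_age(headers: dict) -> Optional[int]:
    """Parse max-age from a Strict-Transport-Security header; None if absent or invalid."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(arg.strip().strip('"'))
            except ValueError:
                return None
    return None

def audit_chain(chain) -> list[str]:
    """chain: list of (url, status, headers) hops as the client saw them, in order."""
    findings = []
    previous_scheme = None
    for url, status, headers in chain:
        scheme = urlparse(url).scheme.lower()
        if previous_scheme == "https" and scheme == "http":
            findings.append(f"downgrade from https to http at {url}")
        if scheme == "https":
            age = hsts_max_age(headers)
            if age is None:
                findings.append(f"no HSTS header on {url}")
            elif age < ONE_YEAR:
                findings.append(f"HSTS max-age {age}s is shorter than one year on {url}")
        previous_scheme = scheme
    final_url, final_status, _ = chain[-1]
    if urlparse(final_url).scheme.lower() == "http" and 200 <= final_status < 300:
        findings.append(f"final page delivered over plaintext http: {final_url}")
    return findings

# Constructed redirect chains (no real traffic)
HEALTHY = [
    ("http://bank.example/", 301, {"Location": "https://bank.example/"}),
    ("https://bank.example/", 200,
     {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}),
]
STRIPPED = [
    # The redirect to https never reached the client; the page arrived over http
    ("http://bank.example/", 200, {"Content-Type": "text/html"}),
]
DOWNGRADED = [
    ("https://shop.example/", 302, {"Location": "http://shop.example/checkout"}),
    ("http://shop.example/checkout", 200, {}),
]

if __name__ == "__main__":
    for name, chain in [("healthy", HEALTHY), ("stripped", STRIPPED), ("downgraded", DOWNGRADED)]:
        print(name, audit_chain(chain) or "no findings")
```

HSTS only protects a browser that has already seen the header over a genuine https connection (or has the site on its preload list), which is why the first visit on an untrusted network remains the risky one.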
5. SSL Hijacking (SSL Certificate Spoofing)
What It Is
- SSL/TLS provides authentication and encryption using SSL certificates
- Attacker presents a fake SSL certificate to hijack the encrypted session
How It Works
Warning Signs
- Browser shows “Certificate not trusted” or another SSL warning
- User ignores the warning and enters credentials
6. Wi-Fi Eavesdropping
What It Is
- Attacker creates public Wi-Fi hotspots in popular locations (airports, restaurants, city centers)
- Or compromises legitimate public Wi-Fi hotspots used by the public
How It Works
Data Intercepted
- Credit card numbers
- Usernames and passwords
- Personal details
- Financial information
7. DHCP Spoofing
What It Is
- DHCP (Dynamic Host Configuration Protocol) allocates IP addresses on networks
- Attacker sets up a fake DHCP server to control IP address allocation
How It Works
Requirements
- Attacker must be on the same LAN as the victim
- Hotel LANs and public Wi-Fi networks are at risk
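A DHCP offer carries more than an IP address: it also tells the client which default gateway and DNS servers to use, which is what makes a rogue server useful for redirecting traffic. Switch-side DHCP snooping defends against this by only accepting offers from known server ports. The script below is an added example, not code from the original page, that applies the same checks to captured offers: an unknown server identifier, a gateway or DNS setting that differs from the authorised configuration, and two servers racing to answer one client transaction. The authorised settings and the offers are constructed sample data, and 192.0.2.53 is a documentation-range placeholder for an upstream resolver.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DhcpOffer:
    ts: str
    xid: int            # transaction id copied from the client's DISCOVER
    server_id: str      # DHCP option 54 (server identifier)
    server_mac: str
    offered_ip: str
    router: str         # option 3 (default gateway)
    dns: tuple          # option 6 (DNS servers)

# Assumed authorised configuration for this LAN (constructed; 192.0.2.53 is a
# documentation-range address standing in for the real upstream resolver)
AUTHORIZED = {
    "servers": {"192.168.1.1"},
    "router": "192.168.1.1",
    "dns": {"192.168.1.1", "192.0.2.53"},
}

# Constructed offers (not a real capture): the legitimate server and a rogue
# host both answer the first DISCOVER; only the rogue answers the second.
OFFERS = [
    DhcpOffer("10:00:01.000", 0x1A2B, "192.168.1.1", "aa:bb:cc:00:00:01",
              "192.168.1.50", "192.168.1.1", ("192.168.1.1",)),
    DhcpOffer("10:00:01.004", 0x1A2B, "192.168.1.77", "de:ad:be:ef:00:99",
              "192.168.1.50", "192.168.1.77", ("192.168.1.77",)),
    DhcpOffer("10:00:09.000", 0x1A2C, "192.168.1.77", "de:ad:be:ef:00:99",
              "192.168.1.51", "192.168.1.77", ("192.168.1.77",)),
]

def audit_offers(offers, authorized=AUTHORIZED):
    """Return (timestamp, severity, message) alerts, mirroring what DHCP snooping checks."""
    alerts = []
    servers_per_xid = defaultdict(set)  # transaction id -> servers that answered it
    for o in offers:
        if o.server_id not in authorized["servers"]:
            alerts.append((o.ts, "HIGH",
                           f"offer from unauthorised DHCP server {o.server_id} ({o.server_mac})"))
        if o.router != authorized["router"]:
            alerts.append((o.ts, "HIGH", f"offer points the default gateway at {o.router}"))
        unapproved_dns = set(o.dns) - authorized["dns"]
        if unapproved_dns:
            alerts.append((o.ts, "HIGH",
                           f"offer pushes unapproved DNS servers {sorted(unapproved_dns)}"))
        servers_per_xid[o.xid].add(o.server_id)
        if len(servers_per_xid[o.xid]) > 1:
            alerts.append((o.ts, "MEDIUM",
                           f"transaction {o.xid:#x} answered by several servers "
                           f"{sorted(servers_per_xid[o.xid])}"))
    return alerts

if __name__ == "__main__":
    for ts, severity, msg in audit_offers(OFFERS):
        print(ts, severity, msg)
```

The race check matters because clients usually accept whichever offer arrives first; a rogue server on the same segment can answer faster than the real one, so a transaction with two answering servers deserves attention even when the client ended up with the legitimate lease.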
Attack Method Comparison
Prevention: How to Protect Against MITM Attacks
For Users
✅ Use a trusted VPN – Encrypts all traffic, prevents interception
✅ Avoid public Wi-Fi for banking/shopping – Use mobile data or secure networks
✅ Verify network authenticity – Confirm exact SSID name with venue staff
✅ Check for HTTPS – Only enter credentials on “https://” sites
✅ Don’t ignore SSL warnings – If browser shows certificate error, don’t proceed
✅ Enable 2-factor authentication – Blocks unauthorized access even if password stolen
✅ Turn off auto-connect – Prevent device from joining networks automatically
For Network Administrators
✅ Implement network segmentation (VLANs) – Separate guest from internal traffic
✅ Enable client isolation – Prevent guests from accessing other guests
✅ Use WPA3/WPA2 encryption – Never use WEP or open networks
✅ Deploy captive portal with authentication – Require login before access
✅ Monitor network activity – Detect unusual traffic patterns
✅ Keep firmware updated – Prevent vulnerability exploitation
Bottom Line
MITM attacks are a growing threat, especially in Nairobi where 1 in 4 public Wi-Fi hotspots remain unsecured. The most common methods—rogue hotspots, ARP spoofing, DNS spoofing, and SSL stripping—can intercept passwords, financial data, and personal information.
Protecting your data isn’t optional—it’s your first line of defense. Use VPN, verify network authenticity, avoid sensitive transactions on public Wi-Fi, and always look for HTTPS.