Adversary-in-the-middle (AiTM) fraud represents a significant, ongoing challenge for businesses, with tactics such as email hijacking, AI-assisted attacks and account takeovers becoming both more complex and more frequent, spanning the physical and digital domains. According to Microsoft's annual Digital Defense Report, Microsoft observed a startling 146% increase in AiTM attacks alone in 2024.
These threats concentrate on high-value industries that depend on secure digital transactions and data privacy, such as financial services, marketplaces, mobility/transportation and online gaming, where the impact can be severe: major financial losses and a decline in user trust. As the threat expands, it becomes increasingly critical for businesses to draw on specialized expertise and tooling built to counter attacks of growing sophistication.
Adversary-in-the-Middle Attacks Defined
AiTM fraud exploits weaknesses in both systems and people. In an attack, the criminal intercepts, relays or alters the communication between two parties without their knowledge, while each party believes it is talking directly to the other. The most common techniques for getting into that position include Address Resolution Protocol (ARP) poisoning, phishing, Wi-Fi eavesdropping, session hijacking, IP spoofing and DNS spoofing.
Here’s what typically happens with each of these attacks:
- Address Resolution Protocol (ARP) poisoning is a method in which the attacker floods a local network with forged ARP replies so that hosts associate the attacker's MAC address with another host's IP address, typically the default gateway, and unknowingly route their traffic through the attacker.
- Phishing involves deceiving individuals into revealing login credentials, card numbers or other sensitive data. In its AiTM form, the phishing page is a reverse proxy in front of the real site, so the victim's password, MFA code and resulting session cookie are relayed to the legitimate service and captured in real time.
- Wi-Fi eavesdropping occurs when malicious actors exploit open or weakly protected wireless networks to read or steal data as it travels between two devices.
- Session hijacking occurs after a legitimate user has authenticated to an application: the attacker steals the session token or cookie and replays it, becoming that user without ever entering a password, for example to initiate a bank withdrawal or extract personally identifiable information (PII) such as birthdates, addresses and transaction histories.
- IP spoofing replaces the source IP address in a packet header with a forged one, so that responses or trust decisions are based on an address the attacker does not own.
- DNS spoofing substitutes the address of a legitimate website with that of an impostor, so that users who request the correct name are sent to the attacker's server, enabling the theft of valuable information.
One of the most recent examples of an AiTM attack is the campaign against Microsoft 365 using the phishing-as-a-service (PhaaS) toolkit Rockstar 2FA, an updated version of the DadSec/Phoenix kit. In 2024, a targeted user opened an attachment that led to a look-alike sign-in page; the page was a reverse proxy to the real Microsoft 365 login, so the victim's password and MFA step were relayed to Microsoft and completed normally. The kit captured the resulting session cookie, which granted the attacker entry to the account without needing the password or MFA again.
AiTM persists in both digital and physical forms. Digital AiTM fraud is gaining traction because of advances in phishing kits and AI-assisted attacks. Physical AiTM fraud has expanded as well, driven by incentives such as sign-up bonuses and rewards.
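The Rockstar 2FA case above and the session-hijacking entry in the list share one detectable symptom: a session that was authenticated from one place is, minutes later, driven from the attacker's infrastructure. The detector below is an added example, not the article's or any vendor's code; it consumes a constructed JSON-lines sign-in/request log in an assumed schema and uses an assumed 30-minute window and the tuple (ASN, user agent, country) as the session's authentication context.

```python
"""Flag stolen-session replay from a constructed sign-in / request log.

Added example, not from the article. After an AiTM proxy captures the session
cookie, the attacker replays it from their own hosts. The signal is a session
whose requests arrive from an ASN, user agent or country different from the one
that completed MFA, shortly after that sign-in. Schema and thresholds are
assumptions chosen for the example.
"""
import json
from datetime import datetime, timedelta

# Constructed JSON-lines log. The first event of each session is the MFA-completed sign-in.
LOG = """\
{"ts":"2024-11-20T09:00:00","event":"signin_mfa_ok","session":"s1","ip":"203.0.113.10","asn":"AS64500","ua":"Edge/130","country":"US"}
{"ts":"2024-11-20T09:00:30","event":"request","session":"s1","ip":"203.0.113.10","asn":"AS64500","ua":"Edge/130","country":"US"}
{"ts":"2024-11-20T09:03:00","event":"request","session":"s1","ip":"198.51.100.77","asn":"AS64511","ua":"Chrome/119","country":"NL"}
{"ts":"2024-11-20T09:03:10","event":"request","session":"s1","ip":"198.51.100.77","asn":"AS64511","ua":"Chrome/119","country":"NL"}
{"ts":"2024-11-20T10:00:00","event":"signin_mfa_ok","session":"s2","ip":"192.0.2.5","asn":"AS64496","ua":"Safari/17","country":"US"}
{"ts":"2024-11-20T10:05:00","event":"request","session":"s2","ip":"192.0.2.6","asn":"AS64496","ua":"Safari/17","country":"US"}
"""

WINDOW = timedelta(minutes=30)  # assumed: how soon after sign-in a context switch is suspicious


def parse_log(text):
    """Parse JSON lines and convert timestamps to datetime objects."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def detect_session_replay(text, window=WINDOW):
    """Return {session_id: [reasons]} for sessions used outside their auth context.

    A changed IP inside the same ASN (carrier NAT, office egress pool) is normal,
    so the comparison is on ASN + user agent + country rather than the raw IP.
    Session s2 in the sample changes IP only and is therefore not flagged.
    """
    auth_ctx = {}   # session id -> the sign-in event that established it
    findings = {}
    for e in parse_log(text):
        sid = e["session"]
        if e["event"] == "signin_mfa_ok":
            auth_ctx[sid] = e
            continue
        ctx = auth_ctx.get(sid)
        if ctx is None:
            # A cookie we never saw minted: worth a look on its own.
            findings.setdefault(sid, []).append("request with no observed authentication")
            continue
        reasons = []
        if e["asn"] != ctx["asn"]:
            reasons.append(f"asn {ctx['asn']}->{e['asn']}")
        if e["ua"] != ctx["ua"]:
            reasons.append(f"ua {ctx['ua']}->{e['ua']}")
        if e["country"] != ctx["country"]:
            reasons.append(f"country {ctx['country']}->{e['country']}")
        if reasons and e["ts"] - ctx["ts"] <= window:
            findings.setdefault(sid, []).append(f"{e['ts'].isoformat()} " + ", ".join(reasons))
    return findings


if __name__ == "__main__":
    print(json.dumps(detect_session_replay(LOG), indent=2))
```

The natural response action is to revoke the flagged session server-side rather than only alert, since the legitimate user's password and MFA are still intact and they can simply sign in again.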
Industries Feeling the Brunt of AiTM Fraud & Factors Fueling the Increase
As more businesses move online, from banks to critical services, fraudsters find new targets. The specifics vary by location and sector, but one thing is clear: fraud respects no boundaries. In the United States, AiTM fraud increasingly targets financial services, e-commerce and iGaming.
For financial services, this means cybercriminals intercepting transactions or altering payment details, causing heavy losses. In e-commerce and marketplaces, attackers intercept and modify transactions in flight, redirecting payments to accounts they control. In gaming, attackers undermine players' trust by compromising accounts and exploiting in-game purchases, rewards or assets.
As fraud detection technology improves, attackers are now focusing on exploiting the weakest links in security systems. This often involves manipulating legitimate users. A few other factors driving the surge in AiTM fraud include:
- Fraudsters continue to weaponize AI. More than three-quarters (78%) of U.S. decision-makers have seen an increase in the use of AI in fraudulent attacks over the past year.
- Every business has its own weak spots, and attackers look for them. These gaps are fertile ground for sophisticated fraud schemes and AI-driven attacks.
- Attacks are growing more sophisticated. With phishing-as-a-service kits such as the one described above, attackers now bypass multi-factor authentication (MFA) by relaying it in real time, along with other security measures. The result is attacks that are more effective and harder to detect.
Five Strategies to Effectively Combat AiTM Fraud
Addressing the complex and evolving nature of AiTM fraud demands a tailored, data-driven, ecosystem-based approach. Below are five strategies to safeguard against AiTM fraud:
- Strengthen Email Protections: Implement advanced email filtering to quarantine phishing attempts and malicious attachments. This reduces the volume of lures that reach users and gives administrators a place to triage them, but filtering alone will not catch every message, so it lowers the risk of successful phishing rather than eliminating it.
- Enhance Access Security: Enable multi-factor authentication (MFA) to add an extra layer of security, and choose the method carefully. SMS codes can be intercepted, and even app-based one-time codes are relayed by an AiTM proxy in real time, because the victim types them into the attacker's page. Phishing-resistant methods, such as FIDO2 hardware security keys and passkeys, bind the credential to the legitimate site's origin, so a proxy on a look-alike domain cannot complete the login.
- Combine MFA with Biometric Authentication: Integrating biometric verification helps ensure that the person accessing the account is the legitimate user, so that even an attacker holding the login credentials and MFA codes is still short a biometric match. The caveat is where the biometric is checked: a fingerprint or face match that unlocks a device-bound authenticator (as with passkeys) cannot be relayed, whereas a biometric or liveness step the victim completes inside the proxied web session is relayed like any other factor, because the legitimate user is the one performing it.
- Threat Intelligence Sharing: Engage in threat intelligence sharing with industry peers and cybersecurity organizations. Businesses can enhance their defenses and avoid potential fraud attempts by collaborating and sharing insights about emerging threats and attack vectors.
- Regular Security Audits and Penetration Testing: Conduct regular security audits and penetration testing to identify vulnerabilities within the system. This proactive approach allows businesses to address weaknesses before they can be exploited by attackers.
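The MFA and biometric recommendations above rest on one distinction: whether the second factor is something the victim can be talked into handing over through a proxy, or something bound to the origin of the real site. The model below is an added example, not code from the article or any vendor, that plays out both cases with the three parties in a reverse-proxy phishing attack: the relying party, the phishing proxy on a look-alike domain, and the victim's browser. The TOTP is a real RFC 6238 computation; the "authenticator" is a toy HMAC over the challenge and origin standing in for a FIDO2/WebAuthn signature, and the domains, seed and key are constructed for the example.

```python
"""Why app-based codes fall to an AiTM proxy and origin-bound credentials do not.

Added example, not from the article. Models a reverse-proxy phishing attack
against two second factors. The TOTP is RFC 6238; the WebAuthn part is a toy
(HMAC instead of a public-key signature) that keeps the property that matters:
the signature commits to the origin the browser is actually on.
"""
import hashlib
import hmac
import struct
import time

REAL_ORIGIN = "https://login.example.com"      # assumed relying-party origin
PHISH_ORIGIN = "https://login-example.com"     # assumed look-alike proxy origin
TOTP_SECRET = b"12345678901234567890"          # constructed seed (also the RFC 6238 test seed)
AUTHENTICATOR_KEY = b"device-private-key-toy"  # stands in for the FIDO private key


def totp(secret, t=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, as produced by common authenticator apps."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def rp_verify_totp(code, t):
    """Relying party checks the code for the current time step. It has no way
    to know who typed it or on which site."""
    return hmac.compare_digest(code, totp(TOTP_SECRET, t))


def authenticator_sign(challenge, origin_seen_by_browser):
    """Toy WebAuthn assertion: the signature covers the challenge AND the origin
    the browser reports. A real authenticator signs clientDataHash, which
    commits to that origin in the same way."""
    data = challenge + b"|" + origin_seen_by_browser.encode()
    return hmac.new(AUTHENTICATOR_KEY, data, hashlib.sha256).hexdigest()


def rp_verify_assertion(challenge, origin_claimed, signature):
    """Relying party recomputes over ITS OWN origin. The proxy can forward the
    assertion and lie about the origin field, but cannot change what the
    victim's browser signed."""
    expected = authenticator_sign(challenge, REAL_ORIGIN)
    return origin_claimed == REAL_ORIGIN and hmac.compare_digest(signature, expected)


def aitm_relay_totp(t):
    """Victim reads the code from their app and types it into the phishing page;
    the proxy forwards it to the real site a few seconds later. Succeeds."""
    code_from_victim = totp(TOTP_SECRET, t)
    return rp_verify_totp(code_from_victim, t + 5)   # forwarded within the same 30 s step


def aitm_relay_webauthn():
    """Proxy forwards the real site's challenge to the victim's browser, which
    signs it with the origin it is actually on: the phishing domain. Fails."""
    challenge = b"rp-random-challenge-0001"            # constructed nonce from the RP
    sig = authenticator_sign(challenge, PHISH_ORIGIN)   # browser is on the look-alike site
    return rp_verify_assertion(challenge, REAL_ORIGIN, sig)  # proxy even claims the real origin


def legitimate_webauthn():
    """Same flow with the browser on the real site. Succeeds."""
    challenge = b"rp-random-challenge-0002"
    sig = authenticator_sign(challenge, REAL_ORIGIN)
    return rp_verify_assertion(challenge, REAL_ORIGIN, sig)


if __name__ == "__main__":
    now = int(time.time())
    print("AiTM relay of TOTP accepted by RP:   ", aitm_relay_totp(now))
    print("AiTM relay of WebAuthn accepted by RP:", aitm_relay_webauthn())
    print("Legitimate WebAuthn accepted by RP:   ", legitimate_webauthn())
```

The relay of the TOTP succeeds for the same reason the Rockstar 2FA campaign did: nothing in a six-digit code ties it to the site it was entered on, so the relying party cannot distinguish the victim from the proxy. The origin-bound assertion fails at the relying party without any user training, which is why the phishing-resistant methods are the ones worth rolling out first for accounts that matter.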
As technology advances and fraud continues to evolve with it, we face the persistent challenge of increased fraudster sophistication, threatening businesses of all sizes. To proactively mitigate the ongoing threats, a holistic approach is needed, including a combination of education, tailored solutions and real-time intelligence to safeguard customers. Staying abreast of threats and vulnerabilities will empower your business to innovate, continuously adapt to evolving threats and adopt a strategy that is effective at protecting systems and users.