Man-on-the-side – peculiar attack

What is a man-on-the-side attack, and how does it differ from a man-in-the-middle attack?

How a man-on-the-side attack works

There are attacks that everyone’s heard of, like distributed denial-of-service (DDoS) attacks; there are those that mostly only professionals know about, such as man-in-the-middle (MitM) attacks; and then there are the rarer, more exotic ones, like man-on-the-side (MotS) attacks. In this post, we talk about the latter in more detail, and discuss how they differ from man-in-the-middle attacks.

A who-on-the-where attack?!

So, how does a man-on-the-side attack work? Basically, a client sends a request to a server via a compromised data-transfer channel. This channel isn’t controlled by the cybercriminals, but it is “listened to” by them. In most cases such an attack requires access to the Internet provider’s hardware, and this is a very rare thing – and that’s why man-on-the-side attacks are in turn rare. These types of attacks monitor the client’s requests and generate their own malicious responses.

A man-in-the-middle attack works in a similar way. The attackers also tap into the data-transfer process between the client and the server. The main difference between these two types of attacks is that the man-on-the-side client’s request reaches the recipient (the server). Therefore, the goal of the attackers is to respond to the client’s request faster.

As for man-in-the-middle, the attackers has a greater level of control over the data transfer channel. They intercept the request, and can modify or delete data sent by other users on the network. Thus, they have no need to outrun the server’s response.

However, a man-in-the-middle is a much more invasive attack than a man-on-the-side one. And that means it’s easier to spot. We described in more detail how a man-in-the-middle attack works, based on an example with… Little Red Riding Hood in this post!

OK, but how does a man-on-the-side attack work?

A successful man-on-the-side attack makes it possible to send fake responses to various types of requests to the victim’s computer, and in this way to:

  • Replace a file the user wanted to download. In 2022, for example, APT group LuoYu delivered WinDealer malware to devices of victims most of whom were diplomats, scientists, or entrepreneurs in China. A request was sent to the server to update legitimate software, but the attackers managed to send their own patch version, complete with malware;
  • Run a malicious script on the device. According to the Electronic Frontier Foundation this is exactly how in 2015 the Chinese government tried to censor well-known open source community GitHub. The attackers used a man-on-the-side to deliver malicious JavaScript to browsers of unsuspecting users. As a result, these browsers refreshed GitHub pages over and over again. This DDoS attack lasted more than five days and significantly hampered the service;
  • Redirect the victim to the website.

On a side note, intelligence agencies in various countries are also suspected of using this type of attack.

Means of protection

We’ll repeat once again that man-on-the-side attacks are quite rare. Attackers need to have access to the provider’s hardware in order to carry them out. Therefore, business trips, work conferences or any other occasions when your employees connect to questionable Wi-Fi are high-risk situations. To stay safe, we recommend always working via a VPN, and using a strong security solution on all employee work devices.