Man-on-the-side (MotS) attack

Man-on-the-side (MotS) is an attack in which an intruder intercepts messages transmitted over a digital communication channel and sends their own data packets in response. For example, the attacker can intercept a request to update an application and respond with a malicious version. However, they cannot modify or delete data sent by other network participants, which is the main difference between an MotS attack and a man-in-the-middle (MitM) attack. For a MotS attack to be successful, the attacker needs to deliver their response before the victim receives a legitimate one.

Man-on-the-side attack mechanism

A typical MotS attack goes as follows. The client (for example, a browser on a user device) sends a request to the server (for example, to open an HTML page or install an update). The attacker inspects the traffic between them, intercepts the request, and uses the data specified there (IP addresses, ports, etc.) to generate and send a fake response – for example, a page or update with malicious code. If the client receives this packet before the server’s legitimate response, the malicious page or update is loaded. The legitimate response is then commonly discarded. In some cases, however, the attacker has to terminate the connection before the client receives a legitimate response.

The danger of MotS

Cybercriminals can use MotS to:

  • Redirect the user to their own website (including as part of a sophisticated attack).
  • Initiate the download of a malicious file instead of the file the user wants.
  • Run a malicious script on the user’s device, for example, to deploy it in a DDoS attack.

MotS can be used in other malicious ways too.

Examples of MotS attacks

  • The LuoYu APT group used MotS to distribute the WinDealer. The cybercriminals intercepted a request to update a legitimate application, and delivered spyware to the user in response.
    That same malware used MotS to communicate with the command and control (C2) server, sending requests to random (including non-existent) IP addresses; the attackers intercepted the requests and responded to them. In this way, they kept the real address of the C2 server hidden.
  • MotS was employed in a DDoS attack on GitHub. Instead of the page they requested, random users surfing the web were presented with a page containing malicious JavaScript code. This script forced the victim’s browser to constantly update two specific pages on GitHub, thus participating in the DDoS attack.
  • The MotS technique has also been used by the US National Security Agency, in particular – to deliver malware to user devices.

Related Posts