Adversary in the Middle (AiTM)

If you want to send someone a letter, you write the letter, put it in an envelope, address the envelope, and then drop it at a mailbox.

Computers send data instead of letters, but the process of getting data from point A to point B on the internet is conceptually similar to how mail travels by post to its destination. Letters go into envelopes and are taken to a mailbox, while data gets put into packets and sent to a gateway.

But what if someone stood up a fake mailbox? They could collect mail from a lot of people and read everything, including sensitive information. But it wouldn't take long for the postal service to realize that people's mail wasn't arriving. So instead, the owner of the fake mailbox could copy the letters and then drop them off at a real mailbox. That would let them go a lot longer without being detected.

Something similar can happen on a computer network. Someone can stand up a fake gateway and trick computers into sending their data to it instead of to the real gateway. With a fake gateway the impostor could stop people from getting online, but that would lead to them being discovered rather quickly. So instead they pass all the traffic through to the real gateway, but record it first. This lets them read it later, at a time of their choosing.

This kind of impostor is called an Adversary in the Middle (AiTM), or a Man in the Middle (MitM), which is the older term. Local AiTM attacks occur when someone stands up a fake gateway or, more commonly, a fake wireless access point.
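One way to notice the fake-gateway variant on a network you are already connected to is to watch who answers for the gateway's address. The check below is an added example, not code from the original page: it parses the output format of the Linux `ip neigh show` command (the sample lines are constructed for the demo, as are the addresses) and compares the MAC address currently claiming the gateway IP against a pinned baseline, the way a small watchdog on a laptop or monitoring host might. It cannot tell a look-alike wireless network from the real one, because on a fake access point the impostor simply is the gateway; it only catches a newcomer hijacking the gateway address on an existing network.

```python
"""Spot a spoofed default gateway in a neighbor (ARP) table.

Added example, not from the original page. Parses `ip neigh show` style
lines and flags two symptoms of a local Adversary in the Middle:
  1. the gateway IP now resolves to a different MAC than the pinned baseline
  2. that same MAC also answers for another IP (the attacker's own address)
"""
import re

# e.g. "192.168.1.1 dev wlan0 lladdr 3c:37:86:aa:bb:01 REACHABLE"
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$", re.I)


def parse_neigh(text):
    """Return {ip: mac} for every entry that has a resolved link-layer address.

    Entries without an lladdr (state FAILED or INCOMPLETE) are skipped.
    """
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def check_gateway(table, gateway_ip, pinned_mac):
    """Compare the gateway's current MAC with the pinned one; return findings."""
    findings = []
    current = table.get(gateway_ip)
    if current is None:
        findings.append(f"gateway {gateway_ip} not in neighbor table")
        return findings
    if current != pinned_mac.lower():
        findings.append(
            f"gateway {gateway_ip} now answers from {current}, expected {pinned_mac}"
        )
    # An attacker claiming the gateway IP usually keeps its real IP too,
    # so the same MAC shows up twice in the table.
    others = sorted(ip for ip, mac in table.items() if mac == current and ip != gateway_ip)
    if others:
        findings.append(f"MAC {current} also claims {', '.join(others)}")
    return findings


# Constructed sample output: a healthy table, then one with a spoofed gateway.
BASELINE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 3c:37:86:aa:bb:01 REACHABLE
192.168.1.20 dev wlan0 lladdr f0:18:98:12:34:56 STALE
192.168.1.77 dev wlan0 FAILED
"""

SPOOFED_NEIGH = """\
192.168.1.1 dev wlan0 lladdr de:ad:be:ef:00:42 REACHABLE
192.168.1.20 dev wlan0 lladdr f0:18:98:12:34:56 STALE
192.168.1.99 dev wlan0 lladdr de:ad:be:ef:00:42 REACHABLE
"""

GATEWAY_IP = "192.168.1.1"
PINNED_MAC = "3c:37:86:aa:bb:01"   # recorded on a trusted day, e.g. from `ip neigh`


def audit(neigh_text, gateway_ip=GATEWAY_IP, pinned_mac=PINNED_MAC):
    """Parse a neighbor table dump and return the list of findings (empty = clean)."""
    return check_gateway(parse_neigh(neigh_text), gateway_ip, pinned_mac)


if __name__ == "__main__":
    for label, dump in (("baseline", BASELINE_NEIGH), ("spoofed", SPOOFED_NEIGH)):
        print(label, audit(dump) or ["no findings"])
```

On a real host you would feed it the live output of `ip neigh show dev wlan0` and the MAC you recorded on a day you trusted the network; a changed MAC is not proof of an attack (routers get replaced), but it is the moment to stop trusting the connection until you have checked.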

When you go to a hotel, the hotel offers free WiFi. So you get to your room, select the hotel's WiFi network, and log in. How do you know that what you're logging into is the hotel's wireless access point? You really can't. And it wouldn't be all that hard for someone to stand up a fake copy of the hotel network and trick people into connecting to it. The same thing happens at convention centers, airports, etc.

And this kind of thing happens. In 2025 Michael Clapsis was convicted of impersonating the public WiFi at Australian airports and on multiple flights, tricking travelers into connecting to his device instead of the real network. He was caught in part because airports are closely watched environments, but he might well have gotten away with it at hotels, coffee shops, or other public spaces.

Impersonating a gateway or wireless router can be incredibly effective, but it only works on people within radio range of the attacker. Malicious links, on the other hand, allow someone to become an AiTM against anyone on the internet, which makes that approach far more dangerous and far more common.

Someone creates a fake copy of a real web page, and then sends out lots of links to that fake page, but makes the links look real. These fake links can be placed in emails, inserted into web pages, social media posts, forums, comments, etc. Everyone who clicks on one of them is taken to the fake look-alike page instead of the real one.

Imagine that someone made a fake copy of a bank or credit card company's web site. They could trick people into entering the username and password for accounts directly tied to financial resources. The impersonator copies those credentials and sends them to the real bank as if it were the victim trying to log in. When the bank responds with a challenge question or asks for a 2FA code, the impersonator passes that request back to the victim, copies the victim's answer, and forwards it to the bank while the code is still valid. This lets the impersonator steal the password, satisfy the second factor, and walk away with a logged-in session, bypassing MFA protection that relies on a code the user types.
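The relay described above, played out in code. This is an added example, not code from the original page: the Bank, Victim and Relay classes, the domains bank.example and bank-login.example, and the alice account are all constructed for the demo, and the bank's "text message" is just a dictionary the victim reads from. The code relay succeeds exactly as the paragraph says. The last step goes beyond the text: it shows why the same relay fails when the second factor is bound to the origin the browser is actually talking to, which is how phishing-resistant authenticators (hardware keys, passkeys) defeat AiTM.

```python
"""Toy model of an Adversary-in-the-Middle phishing relay.

Added example, not from the original page. Everything is a hypothetical
stand-in: the bank takes a password and then a six-digit code it 'texts'
to the user; the relay is the attacker's look-alike site sitting between
the victim's browser and the real bank.
"""
import hashlib
import hmac
import secrets


def sign_for_origin(device_key, origin, challenge):
    """An origin-bound authenticator signs the challenge AND the site it is on."""
    return hmac.new(device_key, f"{origin}|{challenge}".encode(), hashlib.sha256).hexdigest()


class Bank:
    """Hypothetical bank login: password, then a one-time code sent out-of-band."""
    ORIGIN = "bank.example"

    def __init__(self):
        self.users = {}        # username -> password
        self.device_keys = {}  # username -> key of a registered origin-bound authenticator
        self.phones = {}       # username -> last code 'texted' to that user
        self.pending = {}      # session_id -> (username, expected code)
        self.sessions = set()  # tokens handed out after a full login

    def register(self, username, password, device_key=None):
        self.users[username] = password
        if device_key is not None:
            self.device_keys[username] = device_key

    def login_password(self, username, password):
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None
        session_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.phones[username] = code                # the 'SMS' to the real user
        self.pending[session_id] = (username, code)
        return session_id

    def login_code(self, session_id, code):
        """Second factor, variant 1: a code the user types. Relayable."""
        username, expected = self.pending.pop(session_id, ("", ""))
        if not expected or not hmac.compare_digest(expected, code):
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def login_device(self, session_id, signature):
        """Second factor, variant 2: origin-bound signature over the session id."""
        username, _ = self.pending.pop(session_id, ("", ""))
        key = self.device_keys.get(username)
        if key is None:
            return None
        expected = sign_for_origin(key, self.ORIGIN, session_id)  # bank's own origin
        if not hmac.compare_digest(expected, signature):
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token


class Victim:
    """The user at their browser: types what the page asks for, reads codes off the phone."""
    def __init__(self, username, password, bank, device_key):
        self.username, self.password = username, password
        self.bank, self.device_key = bank, device_key

    def read_code_from_phone(self):
        return self.bank.phones[self.username]

    def touch_authenticator(self, origin_in_address_bar, challenge):
        # The authenticator mixes in the origin the browser is REALLY on.
        return sign_for_origin(self.device_key, origin_in_address_bar, challenge)


class Relay:
    """Attacker's look-alike site: forwards everything to the real bank, records it."""
    ORIGIN = "bank-login.example"   # hypothetical look-alike domain

    def __init__(self, bank):
        self.bank, self.loot = bank, {}

    def phish_with_code(self, victim):
        self.loot["password"] = (victim.username, victim.password)   # typed into the fake page
        session_id = self.bank.login_password(victim.username, victim.password)
        code = victim.read_code_from_phone()       # fake page: "enter the code we sent you"
        self.loot["code"] = code
        token = self.bank.login_code(session_id, code)   # forwarded while still valid
        self.loot["session"] = token
        return token

    def phish_with_device(self, victim):
        session_id = self.bank.login_password(victim.username, victim.password)
        signature = victim.touch_authenticator(self.ORIGIN, session_id)  # signed for the WRONG origin
        return self.bank.login_device(session_id, signature)


def run_demo():
    bank = Bank()
    device_key = secrets.token_bytes(32)
    bank.register("alice", "correct horse", device_key)
    alice = Victim("alice", "correct horse", bank, device_key)
    relay = Relay(bank)
    stolen = relay.phish_with_code(alice)
    blocked = relay.phish_with_device(alice)
    return {"code_relay_succeeded": stolen in bank.sessions,
            "origin_bound_succeeded": blocked is not None,
            "stolen": relay.loot}


if __name__ == "__main__":
    print(run_demo())
```

The point of the demo is the timing: the code the victim types is forwarded by the relay inside the window in which the bank will still accept it, so nothing about the code itself protects the victim. The origin-bound variant fails for the attacker because the victim's authenticator signed for bank-login.example, and the real bank only accepts signatures for bank.example.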
