Kudos0

Man-in-the-middle attack detected by Norton

Hi all,

Hope everyone has been well! I saw this in my logs recently and got a huge scare - 

The gateway physical address is my router address and SSID is that of my home Wifi. The thing is, I did not receive any pop-up about it (or perhaps I was distracted) and around 1 hour later Norton had a pop-up for the same SSID - 

So I googled about MiTM attacks and ARP spoofing, but it does not seem to tell me how I could possibly detect if the attack is still going on, and if it is, how I could possibly stop it. I'm assuming that this Scan Time of 6s Norton is reporting means the attacker got hold of my packets for 6 seconds..? Would appreciate any advice on how I could possibly check on this, and to know if the attack is still ongoing! I am currently still connected to this network as it is the only one I have to be able to access the internet, but I have connected and disconnected from it many times and haven't received this pop up again. Would appreciate any thoughts on this, thank you!

EDIT: The thing is, I just found out that my mum had been tampering with the wires connected to my routers and the optical network fibres because she was trying to shift the television around. Now I have intermittent connection on my mobile using Wifi, and I am unable to access my router's homepage like I normally can. It's a lot to take in all at once...

Replies

Kudos0

Re: Man-in-the-middle attack detected by Norton

Sounds like the man-in-the-middle might have been a woman - your mother. Do you think that moving the cables around could have been a cause?

Kudos1 Stats

Re: Man-in-the-middle attack detected by Norton

Hello, thanks for the response. Frankly, I am not sure, but it seems like the only out-of-ordinary thing that happened, and especially since it disrupted my internet connection. My primary concern would be - how can I be sure that the man-in-the-middle attack has ceased, and what does the 6s scan time in Norton history mean?

Kudos2 Stats

Re: Man-in-the-middle attack detected by Norton

You probably have already read this article from Norton from your search but it is a good explanation so I will include it here.

https://us.norton.com/internetsecurity-wifi-what-is-a-man-in-the-middle-...

My own opinion for what it is worth is that you are not in any danger. I am not sure about the 6 seconds of scan time but I do not think it means that someone had that time to steal info. The alert does say "no attention required" so I assume it prevented what it thought might be an attack. However, I still feel that your mom's meddling with the connections had something to do with this as the popup says something about linking an unauthorized MAC address with your IP address.

Yes you should monitor your history and keep an eye on this and report back here if you find something else and also report back if nothing is found. Stay safe and I salute you for your attention to cyber security.
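Added example, not part of any post in this thread: one way to check whether the gateway's IP is still mapped to the router's real MAC address is to parse the output of `arp -a` and compare it with the MAC printed on the router. The sample output, addresses and function names below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not taken from the thread).
SAMPLE_ARP = """\
Interface: 192.168.1.23 --- 0x7
  Internet Address      Physical Address      Type
  192.168.1.1           a4-2b-b0-11-22-33     dynamic
  192.168.1.40          3c-52-82-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Same cache after the gateway entry was overwritten with another host's MAC.
SPOOFED_ARP = SAMPLE_ARP.replace("a4-2b-b0-11-22-33", "3c-52-82-aa-bb-cc")

# Matches Windows ("ip  aa-bb-..") and Linux/macOS ("(ip) at aa:bb:..") entries.
ENTRY = re.compile(r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
                   r"((?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2})")

def norm_mac(mac):
    """Lower-case, colon-separated, zero-padded (macOS drops leading zeros)."""
    return ":".join(part.zfill(2) for part in re.split("[:-]", mac.lower()))

def parse_arp(text):
    """Return {ip: mac} for unicast entries only."""
    table = {}
    for ip, mac in ENTRY.findall(text):
        mac = norm_mac(mac)
        if int(mac[:2], 16) & 1:   # broadcast/multicast bit set: not a host
            continue
        table[ip] = mac
    return table

def check(table, gateway_ip, expected_mac):
    """List findings: gateway MAC mismatch, and MACs claiming several IPs."""
    findings = []
    seen, expected = table.get(gateway_ip), norm_mac(expected_mac)
    if seen is None:
        findings.append(f"gateway {gateway_ip} not in ARP cache")
    elif seen != expected:
        findings.append(f"gateway {gateway_ip} is at {seen}, expected {expected}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} answers for {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_ARP), ("spoofed", SPOOFED_ARP)):
        print(name, check(parse_arp(text), "192.168.1.1", "A4-2B-B0-11-22-33"))
```

A MAC that answers for several IPs is not always hostile (some routers and bridges do this legitimately), so treat that finding as a prompt to identify the device rather than as proof of spoofing.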

Kudos0

Re: Man-in-the-middle attack detected by Norton

The 6 second scan time is the time Norton spent scanning your network for vulnerabilities. Nothing to do with someone else scanning your system.

Kudos0

Re: Man-in-the-middle attack detected by Norton

Hi all, some updates - I've gotten a technician to come down and fix the Wifi so I'll be monitoring the connection for the next few days, BUT after the tech guy left I realised Norton history logged another MiTM attack before he came, this time on my other router, send help! The thing is, why does Norton not give any pop-ups about these attacks and simply log them as security history? Thought these sorts of attacks would be considered important enough to notify the user - it does say high severity after all.

I have changed the login passwords to the routers, and I will be monitoring this issue for the next few days to see if these attacks continue to happen, but just wanted to know if there are any other additional precautions that I can take on these attacks to prevent them from happening again? I am certainly hoping that no attacker has managed to get hold of any information and Norton managed to block them seeing no action is required..?

Appreciate any advice, thank you in advance!

Kudos0

Re: Man-in-the-middle attack detected by Norton

I think you are doing the things necessary to solve this issue such as changing passwords, having the technician check the wiring and monitoring your system. 

If your routers have administrative options, you should also shut off remote access and prevent new devices from accessing your network. You will need to search your router's website for instructions as to how to go into that admin area. You usually log in to your router from a browser.

As far as the Norton message, it does say no action required, and I do have medium and high log entries in my history that I also do not receive popups for, but they also say no action required. I would assume you would get a popup if it did require attention. These entries are harmless notifications that some piece of software was trying to access Norton but nothing very grave.

You should also use a VPN and HTTPS for the encryption they provide.

Kudos0

Re: Man-in-the-middle attack detected by Norton

Hi! First of all, it's very important to recognize whether it is a MITM attack or not. Hope that this article will be helpful for you.

2nd - shut off remote access to your router through the admin panel. Check the logs also.

Take care!
