Evil twins aren’t just the stuff of horror movies. In the online world, they can steal your sensitive details while you browse on public Wi-Fi, and in some cases they hack and spy on you via your private server.
What is an evil twin attack?
An evil twin attack is an attack in which a hacker sets up a fake Wi-Fi network that looks like a legitimate access point in order to steal victims’ sensitive details. Most often, the victims of such attacks are ordinary people who do not know how to look out for suspicious connections. The attackers can be quite sophisticated in their operations.
The attack can be performed as a man-in-the-middle (MITM) attack. The fake Wi-Fi access point is used to eavesdrop on users and steal their login credentials or other sensitive information. Because the hacker owns the equipment being used, the victim will have no idea that the hacker might be intercepting things like bank transactions. If they intercept it then they have access to your money.
Some people are taught to believe this can only happen on a public connection. Nothing could be further from the truth. This can happen on your private connections as well. Via an evil twin you can be hacked and shown information strictly tailored for your viewing.
An evil twin access point can also be used in a phishing scam. In this type of attack, victims will connect to the evil twin and will be lured to a phishing site. It will prompt them to enter their sensitive data, such as their login details. These, of course, will be sent straight to the hacker. Once the hacker gets them, they might simply disconnect the victim and show that the server is temporarily unavailable. But in most cases they do not. Some stay connected to the person for a very long time. They know everything the person looks at or does online.
Evil twin attack example:
The most common evil twin attack scenario you may come across in the wild is one with Captive Portals. Many public Wi-Fi networks use web pages that require your login details to connect you to the internet. The goal of this attack is to fool the victim into giving their authentication details for a legitimate Wi-Fi network. Once the hacker has these details, they can log into the network, take control of it, monitor unencrypted traffic, and perform other MITM attacks. Let’s delve deeper into what happens at every step of this attack.
Step 1: hacker sets up a fake wireless access point or connects to your ISP so that you and they are on the same server
A hacker chooses a public place that has many hotspots, such as your local Starbucks or an airport. Such places usually have multiple Wi-Fi access points with the same name. It’s good if you are walking around the building and don’t want to lose your connection, but it also makes the hacker’s job much easier when it comes to creating a fake hotspot with the same Wi-Fi name.
Now the bad actor can use anything from a network card, tablet, or laptop to a portable router or a Wi-Fi Pineapple (if they need more range) to create a hotspot. It’s pretty easy! Just think about the last time you used your phone as a hotspot to share a connection with your other devices or your friends. That’s exactly what a hacker does; however, they use the same Service Set Identifier (SSID) name, also known as simply the Wi-Fi name, as the legitimate one does.
Why does this matter? Because computerized devices are machines, and most devices aren’t clever enough to distinguish between a legitimate and a fake access point if they have the same SSID. (Some hackers can go as far as cloning the MAC address of the trusted network.) That’s why it’s called an evil twin!
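Because the SSID alone cannot tell the two apart, a defender has to compare the other fields an access point advertises. The following is an added example, not part of the original article: it checks Wi-Fi scan results against a baseline of the real access points. The network name, BSSIDs, channels and scan tuples are constructed, and it assumes the owner publishes fixed channels and one security mode.

```python
# Assumed baseline: what the network owner says the real APs look like.
KNOWN_GOOD = {
    "CoffeeShop-WiFi": {
        "security": "WPA2",
        # BSSID (AP MAC address) -> channel it is configured to use
        "aps": {"aa:bb:cc:00:00:01": 1, "aa:bb:cc:00:00:02": 6},
    },
}

# Constructed scan results: (ssid, bssid, channel, security, signal_dbm)
SCAN = [
    ("CoffeeShop-WiFi", "aa:bb:cc:00:00:01", 1, "WPA2", -62),
    ("CoffeeShop-WiFi", "aa:bb:cc:00:00:02", 6, "WPA2", -70),
    ("CoffeeShop-WiFi", "DE:AD:BE:EF:00:99", 11, "OPEN", -38),  # same name, open
    ("CoffeeShop-WiFi", "aa:bb:cc:00:00:01", 9, "WPA2", -41),   # cloned MAC
    ("Library-Guest", "11:22:33:44:55:66", 3, "OPEN", -55),     # no baseline
]


def find_suspect_aps(scan, baseline):
    """Return (bssid, channel, reasons) for every beacon that uses a
    baselined SSID but does not match what the baseline says about it."""
    findings = []
    for ssid, bssid, channel, security, _signal in scan:
        expected = baseline.get(ssid)
        if expected is None:
            continue  # nothing to compare against for this SSID
        bssid = bssid.lower()
        reasons = []
        if security != expected["security"]:
            reasons.append("security-mismatch")  # e.g. shown as 'Unsecure'
        if bssid not in expected["aps"]:
            reasons.append("unknown-bssid")
        elif expected["aps"][bssid] != channel:
            # A real AP's address heard on a channel it is not set to use
            reasons.append("known-bssid-wrong-channel")
        if reasons:
            findings.append((bssid, channel, reasons))
    return findings


if __name__ == "__main__":
    for bssid, channel, reasons in find_suspect_aps(SCAN, KNOWN_GOOD):
        print(f"{bssid} on channel {channel}: {', '.join(reasons)}")
```

A twin that copies the SSID, BSSID, channel and security mode exactly passes this check, so it narrows the problem rather than replacing encrypted connections.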
Step 2: hacker creates fake Captive Portal
If you’ve ever used public Wi-Fi, you have probably seen a Captive Portal page. They usually either ask for some basic information about you or prompt you to enter Wi-Fi login and password. The problem with Captive Portals is that there’s no standard on how they should look, and they are usually poorly designed.
Those who use public Wi-Fi are so used to them being this way that it’s hard to tell the difference between a legitimate page and a fake one. Unfortunately, if you come across the latter, it will send your details straight to the hacker.
Hackers might skip this step if they are setting up an evil twin where the Wi-Fi network is open and thus doesn’t have a captive portal. If the legitimate Wi-Fi has a password, faking a captive portal helps the hacker to get login details and connect to the network.
Step 3: hacker makes victims connect to evil twin Wi-Fi
Now that the hacker has a hotspot and a captive portal, they need to make people ditch the legitimate connection and connect to theirs. This can be done in two ways:
They create a stronger Wi-Fi signal by positioning themselves closer to their victims, which will result in nearby devices automatically connecting to the evil twin.
They kick everyone off the main network by DoSing them, or by flooding them with deauthentication packets. The devices connected to the legitimate network will be disconnected, which will lead users back to their Wi-Fi connection page.
Now they will see a new network with an identical name, which most likely will state ‘Unsecure’. This will set off alarm bells for security-aware users, but many people will simply brush it off. This method might not work in an office environment, where it would raise suspicion.
Step 4: hacker steals login details
If the evil twin has a fake captive portal, the user will be directed straight to the login page when they click on the new network. They will be required to enter the same login details they used the first time they connected to a legitimate network.
This time round, however, they are sending these details to the hacker. Now that the hacker has them, they can monitor network traffic and what you do online. If you tend to use the same login details for all your accounts, the hacker could also use them in credential stuffing attacks.
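The deauthentication flood mentioned in step 3 leaves a trace that a network owner can watch for. The following is an added example, not part of the original article: it raises an alert when too many deauthentication frames for one network arrive within a short window. The frame tuples, addresses, window and threshold are constructed assumptions; real input would come from a wireless capture parsed into this shape.

```python
from collections import defaultdict, deque

AP_REAL = "aa:bb:cc:00:00:01"    # constructed addresses
AP_OTHER = "aa:bb:cc:00:00:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def detect_deauth_bursts(frames, window_ms=5000, threshold=10):
    """frames: (timestamp_ms, subtype, bssid, destination), sorted by time.
    Returns {bssid: timestamp_ms of the frame that first pushed the count of
    deauth frames inside the sliding window up to the threshold}."""
    recent = defaultdict(deque)   # bssid -> timestamps still inside the window
    alerts = {}
    for ts, subtype, bssid, _dest in frames:
        if subtype != "deauth":
            continue
        seen = recent[bssid]
        seen.append(ts)
        while ts - seen[0] > window_ms:
            seen.popleft()        # drop timestamps that left the window
        if len(seen) >= threshold and bssid not in alerts:
            # Forged deauth frames carry the real AP's address, so the alert
            # names the network being disrupted, not the sender.
            alerts[bssid] = ts
    return alerts


def build_sample_frames():
    """Constructed capture: routine traffic plus one burst against AP_REAL."""
    frames = [
        (0, "beacon", AP_REAL, BROADCAST),
        (1000, "deauth", AP_OTHER, "02:00:00:00:00:0a"),   # ordinary roaming
        (30000, "deauth", AP_OTHER, "02:00:00:00:00:0b"),
    ]
    # 20 broadcast deauth frames in two seconds
    frames += [(40000 + i * 100, "deauth", AP_REAL, BROADCAST) for i in range(20)]
    return sorted(frames)


if __name__ == "__main__":
    for bssid, ts in detect_deauth_bursts(build_sample_frames()).items():
        print(f"deauth burst against {bssid} at {ts} ms")
```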
How to protect yourself
Protect yourself on private and public Wi-Fi
Don’t log into any accounts when on public Wi-Fi. This way, the hacker will not be able to steal your credentials and use them against you.
Don’t dismiss your device’s notifications, especially if you were kicked off the network and you’re connecting to what you think is a known Wi-Fi network. If your device recognizes it as a new network, don’t ignore it!
Avoid connecting to Wi-Fi hotspots that say ‘Unsecure,’ even if they have a familiar name.
Use 2-factor-authentication for all your sensitive accounts. This way, even if a hacker gets hold of your login credentials, they will still struggle to get into your accounts.
Learn to recognize social engineering attacks, phishing, and spoofed URLs.
Only visit HTTPS websites, especially when on open networks. HTTPS websites provide end-to-end encryption, making it difficult or impossible for hackers to see what you do when you visit them.
Don’t autosave public Wi-Fi networks on your device for later use, because when your device is not connected to your home or office network, it will transmit so-called probes. They can give out a lot of information about you, including your home address. Hackers can sniff this information and pretend to be your home network.
Use a VPN whenever you connect to a public hotspot. It will encrypt your traffic before it leaves your device, making sure that no one sniffing the traffic can see your browsing behaviors.