An evil twin attack can affect anyone who uses public Wi-Fi while they’re on the go, whether it’s to check messages, browse online, post on social, or perform urgent online banking. Professionals, especially those who travel for work, doing business in coffee shops, airports and hotels, are most at risk.

Public Wi-Fi carries additional risk because legitimate networks are often left unsecured for the sake of easy access. Hackers exploit this convenience by setting up a malicious evil twin Wi-Fi network that looks like a trusted public network (such as a coffee shop's or hotel's).

What Is An Evil Twin?

An evil twin attack is a cyberattack that fools users into connecting to a fake public Wi-Fi network set up by the attacker. The fake network imitates the legitimate Wi-Fi network of a coffee shop, hotel, airport or other busy location.

This impostor access point mimics the legitimate network, often using the same name or a very similar one. Once the user connects to the evil twin Wi-Fi network, they can browse as usual, but the hacker can now see everything that passes through it, from network traffic to login credentials.

The evil twin is so named because it imitates a legitimate Wi-Fi network so closely that it is often indistinguishable from the original. This type of attack is hazardous because it is almost impossible for the user to identify.

How Does An Evil Twin Attack Work?

The most successful evil twin attacks trick victims into believing they are connecting to a legitimate public Wi-Fi network. It takes a bit of work to make the attack believable. To accomplish this, hackers take the following typical steps:

Step 1: Choosing a Location with Free Wi-Fi

Hackers select a high-traffic location with free Wi-Fi (at a coffee shop, hotel, or airport) to stage their attack. Places like these have multiple access points with the same name, which makes it easy to create a fake network that avoids detection.

Step 2: Set Up A Fake Wi-Fi Network

Once the fake Wi-Fi network equipment is in place, the hacker creates a hotspot with the same (or very similar) Service Set Identifier (SSID) name as the real network. 

Cybercriminal gangs can use one of several devices to accomplish this: usually a standard access point (AP), but a laptop, tablet or portable router will also do.

Step 3: Creating a Phoney Captive Portal Page

Public Wi-Fi networks often have what’s called a captive portal page. When users access a free network, they land on this page, where they enter a password or basic information to access the network. 

While captive portal pages are legitimate, hackers often replicate them on their evil twin to trick users into providing login information. It’s difficult to distinguish between a legitimate and a fake captive portal page as they will often have the correct company logo.

Once a hacker has set up the evil twin access point and fake captive portal page, they often move their device closer to potential victims, creating a stronger signal. User devices typically choose the network with the strongest signal, and some devices will connect automatically.

Step 4: Monitoring and Stealing User Data

Once the victim unknowingly connects to an evil twin Wi-Fi network, the hacker can monitor their online activity, from browsing social media to checking their bank accounts. 

A hacker can collect login credentials to any account the user accesses while on the hacker’s access point. If the user uses the same credentials for multiple accounts, this is an even bigger score for the hacker.

8 Ways To Avoid An Evil Twin

Evil twin Wi-Fi networks are challenging to identify by design because the average user may not even know such a risk exists. However, several best practices can help you avoid suspicious connections.

The following are eight ways to avoid becoming the victim of an evil twin attack.

1. Always Check the Public Wi-Fi Name

Pay attention to the Wi-Fi name whenever you access a free Wi-Fi network. Amateur hackers who use a similar Wi-Fi name may introduce easy-to-spot misspellings, so look for any obvious mistakes in the name. Sometimes, however, the differences are more subtle.

For example, the evil twin Wi-Fi name in your favourite coffee shop or cafe may be spelled exactly like the real one. If the hacker is seated nearby, the signal of their fake network will be the strongest.
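As an added illustration (not code from the original article), the following Python script applies this tip's checks to a Wi-Fi scan: it compares every network name against the SSID the venue advertises, and flags access points that share that name but are open where the others are secured, broadcast much more strongly than the rest, or carry a vendor prefix no other AP with that name has. The scan data is constructed, and the vendor-prefix check is a heuristic assumption, not a rule from the article.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample scan (SSID, BSSID, signal %, security), modelled on what a
# laptop lists in a cafe with two genuine APs and a nearby rogue device. Not real data.
SCAN = [
    ("CafeBlue_Guest", "a4:2b:8c:11:22:33", 54, "WPA2"),
    ("CafeBlue_Guest", "a4:2b:8c:11:22:34", 51, "WPA2"),
    ("CafeBlue_Guest", "0e:ff:01:aa:bb:cc", 92, "open"),   # same name, open, strongest
    ("CafeBlue-Guest", "0e:ff:01:aa:bb:cd", 88, "open"),   # look-alike name
    ("HotelLobby",     "58:ef:68:00:00:01", 40, "WPA2"),
]

def oui(bssid):
    """First three octets of a BSSID; they identify the hardware vendor."""
    return bssid.lower()[:8]

def find_suspicious(scan, known_ssid, sim_threshold=0.85, signal_gap=25):
    """Flag access points with evil-twin traits relative to the SSID the venue
    advertises. Returns {bssid: [reasons]}; an empty dict means nothing looked off."""
    findings = defaultdict(list)
    aps = [a for a in scan if a[0] == known_ssid]
    secured = [a for a in aps if a[3] != "open"]
    ouis = [oui(a[1]) for a in aps]
    for ssid, bssid, signal, sec in scan:
        if ssid != known_ssid:
            # Near-identical names (e.g. one changed character) are the classic twin.
            ratio = SequenceMatcher(None, ssid.lower(), known_ssid.lower()).ratio()
            if ratio >= sim_threshold:
                findings[bssid].append(f"'{ssid}' looks like '{known_ssid}' (similarity {ratio:.2f})")
            continue
        if sec == "open" and secured:
            findings[bssid].append("open network, but other APs with this name are secured")
        # Heuristic (assumption): a venue's own APs usually share a vendor prefix.
        if len(set(ouis)) > 1 and ouis.count(oui(bssid)) == 1:
            findings[bssid].append(f"vendor prefix {oui(bssid)} matches no other AP with this name")
        others = [a[2] for a in aps if a[1] != bssid]
        if others and signal - max(others) >= signal_gap:
            findings[bssid].append(f"signal {signal}% far above the next strongest AP ({max(others)}%)")
    return dict(findings)

if __name__ == "__main__":
    for bssid, reasons in find_suspicious(SCAN, "CafeBlue_Guest").items():
        print(bssid)
        for r in reasons:
            print("  -", r)
```

On a real machine the SCAN list would be filled from the operating system's scan results; the checks themselves do not depend on where the rows come from.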

2. Use a Virtual Private Network (VPN)

A VPN protects you from evil twin attacks because it encrypts your data while you access the internet, no matter what network you use (even an evil twin).

A reliable VPN encrypts your traffic before it leaves your device and sends it over the Wi-Fi to a trusted VPN endpoint, so a hacker on the local network cannot read or make sense of it. Using a VPN is good practice any time you access a public network, even a legitimate one.

3. Do Not Ignore Security Warnings

When you connect to a free public Wi-Fi network, your device may alert you if its security application detects something suspicious. If this happens, take notice. 

Not every user pays attention to these notifications, which often results in negative consequences. Instead of dismissing these warnings, respond accordingly and avoid connecting.

Also, remember that even when there are no warnings, even legitimate public access points are not secure. If you don’t use a VPN service (as described earlier), avoid accessing your sensitive accounts, especially online banking.

4. Disable Auto-Connect

Auto-connect is a convenient feature, especially when you access the same networks regularly. When you have auto-connect enabled, your device automatically connects to any network you have used before once you are within range. This can be dangerous, especially if you unknowingly connected to a public Wi-Fi network in the past. 

Disable the auto-connect feature whenever you are away from your home or office. This way, your device will prompt you for permission before connecting. You will have the opportunity to inspect the network name and approve or disapprove before connecting.

5. Avoid Online Banking When on Public Wi-Fi

Whenever possible, avoid accessing banking services while on public Wi-Fi. If you have inadvertently joined an evil twin network, a hacker can intercept your login credentials with a man-in-the-middle attack that decrypts the SSL/HTTPS traffic (see tip 7).

As already discussed, using a VPN service is far more secure when on public Wi-Fi. Also, ensure your financial accounts have unique passwords and two-factor authentication (2FA) enabled.

Many people are comfortable scrolling through social media while on a public Wi-Fi network. However, if your Facebook login credentials are the same as those for your online banking account, a hacker who captures the former may be able to access your online banking.

6. Use Your Own Hotspot

Using your personal hotspot over 4G/5G from your mobile phone instead of public Wi-Fi protects you from evil twin attacks because you have your own reliable mobile network whenever you’re away from home or the office. You can then join that hotspot from your tablet or laptop.

Although most mobile providers offer ‘localised hotspots’ as part of their mobile plans, these public hotspots can also be copied using the evil twin technique.

7. Understand HTTPS Sites May Not Be Safe

When using public Wi-Fi, it is best practice to browse only to sites protected by HTTPS, as their traffic is encrypted to stop eavesdroppers inspecting or retrieving user data. If your browser alerts you that the site you are visiting does not have an HTTPS connection, leave it as soon as possible.

However, with an evil twin, even an HTTPS site may not be safe. This kind of eavesdropping is a man-in-the-middle attack: an attacker or device sits between two unaware parties and intercepts or changes the communications between them.

During a man-in-the-middle attack, the attacker first redirects your online banking request to a malicious HTTPS server. This server decrypts the initial request, then re-encrypts it and forwards the (now compromised) request to the unsuspecting official banking server. For the browser to accept this, the interposed server must present a certificate the device trusts; otherwise the browser raises the kind of certificate warning described in tip 3, which is one more reason never to click through such a warning.

At this point, all data in the ‘secure’ HTTPS data flow between the end user and the online banking server is compromised.

8. Use Two-Factor Authentication

Multifactor authentication (aka 2FA or MFA) is a form of protection that requires two or more steps to log into a system. The user typically has a password and then uses a code sent to their mobile device to log in to their account. 

While this isn’t a security measure that protects against password theft, it protects the user’s account from unauthorised access, as the hacker will also need access to the mobile device. If your essential accounts offer two-factor or multifactor authentication, take advantage of it. 

Conclusion

The evil twin is dangerous for individuals as well as organisations. While it’s damaging enough for a personal account to be compromised, a data breach of a corporate account can have devastating consequences that affect thousands of people. 

Every user should be conscientious when accessing public Wi-Fi in coffee shops or hotel lounges, especially if they do so without the extra protection of a VPN, personal hotspot, or multifactor authentication. 

Employees should be trained to access the internet safely while working away from the office, and this is a critical component of internet security training. Employees should understand the risks so they can avoid problems whenever possible.

From anti-malware, anti-phishing, SEO poisoning, and 2FA to SASE and cloud-based air-gap immutable backup storage, Securus has a security solution to suit your requirement and budget. 

If you would like to discuss your network security requirements in more detail with one of our cybersecurity professionals, please don’t hesitate to get in touch.
