Evil twins aren’t just the stuff of horror movies. In the online world, they can steal your sensitive details while you browse on public Wi-Fi. Find out what an evil twin attack is, how it’s performed, and how to protect yourself from it.
Mar 03, 2020 · 5 min read
An evil twin attack is a hack attack in which a hacker sets up a fake Wi-Fi network that looks like a legitimate access point to steal victims’ sensitive details. Most often, the victims of such attacks are ordinary people like you and me.
The attack can be performed as a man-in-the-middle (MITM) attack. The fake Wi-Fi access point is used to eavesdrop on users and steal their login credentials or other sensitive information. Because the hacker owns the equipment being used, the victim will have no idea that the hacker might be intercepting things like bank transactions.
An evil twin access point can also be used in a phishing scam. In this type of attack, victims will connect to the evil twin and will be lured to a phishing site. It will prompt them to enter their sensitive data, such as their login details. These, of course, will be sent straight to the hacker. Once the hacker gets them, they might simply disconnect the victim and show that the server is temporarily unavailable.
The most common evil twin attack scenario you may come across in the wild is one with Captive Portals. Many public Wi-Fi networks use web pages that require your login details to connect you to the internet. The goal of this attack is to fool the victim into giving their authentication details for a legitimate Wi-Fi network. Once the hacker has these details, they can log into the network, take control of it, monitor unencrypted traffic, and perform other MITM attacks. Let’s delve deeper into what happens at every step of this attack.
A hacker chooses a public place that has many hotspots, such as your local Starbucks or an airport. Such places usually have multiple Wi-Fi access points with the same name. It’s good if you are walking around the building and don’t want to lose your connection, but it also makes the hacker's job much easier when it comes to creating a fake hotspot with the same Wi-Fi name.
Now the bad actor can use anything from a network card, tablet, or laptop to a portable router or a Wi-Fi Pineapple (if they need more range) to create a hotspot. It’s pretty easy! Just think about the last time you used your phone as a hotspot to share a connection with your other devices or your friends. That’s exactly what a hacker does; however, they use the same Service Set Identifier (SSID) name, also known as simply the Wi-Fi name, as the legitimate one does.
Why does this matter? Because most devices aren’t clever enough to distinguish between a legitimate and a fake access point if they have the same SSID. (Some hackers can go as far as cloning the MAC address of the trusted network.) That’s why it’s called an evil twin!
If you’ve ever used public Wi-Fi, you have probably seen a Captive Portal page. They usually either ask for some basic information about you or prompt you to enter Wi-Fi login and password. The problem with Captive Portals is that there’s no standard on how they should look, and they are usually poorly designed.
Those who use public Wi-Fi are so used to them being this way that it’s hard to tell the difference between a legitimate page and a fake one. Unfortunately, if you come across the latter, it will send your details straight to the hacker.
Hackers might miss this step if they are setting up an evil twin where Wi-Fi network is open and thus doesn’t have a captive portal. If the legitimate Wi-Fi has a password, faking a captive portal helps the hacker to get login details and connect to the network.
Now that the hacker has a hotspot and a captive portal, they need to make people ditch the legitimate connection and connect to theirs. This can be done in two ways:
Now they will see a new network with an identical name, which most likely will state ‘Unsecure’. This will set off alarm bells for security-aware users, but many people will simply brush it off. This method might not work in an office environment, where it would raise suspicion.
If the evil twin has a fake captive portal, the user will be directed straight to the login page when they click on the new network. They will be required to enter the same login details they used the first time they connected to a legitimate network.
This time round, however, they are sending these details to the hacker. Now that the hacker has them, they can monitor network traffic and what you do online. If you tend to use the same login details for all your accounts, the hacker could also use them in credential stuffing attacks.