Now that more and more companies are offering their employees the ability to work remotely, organizations may find themselves unwittingly exposed to attacks Evil Twin.
In this article, we'll break down the Evil twin attack and explain how to spot it and how to prevent it from causing you trouble.
What is the Evil Twin Attack?
Evil twin attacks are a type of Man in the Middle (MitM) attack in which a fake Wi-Fi network is created to steal information or further infiltrate a connected device.
This is often done in public locations where people are more likely to search for or connect to freely available Wi-Fi. This can happen in airports, coffee shops, large public parks, etc., but hackers can exploit this attack anywhere, mainly because fake Wi-Fi can be easily created and deployed.
How an Evil Twin attack affects you
If successful, a hacker has effectively hijacked your internet connection, connecting you to their network. This can mean that the hacker can steal your login information, see sensitive details and information from the websites you visit, and even redirect some of your commands and tasks.
For example, let's say you connect to a fake Wi-Fi, log into your bank account and initiate a money transfer. In this case, a hacker can see this, change the details of the transaction as it passes through their network, and return a legitimate receipt.
Because you don't know you've been exposed, you wouldn't necessarily look at the receipt, and the hacker can walk away with your money.
How does the Evil Twin attack work?
Unfortunately, an Evil twin attack is relatively easy to create and difficult to detect due to the nature of how devices connect to Wi-Fi. Here's how hackers do it.
Step One: Set Up Wi-Fi for Evil Twin Attack
First, a hacker finds you in a prime location where people want to connect to free Wi-Fi networks.
Using a device like a hotspot or a Wi-Fi Pineapple, it can create its own Wi-Fi network. Using a tool like hostapd-wpe and this way they can impersonate any network and if given enough time even get the network credentials.
To impersonate an existing connection, they will likely use the same SSID (network name) as the one that already exists. Depending on how sophisticated and experienced they are, they can even copy the MAC address.
Currently, devices often present only the SSID when you want to connect, so it would be difficult to distinguish the real device from the imposter without looking for specific details that might indicate an attack.
Step Two: Captive Portal Setup
The Captive Portal is usually the separate web page or initial pop-up window after connecting to a Wi-Fi network. Most of the time, it asks you for some information before allowing you to access the internet.
Hackers can create their own captive portals to begin stealing sensitive information so they can connect to the original Wi-Fi network and further present that the Wi-Fi connection is secure.
A tool like dnsmasq can be used to create captive portals and spoof DNS servers to make it look more believable.
Step Three: Push the victim to connect to the Evil Twin network's Wi-Fi connection
At this point, unsuspecting victims looking for a free Wi-Fi connection will probably see two different connections with the same name. Even though they're not likely to give it much thought (especially as most connections come on a 2G/5G tether), a hacker still has about a 50-50 chance of successfully putting a person at risk.
To increase their chances of success, they can physically move the Wi-Fi hotspot or transmitter closer to victims so that the connection appears first and is stronger than the actual connection.
They can also flood the initial connection with a DoS. This can disable anyone connected to the real Wi-Fi while preventing others from connecting.
At this point, victims are much more likely to connect to the hacker's malicious Wi-Fi network.
Step four: Risks of connecting to the malicious network
Once the victim connects to the network, they are shown the fake, which can be the beginning of data theft. Because the hacker can now monitor your connection, they can record everything you type and see your activity as you browse the web.
This can allow them to steal credentials, view sensitive information, and potentially further compromise your device. Depending on the hacker's level of sophistication, they can introduce malware and ransomware that can give them remote access and control over your device even after you log out.
MitM packages can be leveraged at this point. Hackers can deploy packet injections that can replace the content of the website the victim is navigating to (for example, to direct them to a malicious website), or payloads (in the form of malicious code, ransomware or malware) can grow inside uploaded files without the victim's knowledge.
For organizations, this can be extremely concerning if the victim is using a corporate device, or more commonly, the device is connected to any app, software, or has access to any website that could then allow the hacker to infiltrate the organization.
How to spot an Evil Twin connection
By design, Evil Twin networks are quite difficult to detect without special detection tools. However, there are some best practices that can help you stay away from any suspicious links.
- Δώστε προσοχή στα ονόματα Wi-Fi: Γι’ αυτό αναζητήστε τυχόν προφανή λάθη ως σημάδι επίθεσης.
- See any alerts: If your device warns you that a Wi-Fi connection is insecure, it's best not to connect to it, even if it looks secure.
How to prevent an Evil Twin attack
Prevention is much more effective against this type of attack than simple detection. Here are some steps that can help you:
- Use a VPN: VPNs were created to prevent hackers (and anyone else) from tracking your online activity. It's a good tool you can use to stay safe even if you connect to an Evil Twin Wi-Fi.
- Only browse HTTPS websites: as HTTPS connections are encrypted to prevent hackers from seeing your activity. If your browser notices that a website you've visited does not have an HTTPS connection, move away from it as soon as possible.
An easy way to ensure you're browsing HTTPS sites is to install the HTTPS Everywhere browser extension you'll find here. Almost all browsers support it and it is a very effective way to ensure that you are browsing safely.
- Turn off automatic login: This means it cannot distinguish between safe Wi-Fi networks and Evil Twin networks.
- Stay away from public Wi-Fi: If possible, use a personal hotspot or one that you're sure hasn't been hacked.
- Limit your online activities: If you can't be sure you're not connected to a compromised Wi-Fi, avoid visiting websites or taking actions that, if detected, could further expose you to risk. Do not log into accounts or visit websites that contain sensitive information.
Organizations may also use or encourage the use of wireless intrusion prevention systems (WIPS), which are designed to prevent hackers from monitoring activity over wireless connections.
Information and prevention tools to avoid Evil Twin attacks on companies and organizations
“Evil Twin” attacks can be dangerous, especially for organizations, through unsuspecting employees. Make sure your employees are aware of the risks so they can avoid mistakes whenever possible.
Organizations that use network monitoring and detection tools and leverage network segmentation can either detect an attacker who has entered through an evil twin attack or prevent them from accessing critical assets altogether.