How to defend against evil twin attacks

Anton P. | October 27, 2020

An evil twin is a strategy of replicating an authentic Wi-Fi network but adding a sinister twist to it. Users encounter dozens of free internet access points and might overlook their deep-rooted issues. However, taking a leap of faith with an unknown network does not always lead to a satisfactory experience. The consequences could turn dire if you unknowingly connect to an evil twin. It impersonates a valid Wi-Fi hotspot and reports back to its vindictive controllers with extensive logs on users’ activities. So, you should evaluate all odds before connecting to a wireless network. We invite you to take a walk down the security lane and uncover the truth behind fake Wi-Fi spots.

What is an evil twin attack?

Evil twin attack refers to the creation of malicious Wi-Fi hotspots with the sole purpose of spying on connected clients. Hackers typically set up fake networks in crowded public locales that already offer free Wi-Fi. For instance, a popular hangout such as a coffee shop is ideal for launching evil twins. The hackers copy the most eye-catching details, such as Service Set Identifier (SSID), to resemble reliable options. So, when you sit at a table in Starbucks, you might notice several hotspots named “Starbucks.” Hence, crooks mislead clients into connecting to a fake network by mimicking the details of the original.

There have been instances when researchers test people’s vigilance and attitude towards Wi-Fi networks. In 2016, Avast conducted an experiment on Mobile World Congress participants. The white hat culprits unleashed evil twins at the Barcelona Airport with familiar names and set camp to wait for connections. The final results revealed that over a thousand of them occurred.

Why are they so dangerous?

Evil twins operate as MitM attacks, hoping to manipulate your connection and capture access to your device. The controllers supervise sessions and look for opportunities to modify packets or insert malware into victims’ gadgets. Furthermore, malicious networks are fruitful sources of credentials and other private information. Hackers can even harvest financial data if the user decides to perform financial transactions.

The sad truth is that evil twins barely have any telltale signs that could expose their precarious nature. They perform their primary task of giving access to the internet, and victims probably won’t question it. Clear indicators might come only after users notice unauthorized actions performed on their behalf. Since evil twins retrieve greedy slices of private details, identity theft, hacks, blackmail, or financial losses are possible.

Types of evil twin raids

  • Copying captive portals. Filling credentials in a captive portal page is a routine procedure when connecting to Wi-Fi. However, it does not increase the credibility of hotspots. Crooks might reproduce the page and automatically redirect first-time connecting clients to it.
  • Fishing for passwords to legitimate networks. An evil twin could mimic a Wi-Fi hotspot belonging to a legitimate corporation. Let’s presume that hackers configure an evil twin and operate from a lobby of a business center. Employees connecting to the Wi-Fi spot unwittingly click on the fake hotspot and provide the legitimate network’s credentials. This trickery might seem minor, but in reality, it supplies hackers with the correct password to connect to a corporate network. Employees might not detect any red flags. Once the evil twin denies their request to join, they could simply switch to the authentic access point.
  • The classic maneuver of imitating and spying. Crafting evil twins and quietly monitoring connections is a timeless strategy. However, do not assume that fake wireless networks require expensive or bulky equipment. Professional hackers could invest in such tools as Wi-Fi Pineapple from Hak5, high-gain antennas, and battery packs. To conceal these gadgets, crooks could place them in suitcases or simple backpacks. Some con artists could travel lighter. For instance, BetterCAP is one of the alternatives, reinforcing MitM attacks on networks.

Trickery to make customers connect to evil twins

Evil twins might offer stronger signals. Hackers position their access points in more strategic places than the original. When users check the Wi-Fi lists, they will see the fake network at the top. Hence, they are more likely to connect to that hotspot instead of those offering less robust connections.

Hackers could also break off automatic connections. Regular customers or visitors could connect to the original Wi-Fi automatically. To put these users back on the market, crooks intentionally halt connections. By overwhelming networks with deauthentication packets, crooks cease users’ connectivity. Now, people will attempt to reconnect, and a bunch of them could choose the evil twin.

Lastly, evil twins might not require passwords. Some authentic Wi-Fi hotspots need passwords to verify access. Typically, people have no issue finding the correct credentials. However, hackers could tempt users with passwordless hotspots, offering immediate access to the internet.

Overcoming evil twin attacks

  • Say “no” to public Wi-Fi. Obviating wireless networks is possible but not very realistic. Even if you give up public Wi-Fi, you are still likely to use it at work or at home. Of course, you can take additional precautions, but the threat remains to an extent. So, while the Wi-Fi diet will protect you from universal attacks at popular hangouts, it will leave you less flexible.
  • Check whether hotspots are safe. Pay attention to the “Unsecured” warnings that might appear. Terminate such connections as soon as possible to avoid unauthorized monitoring from evil twins. Also, if your connection unexpectedly terminates, be vigilant when joining another or seemingly the same network.
  • Do not perform highly-personal actions. Public Wi-Fi hotspots are inadequate for financial transactions, business operations, or exchange of classified data. While we seek mobility, it should not overshadow the need for security.
  • Use 2FA for your accounts. If hackers obtain your credentials, they will need proof beyond passwords to access accounts. Two-factor authentication should be a priority, applied to every account that offers this measure.
  • Conceal web traffic with a VPN. It is a competent tool that will encrypt traffic before it leaves your device. Hence, hackers controlling evil twins won’t eavesdrop on your activities as VPN supplies quality protection layers. In addition to keeping browsing truly private, Atlas VPN will also disguise your physical location.
Anton P.

Anton P.

Former chef and the head of Atlas VPN blog team. He's an experienced cybersecurity expert with a background of technical content writing.


mitm attackfake wi-fi

© 2024 Atlas VPN. All rights reserved.