Evil Twin Attack 101

This form of attack happens when you're out and about, and when you need to connect to a public Wi-Fi network...


While we at VPN reports love public Wi-Fi networks, we also realize using them represents a security risk. Except, that is, if you’re using a VPN, which will encrypt all traffic flowing between your device and the rest of the Internet.

But let’s not get ahead of ourselves. In this article, we’ll try to explain the evil twin attack, which is closely tied to public Wi-Fi. Read on for more…

What is an evil twin attack?

Imagine trying to connect to a public Wi-Fi network which you’ve used in the past. But when you click/tap to scan available Wi-Fi access points, you see that something’s strange. Or you may not see it right away, but you may have connected to the wrong network. That wrong network has a similar name to the popular Wi-Fi but in reality, it is a very different network. And that’s what the evil twin attack is all about. It is a type of spoofing attack in which a hacker sets up a rogue Wi-Fi access point, whose name (SSID) resembles a legitimate Wi-Fi access point. Thus the name – evil twin attack.

An evil twin attack shares characteristics of a phishing scam and a “man in the middle” attack. Its goal is to get you to connect to a different (wrong) Wi-Fi network, from which the hacker would be able to access all the data you’re transferring on that network.

As a result of this access, the hacker may get ahold of your personal information — including the passwords you’re using to connect to different services on the Internet. What’s more, this could further lead to spoofing your friends and family.

So NO, you don’t want to become a victim of the evil twin attack.

How do evil twin attacks take place?

Generally speaking, an evil twin attack involves a multi-step process that includes:

1. Creating a fake Wi-Fi hotspot
A hacker sets up a fake Wi-Fi hotspot with a name that resembles, or is identical to, that of the regular Wi-Fi hotspot. This could be the name of a big telecom operator, the name of the venue you’re in, the city name and so on. Hackers typically bring their own router near a popular public Wi-Fi network or use a laptop with a network card to do this.

2. Creating a fake Captive Portal
Captive Portals are usually used at coffee shops, airports, and public transit, inviting users to sign up to use the Internet for free. From this screen, the victim may be asked to log in with their Google or Facebook credentials, after which the hacker will get that access, allowing him/her to cause havoc. What’s more, they may also be able to access all other data that the victim leaves on the site.

3. Users are kicked off legitimate network
In order to get more users “on board” — as well as to increase chances of success — hackers could make the legitimate Wi-Fi network unusable and kick active users off. This is accomplished with so-called network flooding, which (as its name says) floods the network with “de-authentication packets” and disconnects active users.

4. Redirecting users to fake access point
Once disconnected, users will attempt to reconnect. And it is at this stage that the rogue network seems like a viable option, since users have just been kicked off the regular network. This rogue network has a similar or even the same name, making it less suspicious.

5. Stealing login credentials
This part gets us back to the Captive Portal part; users are prompted to log in and their every step on the Internet is being watched by a hacker. He/she is patiently waiting as the software records everything, including credentials for Google and other popular services.
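From the defender's side, steps 1 and 3 leave visible traces: a second access point using a known name (or a near-copy of it), and a burst of de-authentication frames. The sketch below is an added example, not code from this article; the network names, BSSIDs, frame counts and thresholds are all constructed assumptions.

```python
from collections import Counter
from difflib import SequenceMatcher

# Constructed sample data (not from the article). KNOWN_APS is the baseline a
# venue or user would record in advance; SCAN is what a later survey sees.
KNOWN_APS = {"CoffeeHouse_WiFi": {"bssids": {"aa:bb:cc:00:00:01"}, "security": "WPA2"}}
SCAN = [
    {"ssid": "CoffeeHouse_WiFi", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2"},
    {"ssid": "CoffeeHouse_WiFi", "bssid": "de:ad:be:ef:00:02", "security": "OPEN"},
    {"ssid": "CoffeeHouse-WiFi", "bssid": "de:ad:be:ef:00:03", "security": "OPEN"},
    {"ssid": "Library", "bssid": "11:22:33:44:55:66", "security": "WPA2"},
]
# Constructed management-frame summary: (capture second, frame type, BSSID).
FRAMES = [(5, "deauth", "aa:bb:cc:00:00:01")] * 40 + [(5, "deauth", "11:22:33:44:55:66")] * 2


def find_twin_candidates(scan, known, lookalike_ratio=0.85):
    """Return (bssid, reasons) for every scanned AP that imitates a known network."""
    findings = []
    for ap in scan:
        reasons = []
        for ssid, base in known.items():
            similarity = SequenceMatcher(None, ap["ssid"].lower(), ssid.lower()).ratio()
            if ap["ssid"] == ssid:
                # Multi-AP venues legitimately use several BSSIDs, and a BSSID
                # can be cloned, so this is a signal to investigate, not proof.
                if ap["bssid"] not in base["bssids"]:
                    reasons.append("unknown-bssid")
                if ap["security"] != base["security"]:
                    reasons.append("security-mismatch")
            elif similarity >= lookalike_ratio:
                reasons.append("lookalike-ssid")
        if reasons:
            findings.append((ap["bssid"], reasons))
    return findings


def deauth_floods(frames, per_second_limit=10):
    """Return BSSIDs named in more deauth frames within one second than the limit."""
    buckets = Counter((sec, bssid) for sec, kind, bssid in frames if kind == "deauth")
    return sorted({bssid for (sec, bssid), n in buckets.items() if n > per_second_limit})


if __name__ == "__main__":
    for bssid, reasons in find_twin_candidates(SCAN, KNOWN_APS):
        print(bssid, ", ".join(reasons))
    print("deauth flood against:", deauth_floods(FRAMES))
```

An open network appearing under the name of one that is normally password-protected, together with a de-authentication burst against the real access point, is the combination worth treating as an alarm.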

How to protect yourself from an evil twin attack?

There are several things every one of us should do in order to stay safe from evil twin attacks:

Do NOT connect to an unsecured network
If it’s unsecured, it means you shouldn’t use it. It’s that simple. Even if you have to do something really important, remember that if someone steals your identity, you will have a real problem on your hands.

Do NOT ignore network alerts and warnings
Your device has been programmed to protect you from unsecured connections and, chances are, it will inform you about the (lack of) security of the network. Make sure NOT to ignore these warnings.

Do NOT automatically connect to networks
This is what hackers behind evil twin attacks are counting on – that is the main reason why they give their fake hotspots the same names as regular hotspots. With auto-connect turned off, you are less likely to become a victim of an evil twin attack.

Use two-factor authentication
Whenever possible use two-factor authentication (2FA) as it will make it impossible for hackers to log into your accounts even if they somehow manage to get your passwords. And while we’re at passwords, make sure to use those that are impossible to remember.

Use a VPN
As we have briefly noted above, a VPN will encrypt all data traveling between your device and the rest of the Internet. This way, you don’t have to worry about your data being intercepted (and stolen) and then used against you. In that sense, we advise everyone to always use a VPN when connecting to public Wi-Fi networks.

If you still don’t have a VPN, now’s your chance to change that. Hop over to our page with Best of the Best VPNs and take it from there. All of those services have been field-tested for years and will have your back on public Wi-Fi networks and elsewhere. Check ’em out.