Evil Twin Attacks – Part 2
This is the continuation of Evil Twin Attacks – Part 1.
If you missed part one, I suggest you go back and read it before you continue, for maximum comprehension.
Let’s set the ball rolling with how the attack is carried out and the remedies for it.
Step 1: Hacker sets up a fake wireless access point
The attacker chooses public places that have many hotspots.
Such places usually have multiple Wi-Fi access points with the same name. The hacker creates a fake hotspot with the same Wi-Fi name.
The bad actor can use anything from a network card, tablet, or laptop to a portable router or a Wi-Fi Pineapple (if they need more range) to create the hotspot.
The hacker uses the same Service Set Identifier (SSID), also known simply as the Wi-Fi name, as the legitimate network does.
Remember
Most devices aren’t clever enough to distinguish between a legitimate and a fake access point if they have the same SSID. Some hackers clone the MAC address of the trusted network.
Step 2: Hacker creates fake Captive Portal
Captive Portal: It is a Web page that the user of a public-access network is obliged to view and interact with before access is granted. Captive Portal allows administrators to block Internet access for users until they complete a defined process.
The captive portal feature is a software implementation that blocks clients from accessing the network until user verification has been established.
So a captive portal usually either asks for some basic information about you or prompts you to enter a Wi-Fi login and password.
The problem with Captive Portals is that there’s no standard on how they should look, and they are usually poorly designed.
Note:
Those who use public Wi-Fi are so used to them being this way that it’s hard to tell the difference between a legitimate page and a fake one.
Unfortunately, if you come across the latter, it will send your details straight to the hacker.
Hackers might skip this step if they are setting up an evil twin where the Wi-Fi network is open and thus doesn’t have a captive portal.
If the legitimate Wi-Fi has a password, faking a captive portal helps the hacker get the login details and connect to the network.
Step 3: Hacker makes victims connect to evil twin Wi-Fi
Once the hacker has the hotspot and the captive portal, they need to make people connect to theirs.
This can be done in two ways:
* They create a stronger Wi-Fi signal by positioning themselves closer to their victims, which will result in nearby devices automatically connecting to the evil twin.
* They kick everyone off the main network with a DoS (Denial of Service) attack, or by flooding them with de-authentication packets.
The devices connected to the legitimate network will be disconnected, which will lead users back to their Wi-Fi connection page.
Now they will see a new network with an identical name, which most likely will state ‘Unsecure’.
This will set off alarm bells for security-conscious users, but many people will simply brush it off.
This method might not work in an office environment, where it would raise suspicion.
Step 4: Hacker steals login details
If the evil twin has a fake captive portal, the user will be directed straight to the login page when they click on the new network.
They will be required to enter the same login details they used the first time they connected to a legitimate network.
This time round, however, they are sending these details to the hacker.
Now that the hacker has them, they can monitor network traffic and what you do online.
If you tend to use the same login details for all your accounts, the hacker could also use them in credential stuffing attacks.
How Do You Protect Yourself?
# Don’t log into any accounts on public Wi-Fi.
# Avoid connecting to Wi-Fi hotspots that say ‘Unsecure,’ even if they have a familiar name.
# Use 2-factor-authentication for all your sensitive accounts.
# Only visit HTTPS websites, especially when on open networks.
# Don’t dismiss your device’s notifications, especially if you were kicked off the network and you’re connecting to what you think is a known Wi-Fi network.
# Don’t autosave Wi-Fi networks on your device, because when it’s not connected to your home or office networks, it will transmit so-called probes.
# Use a VPN whenever you connect to a public hotspot. It will encrypt your traffic before it leaves your device, making sure that no one sniffing the traffic can see your browsing behaviors.
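The warning signs described above (a familiar name that suddenly shows as ‘Unsecure’, an unfamiliar access point, a cloned MAC address) can also be checked automatically. The Python sketch below is an added example, not part of the original article: it compares Wi-Fi scan results against a baseline of trusted networks, and the SSIDs, MAC addresses, field names and the find_suspect_aps function are all constructed for illustration.

```python
from collections import defaultdict

# Constructed baseline of trusted networks (all values are made up).
KNOWN = {
    "CoffeeShop-WiFi": {
        "security": "WPA2",
        "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    },
}

# Constructed scan results, shaped like the fields a Wi-Fi scan reports.
SCAN = [
    {"ssid": "CoffeeShop-WiFi", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2", "channel": 6},
    {"ssid": "CoffeeShop-WiFi", "bssid": "DE:AD:BE:EF:00:01", "security": "OPEN", "channel": 11},
    {"ssid": "CoffeeShop-WiFi", "bssid": "aa:bb:cc:00:00:02", "security": "WPA2", "channel": 1},
    {"ssid": "CoffeeShop-WiFi", "bssid": "aa:bb:cc:00:00:02", "security": "OPEN", "channel": 9},
    {"ssid": "Library-Guest", "bssid": "11:22:33:44:55:66", "security": "OPEN", "channel": 3},
]

def find_suspect_aps(scan, known):
    """Return (bssid, channel, reasons) for APs that reuse a trusted SSID suspiciously."""
    # Record what each (SSID, BSSID) pair advertises, so that a cloned MAC
    # shows up as one BSSID with two different security/channel combinations.
    seen = defaultdict(set)
    for ap in scan:
        seen[(ap["ssid"], ap["bssid"].lower())].add((ap["security"], ap["channel"]))

    findings = []
    for ap in scan:
        profile = known.get(ap["ssid"])
        if profile is None:
            continue  # not a trusted name, so nothing is being impersonated
        bssid = ap["bssid"].lower()
        reasons = []
        if ap["security"] != profile["security"]:
            reasons.append("security-downgrade")  # e.g. WPA2 network shown as open
        if bssid not in profile["bssids"]:
            reasons.append("unknown-bssid")       # familiar name, unfamiliar radio
        if len(seen[(ap["ssid"], bssid)]) > 1:
            reasons.append("conflicting-bssid")   # heuristic hint of a cloned MAC
        if reasons:
            findings.append((bssid, ap["channel"], reasons))
    return findings

if __name__ == "__main__":
    for bssid, channel, reasons in find_suspect_aps(SCAN, KNOWN):
        print(f"{bssid} ch{channel}: {', '.join(reasons)}")
```

A conflicting-bssid finding marks both the genuine and the cloned entry, because the scan alone cannot say which one is real; treat it as a reason not to connect rather than as proof.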