Evil Twin is a kind of Wi-Fi attack which is almost similar to Website spoofing and E-mail phishing attacks. Cyber Attackers can get all information without a user knowledge. Evil Twin looks like a Hotspot but with a strong signal. The attacker snoops on Internet traffic using a Fake wireless access point. Unaware web users may be invited to log into the attacker’s server, prompting them to enter sensitive information such as usernames and passwords. Often, users are unaware they have been duped until the incident has occurred.
A hacker configures its service identifier (SSID) to be same as an access point at the local hotspot or corporate wireless network. The hacker disrupts or disables the legitimate AP by disconnecting it, directing a denial of service against it, or creating RF interference around it. Users lose their connections to the legitimate AP and re-connect to the “evil twin,” allowing the hacker to intercept all the traffic to that device.
When users log into unsecured (non-HTTPS) bank or e-mail accounts, the attacker intercepts the transaction. In this case, the attacker would also be able to connect to other networks.
Fake access points are set up by configuring a wireless card to act as an access point (known as HostAP). They are hard to trace since they can be shut off instantly. The counterfeit access point may be given the same SSID and BSSID as a nearby Wi-Fi network. The evil twin can be configured to pass Internet traffic through the legitimate access point while monitoring the victim’s connection, or it can simply say the system is temporarily unavailable after obtaining a username and password.
How To Protect?
Use EvilAP_Defender It is an application that helps a wireless network administrator to discover and prevent Evil Access Points (AP) from attacking wireless users.
The application can be run in regular intervals to protect your wireless network from Evil Twin like attacks. By configuring the tool, you can get notifications sent to your email whenever an evil access point is discovered.
The tool is able to discover Evil APs using one of the following characteristics:
- Evil AP with a different BSSID address.
- Evil AP with the same BSSID as the legitimate AP but a different attribute (including: channel, cipher, privacy protocol, and authentication).
- Evil AP with the same BSSID and attributes as the legitimate AP but different tagged parameter – mainly different OUI (tagged parameters are additional values sent along with the beacon frame. Currently no software based AP gives the ability to change these values. Generally, software based APs are so poor in this area).
Whenever an Evil AP is discovered the tool will alert the admin through email (SMS will be supported soon). Additionally, the tool will enter into the preventive mode in which the tool will DoS, the users of the legitimate wireless network from connecting to the discovered Evil AP. The tool can be configured easily by starting in what we call “Learning Mode”. In this mode, you can whitelist your legitimate network.
- Do not use Public Wi-Fi
- Always connect to the Internet through a Private VPN.