Evil doppelgangers are attacking! What is an Evil Twin attack and how to defend against it?

Imagine: you are in the subway and you urgently need to send a message, but for some reason your mobile internet refuses to work. What do users usually do in this case? That’s right – they connect to a public Wi-Fi network and send the message. What they do not suspect is that a seemingly trustworthy network may turn out to be an “evil twin” that gives attackers access to their information: from their network traffic to their login credentials.

So that you do not become a victim of an Evil Twin attack, we want to explain in detail what it is and give some tips on how to protect yourself.

Why is the attack called the “evil twin”?

Evil twin attacks got their name because hackers have learned to imitate legitimate Wi-Fi networks so closely that the copies become indistinguishable from the originals. That is what makes this type of attack especially dangerous: victims do not even suspect that they are on the hacker’s network while he collects their personal data for his own purposes.

And how does this attack work?

Everything is based on public Wi-Fi networks. The most dangerous “evil twin” attacks make victims believe they are connecting to a trusted public network. The attack usually proceeds according to the following scenario:

Choosing a place with free Wi-Fi. To carry out such an attack, hackers usually choose popular public places: parks, hotels, cafes, airports. Since such places have many access points, often with identical names, it is even easier for cybercriminals to hide their activity by “blending in with the crowd.”

Setting up an access point. After choosing a location, hackers create a new access point with the same network name (SSID) as the original network. Almost any device can be used for this, including phones, laptops, portable routers and tablets.

Creating a fake login page. Attackers set up a special connection page (a captive portal) that tricks users into entering their login credentials.

Getting closer to potential victims. Once the fake access point and its connection page are ready, the hackers move their device or router closer to potential victims and try to overpower the signal of the legitimate network so that the victims choose their access point instead.

Surveillance and data theft. Once the victim has connected to the “evil twin”, the hacker can track everything the user does on the Internet: from the credentials used to log in to social network accounts to the checking of bank accounts. If the user logs in to any account while connected to such a fake network, the hacker can capture those login credentials.
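The scenario above leaves a recognisable trace for a defender: a beacon that carries a known SSID but comes from a radio that is not in the venue's inventory, often with weaker (or no) encryption. The following check is an added example, not code from the original article; the trusted inventory and the scan results are constructed, and the `TrustedSsid` baseline format is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Observation:
    """One beacon frame reported by a passive Wi-Fi scan."""
    ssid: str
    bssid: str      # access point MAC address
    security: str   # "OPEN", "WPA2" or "WPA3"
    signal_dbm: int


@dataclass(frozen=True)
class TrustedSsid:
    """Inventory entry: the radios and security a legitimate SSID should use."""
    bssids: Set[str]
    security: str


# Constructed inventory and scan results, not taken from any real network.
TRUSTED: Dict[str, TrustedSsid] = {
    "Cafe_Guest": TrustedSsid({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "WPA2"),
}
SAMPLE_SCAN: List[Observation] = [
    Observation("Cafe_Guest", "aa:bb:cc:00:00:01", "WPA2", -61),
    Observation("Cafe_Guest", "aa:bb:cc:00:00:02", "WPA2", -70),
    # Same name, unknown radio, no encryption, suspiciously strong signal.
    Observation("Cafe_Guest", "de:ad:be:ef:00:01", "OPEN", -35),
    Observation("Hotel_Lobby", "11:22:33:44:55:66", "OPEN", -80),
]


def find_evil_twin_candidates(scan: List[Observation], trusted: Dict[str, TrustedSsid]) -> List[Tuple[str, str, List[str]]]:
    """Return (ssid, bssid, reasons) for each beacon that advertises a trusted
    SSID but deviates from its inventory entry. SSIDs without a baseline are
    skipped, since there is nothing to compare them against."""
    findings = []
    for obs in scan:
        baseline = trusted.get(obs.ssid)
        if baseline is None:
            continue
        reasons = []
        if obs.bssid.lower() not in baseline.bssids:
            reasons.append("BSSID not in trusted inventory")
        if obs.security != baseline.security:
            reasons.append(f"security {obs.security}, expected {baseline.security}")
        if reasons:
            findings.append((obs.ssid, obs.bssid, reasons))
    return findings
```

Running it over the sample scan flags only the unknown radio broadcasting "Cafe_Guest" without encryption; the two inventoried access points and the SSID with no baseline produce no alert.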