What Is Evil Twin Phishing?
Evil twin phishing is a type of sophisticated phishing attack where scammers create fake wireless access points that masquerade as trusted access points and trick users into connecting to them.
Through evil twin phishing, scammers are able to seamlessly intercept and even alter the network traffic of any connected device. To capture sensitive information, scammers will commonly break HTTPS connections, allowing them to view plaintext information.
What Makes Evil Twin Phishing So Dangerous?
Due to inherent weaknesses in the way client devices discover and connect to wireless access points, evil twin phishing attacks can be executed seamlessly without the victim even knowing their data is being maliciously intercepted.
Exploits WiFi Weaknesses
There are several inherent weaknesses in the way client devices connect to WiFi networks. These weaknesses allow scammers to force devices to disconnect from trusted WiFi networks, cause devices to auto-connect to scammer-controlled WiFi networks, and even break the encryption that client devices and trusted WiFi networks use to communicate.
Seamlessly Intercepts Data
With evil twin phishing, scammers can seamlessly intercept network communications without victims even being aware. Once network communication is intercepted, scammers can break HTTPS connections, redirect traffic, and poison DNS caches, among a variety of other network-specific attacks at their disposal.
An Example Evil Twin Phishing Attack
To help showcase just how effective evil twin phishing attacks can be, let's walk through an example:
- Scammer Does Reconnaissance At Target Location
The scammer travels to a target organization's office and sits in a nearby cafe, ordering food and coffee while seemingly working on their laptop. While waiting for their food, they begin passively scanning for local WiFi networks on their laptop.
- Scammer Sets Up Several Rogue WiFi Networks
Within seconds, the scammer locates the WiFi network SSID used by the target organization. They then pull out a WiFi Pineapple hacking device and use it to automate the deployment of a rogue access point that spoofs the SSID of the target organization's WiFi network.
- Scammer Disrupts Legitimate WiFi Network Traffic
With the rogue access point set up, the scammer again uses their WiFi Pineapple device to execute several technical measures: amplifying the signal of the rogue WiFi network, disrupting the signal of the organization's legitimate WiFi network, and sending spoofed network de-authentication packets to force users off the legitimate WiFi network.
- Victims Connect To Rogue WiFi Network
As users are knocked off the legitimate WiFi network, they begin connecting to the rogue access point, either automatically (for those who have WiFi auto-connect configured) or manually (for those who have seemingly lost internet connectivity and try to reconnect themselves). From this point onwards, the scammer can intercept and capture all internet traffic from the connected victim devices.
Common Evil Twin Phishing Techniques
By their very nature, evil twin phishing attacks are highly technical and are typically automated through a mixture of hardware and software. Devices such as WiFi Pineapples or tools such as Aircrack-ng, Hostapd, Wifiphisher, and Bettercap automate the techniques outlined below:
SSID Broadcast Monitoring
Scammers will use high-powered WiFi adapters specifically designed to enhance their ability to monitor SSID broadcasts. These devices enable scammers to detect WiFi networks from long distances.
SSID Spoofing
Scammers will use SSID spoofing to create a rogue WiFi network that has the same SSID as a legitimate WiFi network. Spoofed SSIDs make it difficult for both humans and client devices to tell the real network from the fake one.
WiFi Signal Amplification
Scammers will use high-powered WiFi antennas to significantly amplify the signal of their rogue WiFi network, so that client devices prioritize the rogue WiFi network over the legitimate one.
Forced WiFi Deauthentication
Scammers will broadcast de-authentication packets to client devices that are crafted to appear as if they come from the legitimate WiFi network. This causes client devices to disconnect from the legitimate WiFi network.
WiFi Encryption Cracking
Scammers will crack the encryption used in any outdated or poorly configured WiFi protocols such as WEP or even WPA. Once cracked, scammers can decrypt all communication to and from the WiFi network.
TLS Stripping
Scammers will downgrade encrypted communication to its unencrypted counterpart (e.g. HTTPS to HTTP) wherever possible. Removing the encryption gives scammers direct access to plaintext information.
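As an added example (not part of the original article), here is a defender-side detector in Python that applies two of the signatures above to a constructed capture of 802.11 management-frame records: a burst of de-authentication frames claiming to come from a legitimate access point, and a known SSID being advertised by a BSSID that is not in the organization's inventory. The allowlist, MAC addresses, thresholds and frame records are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed allowlist of legitimate BSSIDs per SSID (hypothetical values; in practice
# this comes from the organization's own access-point inventory).
KNOWN_APS = {"CorpWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"}}

DEAUTH_THRESHOLD = 10  # this many deauth frames from one BSSID inside the window is a flood
WINDOW_SECONDS = 5.0


def analyze(frames, known_aps=KNOWN_APS):
    """Return (alert_type, detail) tuples for a time-ordered list of frame records.

    Each record is a dict with t (seconds), kind ('beacon' or 'deauth') and bssid;
    beacons also carry ssid and security ('open', 'wpa2', ...).
    """
    alerts = []
    twins_reported = set()
    floods_reported = set()
    deauth_times = defaultdict(deque)  # sliding window of deauth timestamps per BSSID
    for f in frames:
        bssid = f["bssid"]
        if f["kind"] == "beacon":
            legit = known_aps.get(f["ssid"])
            # A known SSID advertised by a BSSID that is not ours is the evil-twin signature.
            if legit is not None and bssid not in legit and bssid not in twins_reported:
                twins_reported.add(bssid)
                alerts.append(("evil_twin", f"SSID {f['ssid']!r} advertised by unknown BSSID "
                                            f"{bssid} (security: {f.get('security', 'unknown')})"))
        elif f["kind"] == "deauth":
            # Spoofed deauth frames carry the legitimate AP's address, so key on source BSSID.
            q = deauth_times[bssid]
            q.append(f["t"])
            while q and f["t"] - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= DEAUTH_THRESHOLD and bssid not in floods_reported:
                floods_reported.add(bssid)
                alerts.append(("deauth_flood",
                               f"{len(q)} deauth frames from {bssid} within {WINDOW_SECONDS}s"))
    return alerts


# Constructed sample capture: a legitimate beacon, a burst of spoofed deauths that claim to
# come from the legitimate AP, then an open rogue AP beaconing the same SSID.
SAMPLE_FRAMES = (
    [{"t": 0.0, "kind": "beacon", "bssid": "00:11:22:33:44:55", "ssid": "CorpWiFi", "security": "wpa2"}]
    + [{"t": 0.1 * i, "kind": "deauth", "bssid": "00:11:22:33:44:55"} for i in range(1, 13)]
    + [{"t": 1.5, "kind": "beacon", "bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi", "security": "open"}]
    + [{"t": 2.0, "kind": "beacon", "bssid": "aa:bb:cc:dd:ee:ff", "ssid": "CafeGuest", "security": "wpa2"}]
)
```

Running `analyze(SAMPLE_FRAMES)` yields one deauth_flood alert (raised on the tenth spoofed frame) followed by one evil_twin alert for the open rogue access point; the unrelated CafeGuest beacon produces nothing because that SSID is not in the allowlist.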
Practical Tips To Avoid Evil Twin Phishing Attacks
Evil twin phishing might seem like it's difficult to avoid, but there are some best practices you can follow that help to minimize your exposure:
- Avoid using public WiFi networks: Only connect to WiFi networks you know and trust. Public WiFi networks may have weak configurations, or they could be controlled by someone with malicious intent.
- Disable automatic connection to WiFi networks: Scammers abuse automatic connection configurations through a mixture of SSID spoofing and forced WiFi deauthentication. Keeping this setting disabled helps to keep you aware of any anomalies.
- Enable mutual authentication whenever possible: Mutual authentication adds an additional layer of security, whereby the client and the access point each present a certificate to the other. Each certificate is then checked to ensure it is trusted, valid, and matches the expected identity.
- Always confirm HTTPS connections are valid: By checking that each HTTPS connection is still HTTPS and has not been downgraded to HTTP, you can be made aware of potential evil twin phishing attacks.
Frequently Asked Questions
Where Does The Term Evil Twin Phishing Originate From?
The term "evil twin phishing" originated in the early 2000s, when public WiFi networks became increasingly popular. Scammers realized they could abuse weaknesses in the way client devices and WiFi networks communicated, such that a fake WiFi network could impersonate a legitimate one and trick client devices. Due to the nature of this attack, essentially creating a "twin" WiFi network, and the idea of there being an "evil twin" in pop culture, it was fitting that this attack was coined "evil twin phishing".