What is an Evil Twin Attack?
An evil twin attack is a type of WiFi network attack where a cybercriminal creates a rogue access point designed to mimic a legitimate wireless network. The rogue access point typically uses a name (SSID) and configuration that closely resemble the genuine network, tricking users into connecting. In many cases, the fake network is nearly indistinguishable from the real one, making it difficult for users to detect the threat.
Once a victim connects to the evil twin network, the attacker can intercept their communications in what is known as a Man-in-the-Middle (MITM) attack. This allows the hacker to capture sensitive information such as login credentials, credit card details, or other private data. In some cases, attackers may even use the connection to commit fraud or launch further cyberattacks—all without the victim or the legitimate network operator realizing what has happened.
How to Create a Hotspot for an Evil Twin Attack
This step is fairly straightforward. In fact, you have probably already done it yourself when you used your phone as a hotspot. In an evil twin attack, however, the rogue access point needs to mimic the legitimate one. That means changing the SSID to match that of the genuine access point. Again, this is a basic step and simply requires the attacker to change the name of the fake hotspot to that of the legitimate one so that when the unsuspecting victim sees it, they do not think anything of it.
In some cases, the attacker will also spoof the genuine access point’s BSSID, preventing firewalls and other security measures from detecting it as unauthorized.
Have the Victim Connect to a Rogue Access Point
An evil twin attack occurs when an attacker creates a fake wireless access point that mimics a legitimate access point. For devices that have not yet connected, the attacker can simply ensure that their signal is stronger than that of the genuine access point.
In a case where the device has already connected to the legitimate access point (a scenario often seen in targeting enterprise networks), the attacker can send deauthentication packets to the victim and the legitimate access point to block their connection. This prompts the user to reconnect and, when doing so, they will see the evil twin under the disguise of the legitimate access point, thanks to SSID spoofing. This malicious access point is often configured to have the same name (SSID) as the legitimate one, making it difficult for users to distinguish between the two.


Evil Twin Attack
Eavesdropping
An evil twin attack on a public network, such as those found in coffee shops or airports, allows attackers to act as a man in the middle (MitM). By intercepting the communication between the victim and the legitimate access point, the malicious actor can eavesdrop on and/or alter the traffic between the two entities. This could allow attackers to exploit vulnerabilities and access encrypted passwords, potentially compromising information systems and leading to data breaches.
Phishing
In an evil twin attack on an enterprise network, the attacker aims to bypass authentication by using phishing tactics. As mentioned, the perpetrator will likely have to block the already-established connection between the victim and the legitimate access point, prompting the victim to try to reconnect, this time to the rogue access point (which, to the victim, appears legitimate because it mimics the genuine one). In doing so, the user will be directed to a fake captive portal page that requires login details, the same as those required for the legitimate access point.
However, when the victim enters those details, they are being sent directly to the hacker. Although the hacker will not know the correct network password, they will know when the correct password has been entered. This relies on the network handshake captured during the deauthentication process in the Evil Twin Attack. Once the victim enters the correct information, the hacker can use these credentials to access and control the target network, stealing valuable sensitive data.
Evil Twin Attacks in the Era of Remote Work
Since an evil twin attack can be carried out in public places, the attack surface increases significantly as remote work (WFH) and bring your own device (BYOD) trends become more widely adopted among enterprises. However, the most dangerous characteristic of these attacks, which impacts both public and enterprise networks, is their covert nature. Besides appearing legitimate to the user due to a spoofed SSID, the rogue access point is able to bypass network security solutions, including NAC, by spoofing the legitimate access point’s BSSID.
Essentially, the victim and the device can see no evil, and this is especially worrying when an enterprise network is targeted. Once the network login details are obtained, the attacker can gain access to the network. From here, the bad actor can monitor network traffic, steal data, inject malware, and more. These cyber-attacks can compromise information security and cause harmful consequences to the enterprise, including data breaches, denial-of-service attacks, and the potential for a ransomware outbreak.
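Because a spoofed BSSID defeats a plain allowlist, a monitoring check has to compare more than the MAC address. The following is an added example, not part of the original article and not any vendor's code: it triages one passive Wi-Fi scan against an inventory of deployed access points. The inventory, the scan records, the field names and the 15 dB threshold are all constructed assumptions.

```python
# Added example: passive evil-twin triage over Wi-Fi scan results.
# AUTHORISED and SCAN are constructed sample data, not real networks.

AUTHORISED = {  # BSSID -> attributes recorded when the AP was deployed
    "aa:bb:cc:00:00:01": {"ssid": "CorpNet", "channel": 36,
                          "security": "WPA2-Enterprise", "rssi": -62},
    "aa:bb:cc:00:00:02": {"ssid": "CorpNet", "channel": 149,
                          "security": "WPA2-Enterprise", "rssi": -70},
}

SCAN = [  # one sweep from a fixed sensor (constructed)
    {"ssid": "CorpNet", "bssid": "aa:bb:cc:00:00:01", "channel": 36,
     "security": "WPA2-Enterprise", "rssi": -61},
    {"ssid": "CorpNet", "bssid": "de:ad:be:ef:00:09", "channel": 6,
     "security": "Open", "rssi": -40},
    {"ssid": "CorpNet", "bssid": "AA:BB:CC:00:00:02", "channel": 11,
     "security": "WPA2-Enterprise", "rssi": -38},
    {"ssid": "CoffeeShop", "bssid": "11:22:33:44:55:66", "channel": 1,
     "security": "Open", "rssi": -55},
]

RSSI_JUMP_DB = 15  # assumed tolerance above the sensor's baseline reading


def triage(scan, authorised, rssi_jump_db=RSSI_JUMP_DB):
    """Return (bssid, reason) pairs for beacons that look like an evil twin."""
    protected = {ap["ssid"] for ap in authorised.values()}
    findings = []
    for obs in scan:
        bssid = obs["bssid"].lower()
        known = authorised.get(bssid)
        if known is None:
            # SSID spoofing only: our network name from hardware we never deployed.
            if obs["ssid"] in protected:
                findings.append((bssid, "unknown BSSID advertising protected SSID"))
            continue
        # The BSSID is in the inventory, so an allowlist alone would pass it.
        # Compare the remaining attributes against what was deployed.
        drift = [k for k in ("ssid", "channel", "security") if obs[k] != known[k]]
        if obs["rssi"] - known["rssi"] > rssi_jump_db:
            drift.append("rssi")  # far stronger than this sensor's baseline
        if drift:
            findings.append((bssid, "inventory mismatch: " + ",".join(drift)))
    return findings


if __name__ == "__main__":
    for bssid, reason in triage(SCAN, AUTHORISED):
        print(bssid, "->", reason)
```

Access points that use automatic channel selection change channel legitimately, so a channel mismatch on its own is a lead to investigate rather than proof of a rogue device.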
Strengthen Your Defense Against Evil Twin Attack
Sepio’s Asset Risk Management (ARM) provides a panacea to gaps in device visibility, ensuring you are getting the most out of your cybersecurity investments.
Sepio’s solution identifies all devices operating within the enterprise environment. It also reveals the BSSID of all Access Points, showing which networks those devices are connected to. With its policy enforcement mechanism, Sepio detects suspicious connections instantly. It triggers a mitigation process by integrating with existing Network Access Control products.