Evil Twin Attack

An Evil Twin attack is a class of cyberattack that targets internet users when they connect to public wifi. Hackers set up malicious hotspots in locations where people expect to find public wifi, so anybody who uses public wifi is at risk of running into one.

Cybercriminals use Evil Twin attacks to piggyback on victims’ internet sessions. If you connect to an Evil Twin wifi hotspot, then hackers can monitor your web visits and potentially steal your personal information for phishing, fraud, and identity theft.

An Evil Twin attack could even infect your device with malware, giving hackers remote access to your device to deliver secondary payloads such as spyware, keyloggers, or a Trojan capable of complete device takeover.

This makes it hugely important to know what an Evil Twin attack is and what you can do to protect yourself against one. In this guide, we will arm you with the knowledge you need to protect yourself.

Why is it called an Evil Twin attack?

An Evil Twin attack, or Evil Twin hotspot, gets its name from the method used by hackers to lure their victims.

Hackers usually set up Evil Twin hotspots in public locations where you would expect to find free wifi. This means you could run into an Evil Twin attack in a coffee shop, a mall, a restaurant, on public transport, in an airport, at a public library – or just about anywhere else.

An Evil Twin attack relies on the fact that people expect to find free wifi in the public location where it is deployed. To attract victims, hackers give the malicious hotspot an inconspicuous, plausible-looking name (SSID) like “Starbucks free internet” or “free hotel wifi.” Victims assume the hotspot is legitimate and provided by a local establishment.

Once a victim connects to the malicious wifi hotspot, the cybercriminal can intercept all the data that passes over the network from the victim’s device. It also allows the hacker to attack the device directly, potentially accessing its contents to steal data – or to infect it with malware. Victims can usually still access the internet normally through the compromised hotspot, and so may never become aware that they are under attack.

In some locations, the Evil Twin may be an exact copy of the genuine hotspot’s name. This catches out anybody who connects in a rush.

Examples of an Evil Twin attack

An Evil Twin attack is usually a stepping stone to other attacks. Below, we describe the kinds of attacks hackers can perform if you accidentally connect to an Evil Twin hotspot:

Man in the Middle

If you connect to an Evil Twin wifi hotspot, a hacker can intercept your data as it passes over their fake wifi hotspot network. This class of cyberattacks is called a Man in the Middle (MitM) attack. During a MitM attack, the hacker who piggybacks on your session gains the ability to do various nefarious things:

  • Session hijacking: the hacker intercepts an authentication key, giving them the ability to access your email or some other personal account.
  • Replay attack: the hacker records your activity and re-performs an action you just made, such as logging into an account.
  • Content alteration: the hacker changes what you send so that the recipient receives something different from what you intended (altered messages, etc).
  • Content deletion: the hacker discards what you send so that it never arrives at the intended recipient.

DNS hijacking

Another possibility when you connect to an Evil Twin hotspot is that the hacker will perform a DNS attack. For example, hackers can leverage this kind of attack to divert users to a different web page than the one they intended to visit (this is called DNS hijacking).

The problem with this kind of DNS hijacking is that the victim is unlikely to realize the hacker has diverted them to a malicious website. The site could host malware, or be a fake login portal designed to “phish” their credentials.

This means that the hacker could infect the user with drive-by malware that gives them a foothold on the compromised device, from which they can download secondary packages from a Command and Control (CnC) server.

Under the worst circumstances, this could cause the victim to be infected with a severe Remote Access Trojan that allows the hacker to take full control of the victimized device to steal data valuable for fraud and identity theft.

How to avoid an Evil Twin attack

The easiest way to avoid being victimized by an Evil Twin attack is to avoid public wifi hotspots completely. In practice, however, most people rely on free internet to save on their mobile data plans. As a result, complete abstinence from public wifi will not be practical. The good news is that there are various things you can do to protect yourself.

Here’s how to avoid an Evil Twin attack:

1. Turn off auto-connect

Going into your device’s settings and turning off auto-connect is an easy way to prevent yourself from automatically connecting to all the wifi hotspots you go near.

The problem with Evil Twin hotspots is that they often have no password protection. This means that all you need to do is click on the wifi hotspot, connect, and start using the free internet provided by the hacker.

Of course, if your mobile device is set to auto-connect to any available wifi, you may accidentally connect to an Evil Twin hotspot without even realizing it.

This will cause the apps on your device to begin communicating with the internet via the hotspot controlled by the hacker – even if your device is still in your pocket. As a result, the hacker could intercept some of your data.

By turning off auto-connect, you will have full control over the wifi hotspots you choose to use. And you will be able to discriminate between wifi options and pick the ones that you want to connect to.

2. Avoid connecting to unprotected wifi networks

When you move around your local city, go on vacation, or need to travel for work, you will get the opportunity to connect to many public wifi hotspots. Some of these will be legitimate hotspots that have been secured by the establishment providing free internet.

A protected wifi network is easy to distinguish from an unprotected network. This is because you will usually need to ask the wifi hotspot provider for the password in order to connect.

If in doubt, ask the establishment you are visiting for the name (SSID) of their wifi hotspot. This will ensure that you are connecting to the genuine hotspot and not a copy set up by a hacker.

If a hotspot is password protected, it should also have been set up with proper WPA2 or WPA3 encryption. This encryption protects your data against being intercepted in transit when it passes from your device to the wifi router.

If you are unsure whether you are using an adequately secured wifi network, select the wifi network you are using in your settings, and then click Properties. Next to Security it will display the security type, such as WPA2 or WPA3, if the network is protected (an older network may show WEP, which is obsolete and no longer counts as secure). If the network does not display WPA2 or WPA3, then you are at risk of having your data intercepted.

3. Be suspicious if you get kicked off public wifi

Hackers who set up Evil Twin hotspots often use cunning methods to trick people into connecting to their fake hotspots. By flooding a legitimate access point with de-authentication packets, they can cause users to be kicked from that wifi network.

This often causes users to open their wifi settings and reconnect. At this point, some users may accidentally connect to an Evil Twin that the hacker has set up with the same SSID (name) as the genuine hotspot.

So, remember, if you are ever suddenly kicked from public wifi, remain suspicious and take care only to reconnect to the real hotspot. Consider whether you are being asked for the password needed to join the real network. If you aren’t redirected to the usual login portal and asked for a password, it could be an Evil Twin.
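The sudden disconnection described above has a defender's-side signature: a burst of de-authentication frames from one source address. This is an added example, not code from the original article, showing how a wireless monitoring tool could flag such a burst from logged management frames; the frame records, the access point's BSSID and the threshold are constructed assumptions.

```python
"""Detect a de-authentication flood from 802.11 management-frame records.

Added example, not the article's own code. Each record is
(timestamp_seconds, frame_subtype, source_address, destination_address),
the fields a wireless monitoring tool would typically log.
"""
from collections import defaultdict, deque

DEAUTH, DISASSOC, BEACON = "deauth", "disassoc", "beacon"
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "aa:bb:cc:dd:ee:01"  # assumed BSSID of the genuine access point

# Constructed sample: normal beacons, one ordinary deauth of a single client,
# then 40 deauth frames in 0.4 s claiming to come from the AP, aimed at everyone.
SAMPLE_FRAMES = [
    (0.00, BEACON, AP, BROADCAST),
    (0.10, BEACON, AP, BROADCAST),
    (0.50, DEAUTH, AP, "12:34:56:78:9a:bc"),
] + [(round(1.0 + i * 0.01, 2), DEAUTH, AP, BROADCAST) for i in range(40)]


def detect_deauth_flood(frames, window_s=1.0, threshold=20):
    """Return {source_address: time_of_first_alert} for every source that sent
    at least `threshold` deauth/disassoc frames within any `window_s` span.

    A forged flood looks identical to a real one at the frame level (the source
    address is spoofed), so the rate, not the sender, is the signal.
    """
    recent = defaultdict(deque)  # per source: timestamps inside the window
    alerts = {}
    for ts, subtype, src, _dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        window = recent[src]
        window.append(ts)
        while ts - window[0] > window_s:  # evict frames older than the window
            window.popleft()
        if len(window) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, when in detect_deauth_flood(SAMPLE_FRAMES).items():
        print(f"deauth flood from {src} detected at t={when:.2f}s")
```

The single deauth at 0.5 s is ordinary traffic and does not trigger an alert on its own; the flood crosses the threshold at 1.18 s.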

4. Do not log in to personal accounts

When you use public wifi you can vastly reduce the dangers involved by avoiding logging into any private accounts. Public wifi can be useful for playing mobile games, checking the weather, getting directions, making web searches, and other harmless tasks.

Generally, however, it is better not to log in to your personal accounts, and it is extremely important not to enter payment details or access financial services like internet banking.

The important thing to remember is that during an Evil Twin attack, only the data you access and the accounts you log in to are at risk. So if you avoid using sensitive personal accounts, you shouldn’t run the risk of exposing them to hackers if you do accidentally join a dangerous network.

5. Stick to HTTPS websites

HTTPS websites are protected by the Transport Layer Security (TLS) protocol, which encrypts your data between your browser and the website. This protects your data against eavesdroppers in transit, including whoever runs the hotspot, so data transmitted from your device to the website stays private.

The important thing to remember is that the “S” in HTTPS stands for “secure.” This makes those HTTPS sites much safer than websites that have the HTTP prefix. For this reason, it is important to stick to HTTPS websites, especially if you are using public wifi.

A quick way to check whether the website you are using has a valid TLS certificate is to look for the lock icon to the left of the URL in your browser’s address bar.

This lock is only present on websites that use HTTPS. Finally, consider installing a browser extension like Force-TLS or HTTPS-Everywhere. These will take you to the HTTPS version of a popular website when one is available. However, bear in mind that these extensions are not foolproof, so take care and keep an eye on the URLs you visit.

6. Use two-factor authentication

By setting up two-factor authentication for your online accounts, you ensure it is impossible to log into your accounts without both a password and the authentication code that is sent to your physical device (either by text or in a 2FA app like Google Authenticator). This takes the pressure off you by increasing your security and making it less concerning if a password becomes compromised.

As an added tip, remember to update your passwords regularly and use a secure password manager to make remembering complicated passwords easier. Remember that a truly secure password will be unique. So don’t re-use passwords across multiple accounts, because if one password is compromised it will give hackers access to all of them.

7. Use a VPN

A VPN is an online service that is designed to give you online privacy and security. It works by protecting your data inside an encrypted tunnel. The VPN’s encryption completely scrambles your data as it travels from your device and over the internet to the remote VPN server location.

The security provided by a reliable VPN makes it impossible for local network administrators, Internet Service Providers, hackers, or other eavesdroppers to see what you are doing online.

The benefit of a VPN is that it becomes impossible for attackers to read any data as it passes over wifi. A VPN means that even if you accidentally connect to an Evil Twin hotspot, the hacker will not be able to monitor your web visits or steal your data.

We still recommend avoiding unprotected wifi networks and following our other tips in order to prevent yourself from accidentally connecting to an Evil Twin hotspot. However, if you always use a VPN, it will protect you against having your data stolen in an Evil Twin attack. This makes a VPN the #1 security tool for using public wifi.

8. Enable your firewall and use an antivirus

Every time you connect to the internet you are potentially exposing yourself to the threat of cyberattacks and hacking.

Whether you use public wifi, or you connect to the internet at home, we strongly recommend that you always enable a reliable firewall that actively monitors all inbound data packets to ensure they are safe. The very best firewalls also monitor outbound traffic to prevent serious malware infections like Trojans from being able to communicate with Command and Control servers.

In addition to a strong firewall, it is vital that you use an antivirus program with active malware scanning and real-time protection. This will scan incoming files for malware, block you from installing malicious software, and protect you from drive-by payloads.

Evil Twin attack FAQs

What are some common signs that I might be connected to an evil twin hotspot?

There are several things you can watch out for to identify evil twin networks:

  1. Network name (SSID): Pay attention to the names of the Wi-Fi networks you connect to. If you notice a network with a name that closely resembles a legitimate network you usually connect to, or two similar networks in the same location that make it unclear which one to use, this could be a sign of an evil twin. Attackers often create fake networks with similar names to trick users into connecting.
  2. Weak or no password: If the network you’re connecting to has a weak password – or no password at all – this is cause for concern. Most legitimate networks have security measures in place, and a lack of proper authentication may indicate that you are connecting to an evil twin network.
  3. Unexpected login screens: When connecting to a network, if you’re presented with unexpected login screens, especially those requesting personal information or login credentials, this is a huge red flag. Legitimate networks typically don’t prompt you for personal information unless it’s a known captive portal like in hotels or airports.
  4. Unusual behavior or errors: If you experience unusual network behavior, frequent disconnections, or encounter error messages while connected to a Wi-Fi network, it could indicate an evil twin attack. Attackers may try to redirect your traffic or intercept your communication, leading to these connectivity issues.
  5. SSL certificate warnings: If you receive SSL certificate warnings or security alerts when visiting websites that usually load without issues, this could be a sign that your traffic is being intercepted by a Man in the Middle attack. Evil twin attackers often intercept secure connections to gather sensitive information, causing errors and warnings.
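Signs 1 and 2 above, together with the security-type check from tip 2, can be applied mechanically to a Wi-Fi scan. The following Python script is an added example, not code from the original article: it flags an open or WEP access point that shares its SSID with a protected one nearby, and an open network whose name merely resembles a protected one. The scan results, SSIDs and BSSIDs are constructed; a real tool would read them from the operating system's Wi-Fi scanner.

```python
"""Flag Evil Twin warning signs in a Wi-Fi scan.

Added example, not the article's own code. Each access point is
(ssid, bssid, security, signal_dbm), as a scanner would report it.
"""
from collections import defaultdict
from difflib import SequenceMatcher

WEAK = {"OPEN", "WEP"}  # unencrypted, or the obsolete WEP

# Constructed scan: the cafe's real WPA2 network plus two suspect entries,
# one copying its SSID exactly but open, one with a lookalike name.
SAMPLE_SCAN = [
    ("CafeCorner", "aa:bb:cc:dd:ee:01", "WPA2", -48),
    ("CafeCorner", "de:ad:be:ef:00:01", "OPEN", -35),
    ("CafeCorner Free WiFi", "de:ad:be:ef:00:02", "OPEN", -37),
    ("HomeNet-5G", "11:22:33:44:55:66", "WPA3", -80),
]


def normalize(ssid):
    """Lower-case and drop spaces/punctuation so 'Cafe Corner' matches 'cafecorner'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def lookalike(a, b, threshold=0.8):
    """True when two SSIDs are confusingly similar: one contains the other, or
    their normalized forms differ only slightly."""
    na, nb = normalize(a), normalize(b)
    return na in nb or nb in na or SequenceMatcher(None, na, nb).ratio() >= threshold


def flag_evil_twins(scan):
    """Return [(bssid, reason)] for access points that show an Evil Twin sign."""
    findings = []
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap[0]].append(ap)
    # Sign 1: one SSID from several BSSIDs is normal for a multi-AP site,
    # but an open/WEP copy of a protected SSID is not.
    for ssid, aps in by_ssid.items():
        strong = "/".join(sorted({ap[2] for ap in aps} - WEAK))
        for _s, bssid, sec, _sig in aps:
            if strong and sec in WEAK:
                findings.append((bssid, f"'{ssid}' is {sec} here but {strong} elsewhere"))
    # Sign 2: an open/WEP network whose name mimics a protected one nearby.
    protected = [ap for ap in scan if ap[2] not in WEAK]
    for ssid, bssid, sec, _sig in scan:
        if sec in WEAK:
            for p_ssid, *_ in protected:
                if ssid != p_ssid and lookalike(ssid, p_ssid):
                    findings.append((bssid, f"'{ssid}' ({sec}) resembles protected '{p_ssid}'"))
    return findings
```

Two BSSIDs advertising the same SSID with the same security type are left alone, since that is how multi-access-point sites normally look; only the open or weakly protected copy is reported.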

It’s essential to exercise caution and always attempt to verify the legitimacy of Wi-Fi networks before connecting. Always connect to trusted networks, use a VPN for added security, and be cautious when entering personal information on public networks. Try only to use services that require personal information on private networks whenever possible.