FlagHack logoFlag{Hack} Coming Soon

Evil Twin Attack

An Evil Twin Attack is a type of wireless cyber-attack where a malicious actor sets up a rogue Wi-Fi access point that mimics a legitimate network. The purpose is to deceive users into connecting to the fake network, enabling the attacker to intercept data, monitor communications, or steal sensitive credentials.

These attacks are particularly dangerous because they are difficult to detect. The rogue access point often uses the same SSID (network name) as the trusted Wi-Fi network and may have a stronger signal, tricking users into connecting to it without realizing they are being duped.

Variants

Evil Twin Attacks can take different forms depending on the attacker's objectives and tools used:

  • Open Network Clones: The attacker replicates a public, open Wi-Fi network (like those in cafes or airports). Since no authentication is needed, victims connect easily and are unaware of the threat.
  • Captive Portal Phishing: The attacker sets up a fake login page that appears when a user connects. It mimics a real login portal and captures usernames, passwords, or other credentials.
  • Man-in-the-Middle (MitM): After users connect, the attacker can intercept and manipulate traffic, harvest session cookies, and monitor secure communications—even HTTPS—using SSL stripping or DNS spoofing techniques.

Types

Based on Authentication & Encryption

  • Open Evil Twin: No password is required to connect. Typically used in places where users expect free Wi-Fi. These are easy to set up and often used for mass surveillance.
  • WPA2 Evil Twin: The attacker clones a secured Wi-Fi network, including the password. Tools like Wi-Fi Pineapple or Airbase-ng are used to mimic authentication behavior and lure users from the real AP.

Based on Attack Objective

  • Credential Harvesting: The fake access point leads users to phishing pages where login credentials, banking info, or corporate intranet data can be stolen.
  • Traffic Eavesdropping: All data transferred through the network is captured and analyzed for sensitive information such as email contents, session tokens, or private messages.

Impact

Evil Twin Attacks can have significant consequences. Personal users may experience identity theft, account breaches, or financial fraud. For businesses, stolen credentials can result in corporate espionage, data breaches, and regulatory fines. The stealthy nature of these attacks also means the damage may go unnoticed until it is too late.

Discoverability

Detecting Evil Twin attacks is challenging because the rogue access point often appears identical to a legitimate one. However, sudden disconnections, repeated login prompts, or certificate warnings can be red flags. Enterprise environments can use Wireless Intrusion Detection Systems (WIDS) to monitor for duplicate SSIDs, rogue access points, and abnormal signal behavior.

Protection

  • Use VPNs: A Virtual Private Network encrypts all outgoing and incoming data, even on compromised Wi-Fi.
  • Verify Network Names: Avoid connecting to suspicious or duplicate networks, especially in public areas.
  • Use Secure Websites: Always ensure HTTPS is present when submitting sensitive information.
  • Enable 2FA: Multi-factor authentication can protect accounts even if credentials are compromised.
  • Use Endpoint Security Tools: Advanced endpoint detection solutions can flag suspicious network activity and unauthorized AP connections.