Evil Twin Attack: What it is, How to Detect & Prevent it

The evil twin attack takes advantage of public WiFi connections. Learn how to prevent it from reaching you and your devices.
Josue Ledesma
5 min read
Last updated June 16, 2023

As Wi-Fi has become increasingly abundant across many private and public spaces, it has become a breeding ground for malicious hackers and bad actors. One of these attacks is known as the evil twin attack, which takes advantage of individuals looking to connect to Wi-Fi via their devices.

Now that more and more companies are offering their employees the option to work remotely, organizations may find themselves unwittingly exposed to this type of attack. In this article, we’ll break down the evil twin attack and explain how to detect it and how to prevent it from doing damage.

Get a Free Data Risk Assessment

What is an evil twin attack? 

Evil twin attacks are a type of Man in the Middle (MitM) attack in which a fake Wi-Fi network is set up to steal information or further infiltrate a connecting device.

This is often done in public settings where people are most likely to look for or connect to freely available Wi-Fi. This can be in airports, cafes, large public parks, etc., but hackers can really leverage this attack anywhere, mainly because the fake Wi-Fi can be easily set up and deployed.

How an evil twin attack affects you

If successful, a hacker has essentially intercepted your internet connection, connecting you to them. This can mean the hacker can steal your login information, see sensitive details and info from the websites you visit, and even redirect certain commands and tasks.

For example, suppose you connect to a fake Wi-Fi, log into your bank account, and initiate a transfer. In that case, a hacker can see that, change the transaction details as it passes through their network, and return a legitimate receipt.

Because you don’t know you’re compromised, you wouldn’t necessarily scrutinize the receipt, and the hacker can take off with your funds.

How does an evil twin attack work?

Unfortunately, an evil twin attack is relatively easy to set up and difficult to detect due to the nature of how devices connect to Wi-Fi. Here’s how hackers do it.

Step one: Evil twin Wi-Fi setup

First, a hacker situates themselves in a prime location where people are looking to connect to free Wi-Fi networks.

Using a device like a hotspot or Wi-Fi Pineapple, they can set up their own Wi-Fi network. Using a tool like hostapd-wpe, they can impersonate any network and, given enough time, even obtain the network credentials.

To impersonate an existing connection, they’ll likely use the same SSID (the name of the network) as the one that already exists. Depending on how sophisticated they are, they can even replicate the MAC address.

Currently, devices often present only the SSID when you’re looking to connect, so it would be difficult to differentiate the real device from the impostor without looking for specific details that may flag the attack.

Step two: Captive portal setup

The captive portal is usually the separate web page or initial pop-up after connecting to a Wi-Fi network. Most often, it asks you for some details before letting you access the internet.

Hackers can set up their own captive portals to begin stealing sensitive information, so they can connect to the initial Wi-Fi network and further represent that the Wi-Fi connection is legitimate.

A tool like dnsmasq can be used to create captive portals and spoof DNS servers to increase the semblance of legitimacy.

Step three: Push victims to connect to the evil twin Wi-Fi connection

At this point, unsuspecting victims looking to connect to Wi-Fi will probably see two different connections with the same name. While they’re not likely to think twice about it (especially as most connections come in a 2G/5G pairing), a hacker still has about a 50-50 chance of successfully compromising an individual.

To increase their odds of success, they can physically move the hotspot or Wi-Fi-emitting device closer to the victims, so the connection appears first and is stronger than the real connection.

They can also flood the original connection with a denial of service (DoS) attack. This can kick off anyone connected to the real Wi-Fi while preventing others from connecting.

At this point, victims are much more likely to connect to the evil twin Wi-Fi network.

Step four: Individual, device & organizational compromise

Once the victim connects to the network, they’re shown the fake captive portal, which can be the beginning of data theft. Because the hacker can now monitor your connection, they can log keystrokes and see your activity as you browse the internet.

This can allow them to steal login details, view sensitive information, and potentially further compromise your device. Depending on the hacker’s level of sophistication, they can inject malware and ransomware that can give them remote access and control of your device even after you’ve logged off.

Existing MitM packets (created for legitimate and nefarious purposes) can be leveraged here. Hackers can deploy packet injections that can replace content on the site a victim is navigating to (for example, to direct them to a malicious website), or payload,s (in the form of malicious code, ransomware, or malware) can be deployed within downloaded files, without the victim ever knowing.

For organizations, this can be extremely concerning if the victim is using a company device or, more commonly, the device is connecting to any app, software, or is accessing any site that could then allow the hacker to infiltrate the organization.

How to detect an evil twin Wi-Fi connection

By design, evil twin Wi-Fi connections are pretty difficult to identify without specific sniffing tools. However, there are a couple of best practices to employ that can help you stay away from any fishy connections.

    • Pay attention to Wi-Fi names: Not all hackers are savvy, and some are lazy enough to set up fake Wi-Fi connections with misspelled words, so look for any obvious errors as a sign of attack.
  • Listen to any alerts: If your device warns you that a Wi-Fi connection is insecure, you’re better off not connecting to it, even if it looks legitimate.

How to prevent an evil twin Wi-Fi attack

Prevention is much more effective against this type of attack than just detection. Here are a couple of steps that can help:

  • Use a VPN: VPNs were made to prevent hackers (and anyone) from monitoring your online activity. It’s a good tool to use to stay private and secure, even if you do connect to an evil twin Wi-Fi.
  • Only browse HTTPS sites: Most browsers offer this by default, as HTTPS connections are encrypted to prevent onlookers from seeing your activity. If your browser notes that a site you’ve visited doesn’t have an HTTPS connection, navigate away from it as soon as possible.

One easy way to ensure you’re browsing on HTTPS sites is to install the HTTPS Everywhere browser extension found here. Nearly all browsers support it, and it’s a very effective way to ensure you’re browsing securely.

  • Disable auto-connect: Devices with auto-connect often do so via a Wi-Fi’s SSID, meaning it can’t differentiate between legitimate Wi-Fi networks and evil twin ones.
  • Stay away from public Wi-Fi: If possible, use a personal hotspot or one you’re sure isn’t compromised.
  • Limit your online activities: If you can’t be sure you’re not connected to a compromised Wi-Fi connection, avoid visiting sites or taking actions that, if seen, can further compromise you. Don’t log in to accounts and don’t visit sites that contain any sensitive information.

Organizations can also employ or encourage the use of wireless intrusion prevention systems (WIPS), which are designed to keep hackers from monitoring activities over wireless connections.

Cybersecurity solutions can prevent further organizational damage

Evil twin attacks can be dangerous, particularly to organizations, via unsuspecting employees. Make sure your employees know the risks so they can avoid missteps whenever possible.

Organizations that use security solutions such as network-monitoring and detection tools, and leverage network segmentation, can either spot an attacker who has made their way in via an evil twin attack or prevent them from accessing critical assets altogether.

Varonis’ Edge can help shore up your data and protect your organization against a surprise evil twin attack.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

what-is-a-man-in-the-middle-attack:-detection-and-prevention-tips
What is a Man-in-the-Middle Attack: Detection and Prevention Tips
Man-in-the-middle attacks are sophisticated spying techniques attackers use to snoop on network traffic. Read on to learn more about these MitM attacks.
what-is-dns-tunneling?-a-detection-guide
What is DNS Tunneling? A Detection Guide
Domain Name System (DNS) tunneling is a prevalent hacking method — learn how it works, the types of threats and how to detect and combat them
dhs-emergency-directive-19-01:-how-to-detect-dns-attacks
DHS Emergency Directive 19-01: How to Detect DNS Attacks
On January 22, 2019, the United State Department of Homeland Security (DHS) released a warning for a DNS infrastructure hijacking attack against US government agencies. Let’s dig into the specifics...
what-is-c2?-command-and-control-infrastructure-explained
What is C2? Command and Control Infrastructure Explained
A successful cyberattack is about more than just getting your foot into the door of an unsuspecting organization. To be of any real benefit, the attacker needs to maintain persistence…