There is a growing new trend in identity and account theft for those who do their business online whether personal and professional. They are referred to as Evil Twin attacks. The colorful name sounds like something right out of a horror movie, which is appropriate since those unlucky enough to fall victim to this scam could easily find themselves living in a nightmare.
Wireless networks, and our growing dependence on their availability, are at the heart of these Evil Twin attacks. If you were out and about and wanted to log onto the internet from a laptop, you’d need to find a wireless network. Initially they were offered for small fees at places like coffee shops, bookstores and hotel lobbies; after paying a nominal fee the user would be provided with a password. Logging in was a breeze and the whole enterprise was safe and secure. Recently, however, the trend is to free wireless hotspots.
Last year saw a dramatic increase in wireless network usage. Wi-Fi Planet recently reported on the growth, noting that inter-city travel venues, such as hotels and airports, saw 28% growth through the end of 2008. The year-on-year growth number for train stations and ferries was a whopping 79%. Wireless connections in public places more than tripled in 2008 with most sessions lasting up to three hours.
In 2009 the numbers are expected to jump exponentially, driven by the growing popularity of next generation telephones, specifically the iphone and its smartphone competitors. Whether connecting to the internet, checking email or playing games, most of the special features on these phones are predicated on data being sent and received via these wireless networks. As their popularity grows, so too does usage of free wireless networks.
Mobile devices using wireless hotspots also grew 79% in the first half of 2009, according to a survey conducted by wireless media company JiWire as reported in iphone.tmcnet.com. Their findings show that in addition to checking emails and surfing the net, 38% make an online purchase during their sessions. Of these users, 40% are in management positions who are business decision makers, and 44% work in small to mid-sized companies.
These numbers point to a growing target for industrious internet scammers, and the Evil Twin attacks are the newest tool they are perfecting.
The way an Evil Twin attack works is pretty simple. The hacker physically sets up shop in an area where free wireless access is provided. It could be a café, airport lounge, student community area or hotel lobby, you name it. Using a laptop and a wireless card, they can create their own access point and make it appear legitimate by giving it a name similar to the establishment where they are located.
Whether the user is on a laptop or smartphone, when accessing a free wireless they are often presented with a list of available networks. Since it’s originating from the hacker’s computer just a few feet away, the Evil Twin network will often be a stronger connection and at the top of the list. Coupled with a legitimate-sounding network name, it’s a natural choice for the victim’s access point.
Once they are using the Evil Twin, all the business they conduct is eavesdropped on. Emails, log on names and passwords, credit card purchases. The con man might as well be standing over the victim’s shoulder and taking notes. They can watch and even re-direct the user to dummy websites without their knowledge.
For example, if you are surfing the internet and go to log into your online bank page, the hacker can have a dummy page set up that looks exactly the same. Even though you accessed the link via your list of favorites, instead of going to chase.com you will unknowingly be re-directed to chase1.com. If you don’t realize and enter your log in information, the hacker now has whatever you enter into any forms.
The number of Evil Twin attacks is rising, but it’s hard to gauge the numbers. Most who offer free wireless hotspots are ignorant of the attacks. Even if they are aware, advertising just how vulnerable their location might be is not good for business, and they choose not to report. Victims often don’t even realize themselves that they have had their information stolen, as the hackers will often wait to utilize the data they’ve gleaned making them nearly impossible to catch.
The scammers are counting on the fact that you are in a public place and surrounded by the distractions therein to take advantage. They are hoping you aren’t paying the attention to details like you would at home. Here are some ways to stay protected:
Dialog Boxes: Your computer or phone will often let you know if the site you are visiting is unencrypted. Pay attention to these warnings. In the past you might have gotten a similar warning and checked the box saying never remind me again. If you checked that box, you might be at risk and should consider reloading your browser software.
Don’t share your business: Try not to conduct any online business in public that you wouldn’t feel comfortable sharing with others. If the idea of perusing your bank account with someone watching over your shoulder bothers you, then the safest bet is to save this business for when you are at home.
Web Only Credit Card: If you find yourself making a lot of online purchases it might be a good idea to apply for and set up a credit card account solely for this purpose. It could be an account you could monitor regularly online, and be prepared to close on short notice if you’ve been hacked.
Wireless Setting: Many laptops and smartphones are set to automatically seek and hook up to the strongest available wireless connection. This is money in the bank to someone trying an Evil Twin attack. Always choose your connection manually and look at the names. If you aren’t sure of the connections authenticity, check with the establishment where you are located. They will know which wireless connections are actually their own and which are not legitimate.
We are living in an exciting new age of information access and personal convenience. As these systems continue growing and evolving, those who utilize them present particularly inviting targets for the most cunning of con artists. Don’t be fooled into a false sense of security, because in the majority of cases we really can protect ourselves. As with all scams, awareness of the situation and applying a bit of common sense goes a long way towards avoiding being victimized.