Beware the "Evil Twin" Wi-Fi Hotspot

Tue Mar 20, 2007 3:17AM EDT

Hop into Starbucks or an airport terminal and you may find yourself tempted by the inexpensive Wi-Fi service offered. Fire up your computer, browse the wireless networks available, and maybe you'll jump on a network named "tmobile" or "wayport" or some other common name among Wi-Fi service providers. Sure enough, your browser pulls up a page asking for your credit card information... or maybe you'll find yourself with "free" access to the internet. Surprise: You might have just been punk'd by a hacker.

Such is the case of the "evil twin" hotspot, a rising danger for users who rely on public hotspots for internet access. The trick is simple: A hacker just creates a hotspot with the same name (or a very similar one) as a legitimate hotspot nearby, hoping to dupe web surfers into connecting to the hacker hotspot instead of the legitimate one. The goal is the usual fare: Collect user names, passwords, credit card numbers. All the good stuff.

The Los Angeles Times notes that such lookalike networks are on the rise, and though this scam has been around for many years, it seems to be rising in popularity. My hunch? Wireless routers have better range than ever before, and it's practically child's play to set up a harvesting web site to dupe people into giving up their personal information. And since your laptop will automatically connect to any network you've connected to in the past (Windows thinks any network named "linksys" is the same network no matter where you go), people can be duped by evil twin hotspots without ever knowing it.

So what can you do about it? Sadly, not a lot, and all that security software on your laptop won't help you one bit if you willingly connect to one of these hotspots. As with most scams, diligence is your best ally: Learn what legitimate hotspot web pages look like. Hackers rarely make a perfect copy. If you encounter anything out of the ordinary, disconnect from the hotspot immediately. Tell the manager of the establishment you're trying to connect to that something funny is going on. They may not do anything about it, but hopefully they'll call the cops and encourage them to track down the signal.
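The auto-connect behavior and lookalike names described above can be checked for on your own machine. The following is an added example, not part of the original article: it compares saved Wi-Fi profiles against one scan of nearby networks. The field names, the 0.8 similarity threshold, and all sample data are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher

# Constructed sample data: saved profiles on a laptop and one scan of nearby networks.
SAVED = [
    {"ssid": "linksys", "security": "open", "auto_connect": True},
    {"ssid": "tmobile", "security": "open", "auto_connect": False},
    {"ssid": "HomeNet", "security": "wpa2", "auto_connect": True},
]
SCAN = [
    {"ssid": "linksys", "bssid": "02:00:00:00:00:01", "security": "open"},
    {"ssid": "tmobi1e", "bssid": "02:00:00:00:00:02", "security": "open"},
    {"ssid": "HomeNet", "bssid": "02:00:00:00:00:03", "security": "open"},
    {"ssid": "wayport", "bssid": "02:00:00:00:00:04", "security": "open"},
]

def normalize(ssid):
    """SSIDs are case-sensitive, so case variants count as lookalikes, not matches."""
    return ssid.strip().lower()

def audit(saved, scan, threshold=0.8):
    """Return (ssid, bssid, reason) for each nearby network worth a second look."""
    findings = []
    for net in scan:
        for prof in saved:
            if net["ssid"] == prof["ssid"]:
                if prof["security"] != "open" and net["security"] == "open":
                    # A network remembered as encrypted is now advertised as open.
                    findings.append((net["ssid"], net["bssid"], "security-downgrade"))
                elif prof["security"] == "open" and prof["auto_connect"]:
                    # Any open network with this name will be joined silently.
                    findings.append((net["ssid"], net["bssid"], "open-auto-join"))
            else:
                ratio = SequenceMatcher(None, normalize(net["ssid"]),
                                        normalize(prof["ssid"])).ratio()
                if ratio >= threshold:
                    # Near-identical name to a network the user already trusts.
                    findings.append((net["ssid"], net["bssid"],
                                     "lookalike-of:" + prof["ssid"]))
    return findings

if __name__ == "__main__":
    for ssid, bssid, reason in audit(SAVED, SCAN):
        print(f"{ssid:10} {bssid}  {reason}")
```

An "open-auto-join" finding is fixed by deleting the saved profile or turning off automatic connection for it; the other two findings mean the network should not be joined until the venue confirms its name.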

LINK: Ensnared on the wireless Web

Comments on Beware the "Evil Twin" Wi-Fi Hotspot

  • 26 Posted by fontechevade on Thu Sep 3, 2009 4:01PM EDT

    This trick could be used to get you to upload clickbots and spyware on your laptop. See http://clickscoring.blogspot.com

  • 27 Posted by rojobaron@sbcglobal.net on Thu Sep 3, 2009 8:49PM EDT

    Just another example of our "how much can you steal" society. What a shame that we have diverged so much from the "How much can I earn" philosophy. Thank you liberal entitlement mentality.

  • 28 Posted by sherrymazzetti1@prodigy.net on Thu Sep 3, 2009 9:19PM EDT

    Help! I just bought a laptop (still in the box) that is WiFi certified to replace my old Windows 98 PC. I currently have Yahoo! dial-up but plan to change next month to high-speed. In ten days, I will be traveling and staying in a popular chain hotel that advertises free wireless internet. What, if any, info will I have to give the hotel (or will they also supply me with a password)? I know this sounds like a dumb question, but will I be able to access my Yahoo! e-mail by signing in myself? Any advice is welcome. I am a newbie to the idea of wireless.

  • 29 Posted by jbpwatercolor@sbcglobal.net on Thu Sep 3, 2009 4:30PM EDT

    #34 Sherry, I am not sure how your laptop will work. This is how mine works: XYZ Inn has the password with instructions in their guest guide book in the room. You won't need to tell them anything. When you start your computer, you will get a notice in the lower right corner of your screen that a network(s) has been detected, that it is UN-secure, Do you want to connect (You may need to select a network with your mouse. Some hotels have several to cover the entire building)? If UN-secure is OK with you, click OK. Start your browser. It will open to the XYZ Inn webpage, something like "XYZINNNet" with their Terms of Service. If their terms are OK with you, click I ACCEPT. Now enter "Yahoo.com" or whatever is your Home Page and do whatever you normally do. Hope this helps.

  • 30 Posted by teengamer@sbcglobal.net on Thu Sep 3, 2009 9:59PM EDT

    It's very simple to not get your credit card number by these people, just don't put it in. It is that simple, and try to find the legit providers as soon as you can so you know who to stick with. This is why I don't shop online...

  • 31 Posted by jonat1992@sbcglobal.net on Thu Sep 3, 2009 4:40PM EDT

    I think you should check the URL when surfing. Phishers make copies of the page, but it's not the same page, so if you're on bestbuy.com and the URL says something different, you're most likely on an unsecure link.

  • 32 Posted by m_e_meyer@sbcglobal.net on Thu Sep 3, 2009 7:32PM EDT

    Ironically, all of the above comments (and proposed solutions) are now being viewed and considered by the criminals themselves. The real problem is that the hackers have more resources (time) and have a greater incentive. Companies (M.S. etc.) generally need to limit their cost (for profitability) on issues of security. For any system to be truly secure, these companies need to re-evaluate what happens when hackers are caught. Criminals have a different mind ideally suited to finding ways around security measures. Instead of prosecuting these individuals they need to give them full time jobs as company hackers. As for the WiFi issue in general it seems to me that the system in general should have a booby-trap in place to catch hackers. Why not have a comp set up to primarily search for this bogus connection? The system could be set up to continually change its identity etc. It could even have legitimate accounts and credit card numbers etc. Let the hacker spend and receive purchased merchandise. There would be no way the individual could get away with the stolen goods if they didn't know they were being tracked. The problem with most security systems is that they are too easy to identify. Take for example the anti-shoplifting gates at stores, everyone knows how they work. If the system wasn't visible (including the merchandise tags) criminals wouldn't be devising a work-around for the invisible system. Better yet, leave the current system in place (with the second invisible system) so that thieves think they have thought of everything. Just my thoughts

  • 34 Posted by commorancy on Thu Sep 3, 2009 3:28PM EDT

    My original post stated 'common sense'. It is common sense that if you're sitting in Starbucks, in an airport or anywhere other than on your own home network, that that foreign network is, by default, untrusted. It doesn't matter if the entry door states 'HotSpot Powered by T-Mobile', it's still untrusted. Therefore, you should never divulge credit card or personal information. I was not blind to the fact that hackers set up 'pretend' but very convincing sites. My point is that you should never trust any remote/foreign access point with credit card or other sensitive data. It doesn't matter if Verizon set it up or some hacker. Don't trust it. Give out your credit card data at home from equipment and networks you trust. Or, alternatively, call the number printed on your bill or in the phone book and have an account set up that way. Better, go to a store and have them do it there. With remote networks, there are many reasons (not even including hackers) why not to trust that network even if it says 'Powered by T-Mobile'.

  • 35 Posted by bir_bln on Thu Sep 3, 2009 3:08PM EDT

    "Common sense" is the word here. Who in their right mind will be giving out credit card and personal information for wireless internet? Seriously, if you do not own the wireless internet the owner will put encryption on it. If there is no encryption, it is free. That is simple logic. A wireless gateway without encryption asking you for your credit card is like a random stranger from the street asking for your credit card to buy himself some stuff. People falling for this scam are definitely not responsible with their own credit card and maybe they do not deserve a credit card at all.

  • 36 Posted by thenoams on Thu Sep 3, 2009 10:04PM EDT

    I'm not sure if it helps or not, but I turn off "Remote Assistance" and make sure that all my firewalls are up. Also I only use trusted Wi-Fi locations that give you the password to log onto their site. Most places I go to change the password every day at least twice. This may help in your travels. Don't be afraid to ask if the connection is secure. Most places want your business and are willing to help in any way to keep you coming back. I also offer free Wi-Fi to clients who come into my shop. I will be posting this article not to scare them, but to let them understand the risk they take when logging on to the net. I have read most of the comments and all are good advice. Please be careful out there in cyberworld.

  • 37 Posted by gmyachtsman on Thu Sep 3, 2009 4:10PM EDT

    A lot of the problem is with the hotspots themselves -- they don't have any sign saying the name of their hotspot signon. So you are left to guess which of the several ones it could be.

  • 38 Posted by kylefish2001 on Thu Sep 3, 2009 4:55PM EDT

    They don't even need a wireless router to do this. They can create an ad-hoc network on their laptop (which has no internet connection) and then set up a fake page. USE COMMON SENSE WHEN SELECTING A WIRELESS NETWORK. If you do that, and don't use Internet Explorer, you will be just fine.

  • 40 Posted by britboymei on Thu Sep 3, 2009 3:13PM EDT

    Try this, it can't hurt http://www.anchorfree.com/hotspot-shield/

  • 41 Posted by el_guapo_the_superb on Thu Sep 3, 2009 3:54PM EDT

    Is it possible that the establishment offering the Wi-Fi could post the number of hotspots, so that when your computer takes count you can verify that there are the same amount? That way you can determine whether there is an extra network popping up. This, if possible, could deter hackers because it would be public knowledge how many networks you should be seeing. Just a thought.

  • 42 Posted by pspbeyond on Thu Sep 3, 2009 8:20PM EDT

    Will they be able to get the passwords off of the Sony PSP system?

  • 43 Posted by nightsoflondon on Thu Sep 3, 2009 7:38PM EDT

    If Yahoo uses this cheap trick to bring you here and show you laptops, why is it so strange that people without money try to steal you properly? Big companies with shares and millions in daily revenue use all kinds of tricks for selling; they have no moral to criticize or feel scandalized at all for the rest of malpractice on the internet.

  • 44 Posted by bigdaddy7255 on Thu Sep 3, 2009 3:06PM EDT

    Quite simply though, you are never 100% safe unless you take precautions. You can be on the lookout for fake wifi setups, but just to be sure: 1) Don't access sensitive information while connected to wifi hotspots. If you are really needing to, find a landline to access or a desktop PC. 2) Don't buy things or access credit card data EVER when using a wireless connection, especially at a wifi spot that is unsecure like a free network at Starbucks (or a fake one). Even if you are sure it's Starbucks, it's easier just not to risk it. If people would just use common sense a lot less of this stuff would occur.

  • 45 Posted by fantasticankle on Thu Sep 3, 2009 3:58PM EDT

    Very clever. Taking advantage of people who can't bear to be offline for the time it takes them to sip on an over-priced latte. You go bad guys. Obviously, mobile companies will profit from this as more people sign up to avoid such scams. Hey, maybe they sponsored this story. Christopher, why do you have to have your laptop in your photo?
