Beware the "Evil Twin" Wi-Fi Hotspot
Tue Mar 20, 2007 3:17AM EDT
See Comments (197)
Hop into Starbucks or an airport terminal and you may find yourself tempted by the inexpensive Wi-Fi service offered. Fire up your computer, browse the wireless networks available, and maybe you'll jump on a network named "tmobile" or "wayport" or some other common name among Wi-Fi service providers. Sure enough, your browser pulls up a page asking for your credit card information... or maybe you'll find yourself with "free" access to the internet. Surprise: You might have just been punk'd by a hacker.
Such is the case of the "evil twin" hotspot, a rising danger for users who rely on public hotspots for internet access. The trick is simple: A hacker just creates a hotspot with the same name (or a very similar one) as a legitimate hotspot nearby, hoping to dupe web surfers into connecting to the hacker hotspot instead of the legitimate one. The goal is the usual fare: Collect user names, passwords, credit card numbers. All the good stuff.
The Los Angeles Times notes that such lookalike networks are on the rise, and though this scam has been around for many years, it seems to be rising in popularity. My hunch? Wireless routers have better range than ever before, and it's practically child's play to set up a harvesting web site to dupe people into giving up their personal information. And since your laptop will automatically connect to any network you've connected to in the past (Windows thinks any network named "linksys" is the same network no matter where you go), people can be duped by evil twin hotspots without ever knowing it.
So what can you do about it? Sadly, not a lot, and all that security software on your laptop won't help you one bit if you willingly connect to one of these hotspots. As with most scams, diligence is your best ally: Learn what legitimate hotspot web pages look like. Hackers rarely make a perfect copy. If you encounter anything out of the ordinary, disconnect from the hotspot immediately. Tell the manager of the establishment you're trying to connect to that something funny is going on. They may not do anything about it, but hopefully they'll call the cops and encourage them to track down the signal.
Comments on Beware the "Evil Twin" Wi-Fi Hotspot
Post a Comment
Join in the discussion. Here you'll see the comments in the order they were posted.
-
2 Posted by todd2themax on Thu Sep 3, 2009 10:14PM EDT Report Abuse
Better yet, use your cell phone internet access. It is relatively cheap and can be used anywhere. Contact your provider on what you need. It is a little more to do to connect but the security is worth it.
-
3 Posted by wnchstr.pd@snet.net on Thu Sep 3, 2009 10:49PM EDT Report Abuse
Famous old saying, " the trouble with common sense is that it's not to common."
-
4 Posted by swhhohs on Thu Sep 3, 2009 9:52PM EDT Report Abuse
Yeah, but as the article pointed out, it may also be free and they can still phish your log-in IDs and passwords while you're connected, which may or may not lead to sensitive material. So, it may be common sense not to give out your credit card number, but even if it never asks for that you could still end up being victim to having personal information stolen. I think the best line of defense is that you carefully look at all available connections and choose one manually, rather than allowing your computer to automatically connect to the first one it finds. If two connections identify themselves the same way, I would be extra careful and maybe ask someone which one is legitimate.
-
5 Posted by magesto@pacbell.net on Thu Sep 3, 2009 7:03PM EDT Report Abuse
The last commentator is missing the point of the article. Some hackers use the actual name of the hotspot you are trying to connect to. Also common sense is not everything in the computer world. Many people do not understand or even try to understand the complex workings of a computer especially when it comes to Wi-Fi. Lastly major hotspots require you to give them your username and password. A good practice is to log onto the hotspot from a secure connection before you go to the location with the internet hotspot and set up an account that way. Then when you go to log on all you have to do is enter your user name and password. If you feel you entered a site that is a fraud, go to a secure connection and change your password immediately. At least they don't get your credit card number and if you call the hotspot they may give you a credit on your account.
-
6 Posted by laohuli@sbcglobal.net on Thu Sep 3, 2009 4:56PM EDT Report Abuse
I agree with Comment 1. In this "Gotta have now" times, it can turn into "Gonna Get Ya Now" if common sense isn't used.
-
7 Posted by palmer67114 on Thu Sep 3, 2009 7:48PM EDT Report Abuse
Locally, one of our HotSpots has a SiteWord on their login page. The main banner says to check the word displayed on the blue sign above the cash register. If they don't match, do not log in and provide personal info. Whoever is working the register that day will usually change the sign and the Banner every four or five hours. I know they have more than 10 different words they use. I suppose it would still be possible for someone to come in and check the sign and then set up their fake site accordingly, but that seems like more work than most of the bad-boyz are willing to put in
-
8 Posted by jrtracy@sbcglobal.net on Thu Sep 3, 2009 4:42PM EDT Report Abuse
In my next incarnation, I am going to be a criminal. It is a lot easier than fending them off (or working for a living).
-
9 Posted by keith.napa@sbcglobal.net on Thu Sep 3, 2009 4:48PM EDT Report Abuse
Does anybody know if you have your browser set to automatically log into your isp or favorite site, ie: netflix, etc, can the hacker collect that information? I always use the "remember me" options thinking I was safe. But now I wonder.
-
10 Posted by trloyalist on Thu Sep 3, 2009 10:21PM EDT Report Abuse
I agree with you about the common sense aspect of this problem, but phishers, hackers, and phreakers are smarter than they used to be. They get a thrill out of creating webpages so real that they can dupe the most common-sense among us. All it takes is a bit of capitol to purchase servers, or to pirate them, and a 10 minute learning curve in JSP and HTML. You can make a webpage that uses SSL, looks like "the real deal," & has a domain name nearly identical to the site it seeks to imitate, even though the IP address looks nothing like it. I should know. I've created these webpages before - I did several imitation websites as a project in computer science class in grad school (on a private server used for the class) with the goal of duping the students into giving up "personal information," (although the information wasn't real and wasn't used in any malicious manner). About 80% of the students were easily duped by a handful of websites it only took me about 3 hours to perfect. The thing is, most people in the developed world do not care how their technology works - as long as it works. And they are paying for that stupidity with their pocket books. This one project I did in grad school could easily have launched into a master's thesis in techno-sociology: people, in general, don't care about what makes science or technology tick - they only care how it can serve them. There are plenty of people out there who are not doing these kinds of things for a class project. So I implore all of you: spend a Saturday or Sunday afternoon on www.howstuffworks.com or a similar site and learn about IT, the web, phishing, & hacking. If you don't get smart about this stuff, you're going to get taken advantage of. And if you do feel you've been duped, contact your local law enforcement and get pointed in the right direction.
1 Posted by commorancy on Thu Sep 3, 2009 3:28PM EDT Report Abuse
I think this article rates on the order of common sense. If you attach your computer to an unknown and, more importantly, untrusted access point and then a browser pops up requesting your credit card number, you can very easily be hit with fraud or, worse, identity theft. In fact, you should never give out credit card or other sensitive financial or identifying data when connected to untrusted networks.