Evil Twin Attack: What It is and How to Detect It?

Abeerah Hashim  - Security Expert
Last updated: May 10, 2023
Read time: 8 minutes Disclosure

Evil twin attacks are relatively cheap and practical tools for hackers. They are hard to detect and very destructive when they succeed. So it's essential to be aware and proactive to stay safe.

Public wifi hotspots can be very dangerous because they set up the stage for hackers to perform evil twin attacks. This kind of attack can be highly harmful to the victims. But you can remain safe by being aware of these threats, adopting proactive safety measures, and, above all, adopting a VPN.

Taking advantage of the ubiquitous wifi hotspots you find when you’re shopping, traveling, or just going out for a cup of coffee is perfectly natural. It’s practical and convenient, which is the point of such technology. However, public wifi hotspots are probably the riskiest digital environment you can find. Evil twin attacks are one of the factors that make them so dangerous, so it’s a good idea to learn what they are and how you can protect yourself.

Evil twin attacks: What are they?

Imagine that a hacker in a public wifi network sets up a wifi fake access point that mimics an authentic one near it. That’s an evil twin attack. As the users connect to the phony node, all their traffic goes through a computer in the hacker’s hands, so he becomes privy to everything the user does online.

Hackers don’t need many resources to develop an evil twin. Even a smartphone will do the trick as long as it has the right software in it. Evil twin attacks are most frequent in public wifi hotspots.

The mechanics of an evil twin attack

So let’s initiate you in the arcane arts of evil twin attacks. Here is how they work:

Finding the right spot

The attacker starts by finding a good place to set up the shop. This would be a busy place, popular, and with known public wifi access. So airports, hotels, libraries, and coffee houses fit the bill. Even better, from the hacker’s point of view, these places often offer multiple nodes with the same name, making the evil twin’s existence even harder to detect.

Setting up the wifi access point

The next step is to have a look at the local traffic to notice the names of the legitimate networks or their Service Set Identifier (SSID). Then you set up another access point using the exact name of one of the surrounding SSIDs. This new node can be a smartphone, a laptop, a tablet, or a portable router. The hacker also has the option to use a wifi pineapple to increase its range. Any device that connects to the evil twin can’t tell the difference.

Encouraging users to use the evil twin

If the hacker moves closer to a given user in the environment, the evil twin’s signal will be much stronger for that user. So naturally, that’s an incentive to connect, and many devices are configured to pick the most vital signals by default.

Setting up a fake portal

Most public wifi services will take you to a portal in which you need to provide some credentials before you can go ahead and surf the web or do anything else online. Unfortunately, hackers will mimic this portal to have the users provide them with login credentials and other data.

Stealing the data

If you connect to one of these fake spots, the hacker becomes your ISP. Then, the attack moves to the next step, known as “Man in the middle.” Finally, the hacker monitors all your traffic. So if you log in to your Facebook account, the hacker will have the means to retrieve your login and password.