
Australian Allegedly Conducted ‘Evil Twin’ WiFi Attack During Flight

 

An Australian man has been charged by the Australian Federal Police (AFP) for allegedly carrying out ‘evil twin’ WiFi attacks on multiple domestic flights and at airports in Perth, Melbourne, and Adelaide to steal email and social media credentials.

The investigation began in April 2024 after airline employees reported suspicious activity. Police discovered evidence of the man’s malicious activities by examining devices seized at the airport.

Evil Twin WiFi attack

An evil twin WiFi network is a fraudulent wireless access point that mimics the SSID (WiFi network name) of a legitimate network. For instance, many flights offer in-flight WiFi, prompting passengers to connect to the airline’s network.

In an evil twin attack, a cybercriminal sets up a WiFi network that appears identical to the one provided by the airline.

When users try to connect, they are redirected to a fake login page or captive portal, prompting them to enter email addresses, passwords, or other credentials.

In the case of the Australian arrested by the AFP, he allegedly used a portable device to create free WiFi access points at multiple locations, requiring users to log in with their email or social media accounts.

He collected this information to potentially access more sensitive data, hijack social media accounts, extort victims, or sell it to other cybercriminals.

“AFP cybercrime investigators have allegedly identified data related to the use of fraudulent WiFi pages at airports in Perth, Melbourne and Adelaide, on domestic flights, and at locations linked to the man’s previous employment,” explains the AFP.

The investigation into the post-exploitation activities and the extent of the man’s operation is ongoing.

The suspect faces several criminal charges:

  • Unauthorized impairment of electronic communication, with a maximum penalty of 10 years in prison.
  • Possession or control of data with intent to commit a serious offense, with a maximum penalty of 3 years in prison.
  • Unauthorized access or modification of restricted data, with a maximum penalty of 2 years in prison.
  • Dishonestly obtaining or dealing in personal financial information, with a maximum penalty of 5 years in prison.
  • Possession of identification information with intent to commit an offense, with a maximum penalty of 3 years in prison.

Malicious or untrustworthy WiFi access points are always a risk in public spaces. Users should be cautious about sharing their login credentials and are advised to turn off file sharing on untrusted networks and use a VPN to encrypt internet traffic and protect sensitive information.
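
For the team that runs a legitimate network, the SSID mimicry described above can be looked for in wireless scan data. The following is an added example, not code from the article or the AFP: it compares scan results against an operator's inventory of approved access points. The SSID names, MAC addresses, inventory format and function name are all constructed assumptions.

```python
# Constructed scan results; MAC addresses are locally administered placeholders.
SAMPLE_SCAN = [
    {"ssid": "Airline-WiFi", "bssid": "02:00:00:AA:00:01", "security": "WPA2"},
    {"ssid": "Airline-WiFi", "bssid": "02:00:00:aa:00:02", "security": "WPA2"},
    {"ssid": "Airline-WiFi", "bssid": "02:00:00:ee:99:10", "security": "OPEN"},
    {"ssid": "Cafe-Guest", "bssid": "02:00:00:bb:00:01", "security": "OPEN"},
]

# Hypothetical operator inventory: SSID -> approved BSSIDs and expected security.
INVENTORY = {
    "Airline-WiFi": {
        "bssids": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"},
        "security": "WPA2",
    },
}


def find_lookalike_aps(scan, inventory):
    """Return scan entries that advertise a managed SSID but do not match
    the inventory. A match is not proof of legitimacy, because a BSSID can
    be copied; a mismatch is a lead for a site survey."""
    findings = []
    for ap in scan:
        profile = inventory.get(ap["ssid"])
        if profile is None:
            continue  # not one of our SSIDs, nothing to compare against
        bssid = ap["bssid"].lower()  # normalize case before comparing
        reasons = []
        if bssid not in profile["bssids"]:
            reasons.append("bssid not in inventory")
        if ap["security"].upper() != profile["security"]:
            reasons.append("security differs from inventory")
        if reasons:
            findings.append({"ssid": ap["ssid"], "bssid": bssid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_lookalike_aps(SAMPLE_SCAN, INVENTORY):
        print(finding)
```
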

Not a common attack

While it is not unheard of for threat actors to conduct WiFi attacks, cybersecurity researcher Daniel Card warns that evil twin attacks are not a significant concern for most people.

“This kind of attack is totally possible, as we do it in labs and as part of security testing/training, but it’s rarely seen in the wild,” Card said. “It’s close proximity phishing. Out of all the incidents myself and friends deal with, I’ve never seen or heard about this in the wild other than when used by GRU (or at hacker conferences as a demo/joke/CTF). Outside of GRU (who also got caught), I have only heard of one other case.”

Card is referring to the 2018 indictments of Russian state-sponsored GRU hackers who conducted evil twin attacks to monitor targets’ internet traffic.

He acknowledges that advising people not to use WiFi is unrealistic, as the need to stay online, especially on long trips, is crucial for employees and students.

Instead, Card emphasizes that usernames and passwords are flawed authentication mechanisms, highlighting the importance of multi-factor authentication (MFA) and robust security standards to protect our accounts.

 


Source: BleepingComputer
