
The Australian Federal Police (AFP) has charged an Australian man with carrying out “Evil Twin” Wi-Fi attacks on several domestic flights and at airports in Perth, Melbourne and Adelaide to steal other people’s email and social media credentials.
Police began their investigation after receiving a tip from an airline employee in April 2024. After examining the man’s devices, which were seized at the airport, they found evidence that he was engaging in nefarious activities.
Evil Twin WiFi Attacks
An Evil Twin WiFi network is a malicious/fake wireless access point that uses the same SSID (WiFi network name) as a legitimate or expected network in a particular area. For example, many flights offer in-flight WiFi and require passengers to first connect to the airline’s WiFi network.
When cybercriminals carry out an Evil Twin attack, they set up a WiFi network under their control using the same name as one advertised by the airline.
Users who connect to the malicious access point are directed to a fake login page or captive portal web page, where they are asked to log in using an email address, password, or other credentials.
In the case of the Australian man arrested by the AFP, the agency said the suspect used his mobile device to set up free Wi-Fi hotspots in several locations and required users to log in using their email or social media accounts.
The information he collected could later be used to access more sensitive data, hijack social media accounts, blackmail victims, or sell it to other cybercriminals.
“AFP cybercrime investigators allegedly identified data relating to the use of fraudulent Wi-Fi pages at Perth, Melbourne and Adelaide airports, domestic flights and locations linked to the man’s previous place of employment,” AFP explained.
Investigations into the post-exploitation activities and extent of the man’s activities are still ongoing.
The criminal charges against the suspect are as follows:
- Unauthorized interference with electronic communications is punishable by up to 10 years in prison.
- Managing data with the intent to commit a serious crime carries a maximum penalty of three years in prison.
- Unauthorized access to or modification of restricted data is punishable by up to two years in prison.
- Fraudulently obtaining or trading personal financial information carries a maximum prison sentence of five years.
- Possession of an ID card with the intent to commit a crime is punishable by up to three years in prison.
There is always the possibility of malicious or untrusted WiFi access points in public places, so those who need to use them should be careful about entering login credentials while connected.
It’s also recommended to turn off file sharing on untrusted WiFi networks and use a VPN to encrypt your internet traffic to prevent sensitive information from being captured.
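For network operators, the same-SSID behaviour described above can be checked from the defender's side. The following is an added example, not code from the AFP or the original article: it compares Wi-Fi scan results against an inventory of deployed access points and flags any unlisted BSSID that advertises a managed SSID. The CSV layout, the SSIDs, the BSSIDs and the KNOWN_APS inventory are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample scan (not real capture data): one row per beacon seen.
SAMPLE_SCAN = """\
ssid,bssid,security,signal_dbm
Airline-WiFi,02:00:00:aa:00:01,open,-62
Airline-WiFi,02:00:00:aa:00:02,open,-70
Airline-WiFi,02:00:00:FF:00:99,open,-38
Lounge-Staff,02:00:00:bb:00:01,wpa2,-55
Lounge-Staff,02:00:00:ff:00:9a,open,-41
CoffeeShop,02:00:00:cc:00:01,wpa2,-80
"""

# Hypothetical inventory: BSSIDs the operator actually deployed, per SSID.
KNOWN_APS = {
    "Airline-WiFi": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"},
    "Lounge-Staff": {"02:00:00:bb:00:01"},
}

def parse_scan(text):
    """Parse the CSV scan and normalise BSSID case for comparison."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["bssid"] = r["bssid"].lower()
    return rows

def find_suspects(rows, known_aps):
    """Return (ssid, bssid, reasons) for unlisted APs reusing a managed SSID."""
    by_ssid = defaultdict(list)
    for r in rows:
        by_ssid[r["ssid"]].append(r)
    findings = []
    for ssid, aps in by_ssid.items():
        if ssid not in known_aps:
            continue  # no inventory for this network, nothing to compare
        expected = {a["security"] for a in aps if a["bssid"] in known_aps[ssid]}
        for a in aps:
            if a["bssid"] in known_aps[ssid]:
                continue
            reasons = ["unknown BSSID for managed SSID"]
            if expected and a["security"] not in expected:
                reasons.append(f"security mismatch: {a['security']} vs {'/'.join(sorted(expected))}")
            findings.append((ssid, a["bssid"], reasons))
    return findings

if __name__ == "__main__":
    for finding in find_suspects(parse_scan(SAMPLE_SCAN), KNOWN_APS):
        print(finding)
```

A BSSID that matches the inventory is not proof of legitimacy, since hardware addresses can be copied; the check covers the case reported here, a hotspot run from a personal device under a familiar network name.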
Not a Typical Attack
While it’s not unheard of for threat actors to carry out these types of WiFi attacks, cybersecurity researcher Daniel Card says that Evil Twin attacks aren’t something most people need to worry about.
“This kind of attack is entirely possible, but is rarely seen in the wild, as it occurs in labs or as part of security testing/training,” Card told BleepingComputer.
“This is proximity phishing. In all the incidents I and my friends have experienced, I have never actually seen or heard of this technique except when used by the GRU (or as a demo/joke/CTF at hacker conferences). I’ve only heard of one other case outside of the GRU (who got caught).”
The researcher pointed to a 2018 indictment of Russian government-backed GRU hackers who carried out Evil Twin attacks to monitor targets’ internet traffic.
Card said telling people not to use Wi-Fi is unrealistic, as the need to stay online has become crucial for employees and students, especially when traveling long distances.
Rather, usernames and passwords are a flawed authentication mechanism, and MFA and robust security standards are needed to protect accounts, Card said.


