We always wanted a twin, well not this one. The evil twin attack
An evil twin, in security, is a rogue wireless access point that masquerades as a legitimate Wi-Fi access point so that an attacker can gather personal or corporate information without the end-user's knowledge. The evil twin is the wireless LAN equivalent of the phishing scam.
This type of attack may be used to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves setting up a fraudulent web site and luring people there.
So how did this happen?
A hacker sets the service set identifier (SSID) of a rogue access point to be the same as an access point at the local hotspot or corporate wireless network. The hacker then disrupts or disables the legitimate AP by disconnecting it, directing a denial of service against it, or creating RF interference around it. Users lose their connections to the legitimate AP and reconnect to the "evil twin," allowing the hacker to intercept all the traffic to that device.
The attacker snoops on Internet traffic using a bogus wireless access point. Unwitting web users may be invited to log into the attacker's server, prompting them to enter sensitive information such as usernames and passwords. Often, users are unaware they have been duped until well after the incident has occurred.
When users log into unsecured (non-HTTPS) bank or e-mail accounts, the attacker intercepts the transaction, since it is sent through their equipment. The attacker is also able to connect to other networks.
Fake access points are set up by configuring a wireless card to act as an access point (known as Host AP). They are hard to trace since they can be shut off instantly. The counterfeit access point may be given the same SSID and BSSID as a nearby Wi-Fi network. The evil twin can be configured to pass Internet traffic through to the legitimate access point while monitoring the victim's connection, or it can simply say the system is temporarily unavailable after obtaining a username and password.
Well, there is a tool developed to detect these attacks here: https://www.darknet.org.uk/2015/04/evilap-defender-detect-evil-twin-attacks/
How to fight against such an attack?
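The core check such a detector performs is comparing what a scan sees against a whitelist of the APs you actually operate. Here is an added example of that check (written for this post, not code from EvilAP Defender); the scan results, whitelist, BSSIDs and channels are all invented.

```python
# Constructed scan results (invented values) in the shape a tool such as
# `iw dev wlan0 scan` reports them: SSID, BSSID, channel and signal in dBm.
SCAN = [
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:55", "channel": 6,  "signal": -48},
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:56", "channel": 11, "signal": -55},
    {"ssid": "CorpWiFi", "bssid": "DE:AD:BE:EF:00:01", "channel": 6,  "signal": -30},
    {"ssid": "Guest",    "bssid": "00:11:22:33:44:57", "channel": 1,  "signal": -60},
    {"ssid": "linksys",  "bssid": "c0:ff:ee:00:00:01", "channel": 1,  "signal": -35},
]

# Hypothetical whitelist of the APs we operate: for each SSID, the legitimate
# BSSIDs and the channel(s) each one is configured on.
WHITELIST = {
    "CorpWiFi": {"00:11:22:33:44:55": {6}, "00:11:22:33:44:56": {11}},
    "Guest":    {"00:11:22:33:44:57": {1}},
}

def find_evil_twins(scan, whitelist):
    """Compare a scan against the whitelist and return one alert tuple
    (kind, ssid, bssid, channel, signal) per suspicious AP.

    kind is "unknown_bssid" for an AP advertising one of our SSIDs from a BSSID
    we do not own, or "channel_mismatch" for one of our BSSIDs seen on a channel
    it is not configured for (a cloned BSSID on another channel looks like this).
    SSIDs we do not operate are skipped: there is nothing to compare them to.
    """
    alerts = []
    for ap in scan:
        ssid = ap["ssid"]
        if ssid not in whitelist:
            continue
        bssid = ap["bssid"].lower()  # normalise case before comparing
        known = {b.lower(): chans for b, chans in whitelist[ssid].items()}
        if bssid not in known:
            alerts.append(("unknown_bssid", ssid, bssid, ap["channel"], ap["signal"]))
        elif ap["channel"] not in known[bssid]:
            alerts.append(("channel_mismatch", ssid, bssid, ap["channel"], ap["signal"]))
    return alerts

if __name__ == "__main__":
    for alert in find_evil_twins(SCAN, WHITELIST):
        print(alert)
```

Note that the rogue in the sample has the strongest signal of the three "CorpWiFi" entries, which is exactly what makes clients prefer it; a real deployment would run this on every scan and page someone on the first alert.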
1. Odd venues
Evil twins aren't limited to public hotspots. These attacks can occur in offices or dorms – anywhere victims might be tricked into connecting to look-alike APs. Hotspot SSIDs are just really good bait. So, if you're in your hotel room and you see an SSID that's clearly out of place – like linksys – don't connect. Better yet, disable auto-connect for saved hotspot SSIDs to avoid accidental reconnects.
2. Ad hocs
Public hotspots use infrastructure APs to connect many users to the Internet. The alternative – ad hoc mode – connects peers directly to each other, for example to share a printer. Many ad hocs are perfectly innocent, but if you see an ad hoc network advertising a hotspot SSID, don't connect, and disable ad hoc mode to avoid accidents.
3. Disconnects
Evil twins can wait passively for users to take the bait. But real hackers would more likely use free tools like aireplay to speed things up by disconnecting all users, hoping some will reconnect to the evil twin. A hotspot that keeps disconnecting and reconnecting could just be too weak or distant. But if you have a strong signal and suddenly keep getting disconnected, exercise caution. For added protection, a host IDS can be used to detect this type of "deauth flood."
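What such an IDS does is count deauthentication frames per AP over a short sliding window. Here is an added example of that logic (written for this post, not code from any IDS product); the frame records, addresses and timings are invented, and a real deployment would feed it parsed frames from a monitor-mode capture.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:11:22:33:44:55"  # hypothetical legitimate AP

# Constructed 802.11 management-frame records (invented values) in the shape a
# parsed monitor-mode capture would give: (time_s, subtype, src, dst, reason).
# One isolated deauth at t=1.2 is a normal disconnect; the burst at t=10 is a
# flood. Flood frames spoof the AP's address, so src is the impersonated BSSID.
FRAMES = [
    (0.0, "beacon", AP, BROADCAST, None),
    (1.2, "deauth", AP, "aa:bb:cc:dd:ee:01", 3),
    (5.0, "beacon", AP, BROADCAST, None),
]
FRAMES += [(10.0 + i * 0.05, "deauth", AP, BROADCAST, 7) for i in range(30)]

def detect_deauth_flood(frames, window=5.0, threshold=10):
    """Sliding-window detector: raise one alert per BSSID each time the number of
    deauth/disassoc frames claiming to come from it within `window` seconds first
    reaches `threshold`; the alert re-arms once the count drops below threshold.
    Each alert also counts how many of those frames were broadcast, since a
    broadcast deauth kicks every client at once and is rarely legitimate."""
    recent = defaultdict(deque)  # bssid -> deque of (time, is_broadcast) in window
    flooding = set()
    alerts = []
    for t, subtype, src, dst, _reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append((t, dst == BROADCAST))
        while q and t - q[0][0] > window:  # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            if src not in flooding:
                flooding.add(src)
                alerts.append({"time": t, "bssid": src, "count": len(q),
                               "broadcast": sum(1 for _, b in q if b)})
        else:
            flooding.discard(src)
    return alerts

if __name__ == "__main__":
    for alert in detect_deauth_flood(FRAMES):
        print(alert)
```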
4. Free rides
If you connect to a commercial hotspot for the first time and it lets you use the Internet without prompting for login or payment, you might be the lucky recipient of a free ride. Plenty of hotspots offer free Internet access, but a known for-pay hotspot wouldn't behave this way – unless you've connected to an evil twin posing as that hotspot. When a deal seems too good to be true, it probably is.
5. Funky portals
To grab credentials and payment data, evil twins can redirect victims to fake portal login pages, which may even be copies of the real thing. If those portal pages aren't secured with SSL, trigger certificate warnings, or simply look odd, keep all sensitive values to yourself. Better yet, take yourself out of the equation by using a hotspot connection manager that authenticates securely without a portal login.
6. Dubious DNS
To execute man-in-the-middle attacks, evil twins can use their own DNS to redirect user traffic to spoofed application servers. For example, if a hotspot-supplied DNS resolves all Web requests to addresses that are, or correspond to, non-routable private IP addresses (e.g., 192.168.x.x), that's not a good sign. While this could be something as innocent as a local Web cache, exercise caution.
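Here is an added example of that sanity check over a set of resolver answers (written for this post, not code from any tool); the names and addresses are invented, and the check is meant for answers received after any portal login, since before login a captive portal legitimately resolves everything to itself. It flags two things the paragraph describes: public names resolving to non-routable space, and many unrelated names funnelled to one address.

```python
import ipaddress
from collections import defaultdict

# Constructed answers (invented values) from the hotspot-supplied resolver,
# keyed by the public name that was queried.
HOTSPOT_ANSWERS = {
    "mail.example.com": ["192.168.1.1"],
    "bank.example.com": ["192.168.1.1"],
    "www.example.org":  ["93.184.216.34"],
    "cdn.example.net":  ["100.64.0.5"],
}

# Shared address space (RFC 6598) is not covered by ipaddress' is_private.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

def is_non_routable(addr):
    """True for addresses a public Internet host should never resolve to."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip in CGNAT

def suspicious_dns(answers, min_shared=2):
    """Return two findings from a set of resolver answers:
    non_routable: name -> the non-routable addresses it resolved to;
    shared: address -> sorted public names that all resolved to it (a wildcard
    answer sending unrelated sites to one host is typical of a MITM resolver)."""
    non_routable = {}
    by_ip = defaultdict(set)
    for name, addrs in answers.items():
        bad = [a for a in addrs if is_non_routable(a)]
        if bad:
            non_routable[name] = bad
        for a in addrs:
            by_ip[a].add(name)
    shared = {ip: sorted(names) for ip, names in by_ip.items()
              if len(names) >= min_shared}
    return non_routable, shared

if __name__ == "__main__":
    bad_names, funnelled = suspicious_dns(HOTSPOT_ANSWERS)
    print("non-routable answers:", bad_names)
    print("shared answers:", funnelled)
```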
7. Unfamiliar behavior
If an evil twin succeeds in directing Web requests to a spoofed site, it's up to you to authenticate that server. If you visit a familiar but unsecured site that looks slightly broken or behaves in an unusual way, it could just be undergoing maintenance or an update. Or it could be a hacked copy of the real site; for unsecured sites, there's no fool-proof way to be sure.
8. Bad certs
Fortunately, secure Web servers can be authenticated by digital certificate. Your browser will even try to validate the server's certificate for you. But if a certificate warning appears, don't ignore it. Legitimate sites occasionally trigger these, but you could well have landed at a phony Web server designed to steal identities or spread malware. In particular, never blindly accept a self-signed certificate or a certificate issued by an untrusted authority.
9. Phony servers
Of course, spoofing isn't limited to Web servers. Evil twins can use free tools like karmetasploit to redirect email, file transfer, and other apps to phony servers that record logins, passwords, and message content. Fortunately, many apps support server authentication – for example, sending POP, SMTP, and FTP over TLS. To avoid falling for man-in-the-middle attacks, seize every opportunity to verify app server credentials.
10. Out-of-service VPNs
Most man-in-the-middle attacks an evil twin might attempt can be defeated by sending all traffic – even public Internet traffic – over a VPN. If a hotspot lets you connect to the Internet but not to your VPN, you might be tempted to make do – but don't. While some real hotspots interfere with VPN protocols, this is a rare exception. It could be an evil twin using a phony IPsec VPN gateway to grab vulnerable IDs and shared secrets. For reliable protection against this attack, use an always-on VPN with strong mutual authentication.
Bottom line:
You may never run into an evil twin, but just in case you do: SSL-protected apps and VPNs are excellent defenses, but they must still be used properly. Don't ignore warnings. And if a hotspot doesn't feel right, move on.