What is an Evil Twin Attack?
An evil twin attack involves an attacker setting up a fraudulent wireless access point (AP), also known as an evil twin, that mimics the characteristics (including the SSID) of a legitimate AP. This attack has existed about as long as wifi has. Users may connect to the evil twin automatically, or do so thinking the fraudulent AP is part of a trusted wifi network. Attackers can expedite this process by interfering with the connection to the legitimate AP their device is mimicking. Once users have connected to an evil twin, they may be asked to enter a username and password into a fraudulent form that sends those credentials to the attacker. Alternatively, the attacker can simply eavesdrop and intercept any unsecured information users transmit, all without their knowledge.
How to Recognize This Threat: Not easily. You will be able to get online, and the network listed will appear to be legitimate (though do look for and avoid any network names that are slightly off).
How to Prevent This Threat: Some would suggest not using any public wifi networks, but if that is impractical, a VPN can provide an extra layer of security when accessing these networks. Also be aware of the procedures required to connect to any public network (such as whether it requires authentication), and avoid transmitting any sensitive information when using these connections. As a network administrator, ensure you have strong security mechanisms in place, including authentication for users to access your network, endpoint protection (for both network and public users), and secure wifi. A Wireless Intrusion Prevention System (WIPS), such as the one offered through WatchGuard wireless access points, can detect evil twins and even stop any managed clients from connecting to them.
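
The comparison behind this kind of detection can be sketched as follows. This is an added example, not code from the original page or from any WatchGuard product: it checks scanned APs against an inventory of authorized ones and flags a matching SSID on an unknown BSSID, a known BSSID advertising different security, and network names that are slightly off. The inventory, the scan records, the 0.85 similarity threshold and all function names are assumptions constructed for illustration.

```python
from difflib import SequenceMatcher

# Constructed inventory of authorized APs: SSID -> {BSSID: expected security}
AUTHORIZED = {
    "CorpWiFi": {"a4:11:22:33:44:01": "WPA2-Enterprise",
                 "a4:11:22:33:44:02": "WPA2-Enterprise"},
}

# Constructed scan results, shaped as a sensor or site-survey tool might report them
SCAN = [
    {"ssid": "CorpWiFi", "bssid": "a4:11:22:33:44:01", "security": "WPA2-Enterprise"},
    {"ssid": "CorpWiFi", "bssid": "de:ad:be:ef:00:01", "security": "Open"},
    {"ssid": "CorpWiFi", "bssid": "a4:11:22:33:44:02", "security": "Open"},
    {"ssid": "C0rpWiFi", "bssid": "02:00:00:aa:bb:cc", "security": "Open"},
    {"ssid": "CoffeeShop", "bssid": "10:20:30:40:50:60", "security": "WPA2-Personal"},
]

LOOKALIKES = str.maketrans("01l5", "oiis")  # fold characters often swapped in names

def normalize(ssid):
    """Lower-case, fold look-alike characters and drop separators."""
    folded = ssid.lower().translate(LOOKALIKES)
    return "".join(ch for ch in folded if ch.isalnum())

def classify(ap, authorized=AUTHORIZED):
    """Return a finding for one scanned AP, or None if nothing stands out."""
    known = authorized.get(ap["ssid"])
    if known is not None:
        expected = known.get(ap["bssid"].lower())
        if expected is None:
            return "same SSID, unknown BSSID"
        if ap["security"] != expected:
            return "known BSSID, security mismatch"
        return None  # BSSIDs can be spoofed, so this means "not flagged", not "verified"
    name = normalize(ap["ssid"])
    for ssid in authorized:
        target = normalize(ssid)
        if name == target or SequenceMatcher(None, name, target).ratio() >= 0.85:
            return f"look-alike of {ssid}"
    return None

def find_suspects(scan):
    """Return (ssid, bssid, finding) for every AP that classify() flags."""
    return [(ap["ssid"], ap["bssid"], f) for ap in scan if (f := classify(ap))]

if __name__ == "__main__":
    for ssid, bssid, finding in find_suspects(SCAN):
        print(f"{ssid:<12} {bssid}  {finding}")
```

An AP that passes these checks is only unflagged: an attacker can copy a BSSID and security settings as well as the SSID, which is why the client-side precautions above still apply.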