EITS Tech Tips & Tech News

Fake Wi-Fi HotSpots: A Criminal's Tool to Steal from You

Written by Kevin Gray | May 19, 2015 6:36:00 PM

 

No matter where you go, the ubiquity of free Wi-Fi hotspots is evident in nearly every public space. Work, recreation, and socialization are all just a few keystrokes away at your local coffee shop, bookstore, or airport. Unfortunately, the same free Wi-Fi that attracts you also attracts hackers who want your data. How do they get it? By pretending to be the free Internet connection you're looking for.

What is a Fake Wi-Fi HotSpot?

Fake Wi-Fi hotspots are often called honeypots because they lure their targets in with something irresistible: free Wi-Fi. Hackers deploy honeypots in areas rich with high-value targets who are away from their normal, secure networks. Think financial and business districts, outside military and research facilities, airports, hotels, conferences, and conventions. The hacker makes his access point look like any other free Wi-Fi hotspot. He might even construct it to look like a hotspot his target has used in the past, say the local coffee shop's Wi-Fi.

When an unknowing victim hops onto a honeypot, he can load all of the websites he normally visits on his laptop or tablet, and he may assume his traffic is encrypted because there's a little padlock in his web browser. What he doesn't know is that the hackers who set up the honeypot are spoofing his web traffic so that it appears to come from the sites he intended to visit. Regardless of where he goes online, they'll be there every step of the way.

How a Fake Wi-Fi Hotspot Can Hurt You and Your Company

First, the hackers will likely steal the target's usernames and passwords, as well as any relevant browsing history. They can do this just by reading his unencrypted traffic, although this can also occur on an innocent, unencrypted hotspot. They can do much more damage with a "man-in-the-middle" attack. These attacks work by convincing two parties, a customer and a bank, for instance, that they are talking directly to one another. In reality, the hacker is stealing data from both, and he could even alter that data as he passes it to its intended receiver.

Second, the hackers will be able to read and download all of the files on the target's computer, including projects from work, along with any personal photos or videos from home. 

 

Third, they might redirect the target to a malware site so that his computer can be accessed again from any network. From there, further phishing (the stealing of sensitive data) will continue, and in some cases his computer might be remotely hijacked for use in hacking attempts against other computers and networks.


How to Avoid Fake Wi-Fi Hotspots

While fake hotspots can be difficult to detect, there are several things you can do to minimize your risks when mobile browsing.

 

First, assume all public networks are non-secure. Surfing the web in a coffee shop is like surfing the ocean. Sharks swim under the surface. Even access points that prompt you for credentials might be compromised.

 

Second, make sure your computer security software is up to date, your firewall is on, and you've disabled file sharing. Make sure none of your devices auto-join networks, too.

 

Third, verify the name of the hotspot with the Wi-Fi provider. Don't just assume a network called "Coffee Shop Free Wireless" belongs to the coffee shop you're in; go ask.

Fourth, use common sense. If your computer behaves strangely, if you're suddenly disconnected from the website you were browsing, if you're redirected to another website, or if your computer disables its protections, you might be in trouble. Disconnect from the network and contact your company's information security specialist.
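
The hotspot-name and auto-join advice above can be turned into a quick check, shown here as an added example that is not part of the original article: the Python sketch compares the networks in range against the networks a device has saved and flags lookalikes of a saved name. The network names, addresses, data layout, and the `audit_scan` function are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: networks this device has saved, with the security
# type and access-point addresses (BSSIDs) seen when each was first joined.
SAVED = {
    "CoffeeShop-Guest": {"security": "wpa2", "bssids": {"aa:bb:cc:00:00:01"}},
    "Office-WiFi": {"security": "wpa2",
                    "bssids": {"aa:bb:cc:00:10:01", "aa:bb:cc:00:10:02"}},
}

# Constructed sample scan: (ssid, bssid, security) for each network in range.
SCAN = [
    ("CoffeeShop-Guest", "aa:bb:cc:00:00:01", "wpa2"),
    ("CoffeeShop-Guest", "de:ad:be:ef:00:99", "open"),
    ("Office-WiFi", "aa:bb:cc:00:10:02", "wpa2"),
    ("Airport Free WiFi", "12:34:56:78:9a:bc", "open"),
]

# Relative strength of each security type, weakest first.
STRENGTH = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3, "wpa3": 4}


def audit_scan(saved, scan):
    """Return (ssid, bssid, reason) findings for lookalikes of saved networks."""
    findings = []
    security_by_ssid = defaultdict(set)
    for ssid, bssid, security in scan:
        security_by_ssid[ssid].add(security)
        profile = saved.get(ssid)
        if profile is None:
            continue  # never joined, so the device will not auto-join it
        if STRENGTH[security] < STRENGTH[profile["security"]]:
            # Saved name offered with weaker protection than when it was joined.
            findings.append((ssid, bssid, "security-downgrade"))
        elif bssid not in profile["bssids"]:
            # Saved name broadcast by an access point never seen before.
            findings.append((ssid, bssid, "unknown-access-point"))
    for ssid, kinds in security_by_ssid.items():
        if len(kinds) > 1:
            # One name advertised with different security types at once.
            findings.append((ssid, None, "mixed-security"))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reason in audit_scan(SAVED, SCAN):
        print(f"{reason:22} {ssid} {bssid or ''}")
```

An access point's address can be copied as well as its name, so an empty result does not prove a network is genuine; asking the provider still applies.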