News | May 10, 2005

AirDefense Discovers New Version Of "Evil Twin" Attack At Interop 2005

Atlanta -- Wireless network security and monitoring company AirDefense today announced that a mutated, malicious version of the "Evil Twin" attack was discovered last week while monitoring the airwaves of Interop 2005 in Las Vegas.

This newest Wi-Fi phishing attack is a more sophisticated version of an "Evil Twin" attack that propagated over the Internet in January. "Evil Twin," also known as access point (AP) phishing, is a technique whereby an attacker tricks victims into connecting to a laptop or PDA by posing as a legitimate hotspot. Once the user is connected, the user is coerced into downloading a series of custom-written Trojans and viruses.

As an example of this attack, AirDefense identified people spoofing "free_extreme," the free wireless access sponsored by Extreme Networks. Once unsuspecting attendees made a wireless connection, they received a false page with a mouse-activated web overlay. Any click of an attendee's mouse would trigger a download of viruses, regardless of where the attendee clicked on the Web page.

Richard Rushing, chief security officer for AirDefense, suspects the custom scripts were launched with a distinct purpose in mind. "Attackers are most interested in stealing user IDs and passwords to gain access to corporate networks," said Rushing.

Similar to email phishing or pharming, AP phishing is the manipulation of a wireless user. Presented with a familiar scenario, such as a login page to a hotspot, the user will readily provide his or her user ID and password. The attacker will then have the ability to exploit vulnerabilities or even add Trojans or viruses to the laptop, often without the user's knowledge.

AirDefense monitored the wireless traffic at Interop 2005 from the AirDefense booth, on the show floor, and at a mobile location inside the convention hall where people congregated at lunch, and before and after the keynotes. AirDefense tracked an overall increase in wireless usage from previous Interops, which coincided with an increase in wireless risks and attacks including:

  • 1,318 stations were probing for networks that were not represented at the show
  • 320 cases of MAC spoofing likely used for malicious activity
  • 172 scanning devices including Netstumbler and probing stations
  • 63 Denial of Service attacks
  • 44 authentication errors
  • 37 brute force attacks
  • 25 "Evil Twin" attacks
  • 16 AP phishing attempts

"Wireless has become pervasive and people were eager to get online during breaks in the conference," said Rushing. "However, users continue to neglect securing their devices and do not detect phishing scams or rogues connecting to them. These under the radar attacks are similar to the types of attacks occurring regularly on the enterprise level in government, healthcare, financial services and many other industries."

AirDefense recommends that conference attendees register for hotspot use on a secure wired connection prior to using wireless. AirDefense also recommends that attendees read all pop-up windows in their entirety.

Source: AirDefense