Published: July 25, 2020 in our Security Fraud News & Alerts Newsletter.
WiFi has become a part of pretty much any device that has network access, from mobile phones and tablets to desktop computers and laptops. The time to plug in an Ethernet cable has long since passed. And while just a few years ago it was considered high risk to allow WiFi access in corporate offices, now it is just a standard part of doing business.
Unfortunately, when dealing with technology that everyone is using, cybercriminals are generally also going to get involved. And when it comes to WiFi, there are plenty of opportunities for cybercriminals to attack. Fortunately, most of this risk can be easily eliminated through awareness and proper security controls.
One of the most common forms of attack is the malicious WiFi access point. One of these devices can be set up in hotels, coffee shops, airports, near corporate offices and apartment complexes, or anywhere a cybercriminal feels potential victims are likely to connect. The goal of the cybercriminal is simply to get unsuspecting victims to connect to these malicious devices when a user wants or needs WiFi access. For example, at a hotel the malicious WiFi access point might be set up near the pool and offered for “free.” The WiFi broadcast name might be something like “Free Pool WiFi.” If you’re a guest at the hotel and see this device available, chances are that you will not hesitate to connect your mobile device or laptop.
Another way that criminals will get you to connect to their malicious WiFi access point is to simply imitate a legitimate access point. For example, if you’re at work, the access point name might be your corporate name. A cybercriminal can sit in a car or office nearby and turn on a WiFi access point that has the same name. Now, when your mobile device or computer attempts to connect to the access point that it has connected to in the past, it might connect to the malicious access point instead of the real one. This is because many devices are designed to remember previous access points that they connect to. So if that device becomes available again, the device will connect automatically. Criminals can even go so far as to knock the legitimate access point offline, making only their access point available in the area.
Assuming that your mobile device or computer has connected to one of these malicious access points, what can a cybercriminal do? First, once your device is connected to the WiFi access point, the cybercriminal has the ability to begin attacking that device directly. If the device were to have any vulnerabilities, including missing patches, the criminal has a direct connection to the device, allowing for easy access to those vulnerabilities. With successful exploitation of the vulnerability, the criminal would then have control of that device without the user’s knowledge. In addition, even if the user disconnects from that WiFi access point, every time she connects back online from anywhere in the world, the criminal would have the ability to regain access going forward because the malware would already be installed.
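As an added example (not part of the original article), here is how a defender could flag look-alike access points in a WiFi scan listing by comparing each beacon that uses a trusted network name against an inventory of the organization's real access points. The network name, hardware addresses (BSSIDs), security ranking and scan data are constructed assumptions.

```python
from dataclasses import dataclass

# Simplified ranking of security modes, weakest to strongest (assumption for this example).
SECURITY_RANK = {"open": 0, "wep": 1, "wpa2-psk": 2, "wpa2-enterprise": 3, "wpa3": 4}

@dataclass(frozen=True)
class Beacon:
    ssid: str       # broadcast network name
    bssid: str      # hardware address of the access point radio
    security: str

# Hypothetical inventory of trusted networks and their real access points.
KNOWN = {
    "ExampleCorp": {"bssids": {"06:00:00:00:10:01", "06:00:00:00:10:02"},
                    "security": "wpa2-enterprise"},
}

def audit_scan(beacons, known=KNOWN):
    """Return (severity, bssid, reason) for suspicious beacons using a trusted name."""
    findings = []
    for ssid, profile in known.items():
        seen = [b for b in beacons if b.ssid == ssid]
        legit_visible = any(b.bssid.lower() in profile["bssids"] for b in seen)
        for b in seen:
            if b.bssid.lower() in profile["bssids"]:
                continue  # matches inventory; a BSSID can still be spoofed
            # Unknown security strings are treated as the weakest mode.
            if SECURITY_RANK.get(b.security, 0) < SECURITY_RANK[profile["security"]]:
                findings.append(("high", b.bssid, "trusted name offered with weaker security"))
            elif not legit_visible:
                # Fits the case where the real access point was knocked offline.
                findings.append(("high", b.bssid, "unknown AP is the only one offering trusted name"))
            else:
                findings.append(("medium", b.bssid, "unknown AP using trusted name"))
    return findings

# Constructed scan results, not captured from a real network.
SAMPLE_SCAN = [
    Beacon("ExampleCorp", "06:00:00:00:10:01", "wpa2-enterprise"),
    Beacon("ExampleCorp", "02:11:22:33:44:55", "open"),
    Beacon("ExampleCorp", "02:AA:BB:CC:DD:EE", "wpa2-enterprise"),
    Beacon("Free Pool WiFi", "02:de:ad:be:ef:00", "open"),
]

if __name__ == "__main__":
    for severity, bssid, reason in audit_scan(SAMPLE_SCAN):
        print(f"[{severity}] {bssid}: {reason}")
```

A clean result does not prove the network is genuine, because an attacker can also copy the hardware address; the certificate checks described later in the article remain the stronger signal.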
Another risk is tied to privacy. While a victim is connected to the malicious access point, everything the user does online can be monitored by the cybercriminal. This risk has been reduced in recent years as more sites have installed SSL certificates. An SSL certificate allows the website to encrypt all of its traffic. So when you visit a website and the URL starts with HTTPS://, that indicates that everything you see and type on that website is secure, and even if you were on a malicious WiFi access point, the criminal cannot actually see what you’re typing. It is important to note that while HTTPS does ensure that the data you are sending to the website is secure, HTTPS does not guarantee the website you are visiting is actually legitimate. What this means is that if you have typed in the correct URL and you see the HTTPS, then you should be safe. On the other hand, if you accidentally mistype the URL or are visiting a site that you are not familiar with, it could have HTTPS in the URL, but that does not guarantee the website itself is safe. Again, it only ensures that the connection you have to that website is secure and cannot be monitored by a criminal on the WiFi network.
Of course, criminals don’t simply give up. Instead, the criminals will attempt to break the encryption between the victim and the website. Doing this allows the criminal to monitor everything the user types. Fortunately, this type of attack is very easy to detect because you will receive a warning on your screen telling you that there is a security issue with the website. In many cases it will specifically say that there is an issue with the Security Certificate. If you see one of these warnings, stop! Do not select to ignore the warning or continue to the website. If you do, then everything you see and type going forward can be monitored and recorded. If you see one of these warnings, it means something is wrong, and until you can talk with tech support from either your company or the company that provides the website, never continue.
The last common form of attack with malicious WiFi access points is through what is known as a DNS attack. When your mobile device or computer connects to any WiFi access point, that access point will assign a DNS server to your device. A DNS server is a system that tells your computer how to get to another computer based on the domain name that you type into your computer. For example, if you open your web browser and type in www.sosdailynews.com, your computer has no idea what that actually means. Instead it will send that domain name to a DNS server and ask “how do I get to this address?” The DNS server will then respond with something like “18.104.22.168” which is an IP address for that particular website. Your computer understands the IP address and then makes the connection. Now, imagine if the cybercriminal has control over the DNS server that your computer is talking to. That would allow him to control where your computer actually connects. So for example, if you were to type in the URL to a bank or credit union, a malicious DNS server could give you an IP address that points to a criminal’s web server designed to look like the real bank or credit union. So as far as you know, you have typed the correct URL and ended up at a website that looks like what you expected. Only now when you type in your login, password or other confidential information, it’s actually being sent to the malicious website without you having any idea.
Because detecting phony WiFi access points is difficult, the most likely time for you to detect a potential issue is when you browse to a secured site (any site that starts with https://). Be sure to always look to make sure that the website starts with HTTPS://. Most people will simply type in www.whatever.com and assume it will add the HTTPS:// at the beginning. Always look to make sure it is there. If it is not, do not proceed. If you attempt to connect to a secured website and receive a message saying there is an issue or error with the security certificate, you should stop immediately. There is never a situation where a broken security certificate is normal and under no circumstance should you ever proceed. If you receive a warning, error message, or other notification that there is a problem, stop, pick up the phone, and contact your supervisor. If you are not at the office, but are at a public location, again stop. Remember that it does not matter where you are; a WiFi attack can happen at home, at work or at any public location.