New Version of ”Evil Twin” Attack at Interop 2005

AirDefense, the leader in anywhere, anytime wireless network security and monitoring today announced a mutated, malicious version of the “Evil Twin” attack was discovered last week while monitoring the airwaves of Interop 2005 in Las Vegas.

This newest Wi-Fi phishing attack is a more sophisticated version of an “Evil Twin” attack that propagated over the Internet in January. “Evil Twin”, also known as access point (AP) phishing, is a technique whereby an attacker tricks victims into connecting to a laptop or PDA by posing as a legitimate hotspot. Once the user is connected, the user is coerced into downloading a series of custom written Trojans and viruses.

As an example of this attack, AirDefense identified people spoofing “free_extreme,” the free wireless access sponsored by Extreme Networks. Once unsuspecting attendees made a wireless connection, they received a false page with a mouse-activated web overlay. Any click of the attendees’ mouse would trigger a downloading of viruses, regardless of where the attendees clicked on the Web page.

Richard Rushing, chief security officer for AirDefense, suspects the custom scripts were launched with a distinct purpose in mind. “Attackers are most interested in stealing user IDs and passwords to gain access to corporate networks,” said Rushing.

Similar to email phishing or pharming, AP phishing is the manipulation of a wireless user. By presenting the user with a familiar scenario such as a login page to a hotspot, the user will readily provide his or her user ID and password. The attacker will then have the ability to exploit vulnerabilities or even add Trojans or viruses to the laptop, often without the user’s knowledge.

AirDefense monitored the wireless traffic at Interop 2005 from the AirDefense booth, on the show floor, and at a mobile location inside the convention hall where people congregated at lunch, and before and after the keynotes. AirDefense tracked an overall increase in wireless usage from previous Interops, which coincided with an increase in wireless risks and attacks including:

— 1,318 stations were probing for networks that were not represented at the show

— 320 cases of MAC spoofing likely used for malicious activity

— 172 scanning devices including Netstumbler and probing stations

— 63 Denial of Service attacks

— 44 authentication errors

— 37 brute force attacks

— 25 “Evil Twin” attacks

— 16 AP phishing attempts

“Wireless has become pervasive and people were eager to get online during breaks in the conference,” said Rushing. “However, users continue to neglect securing their devices and do not detect phishing scams or rogues connecting to them. These under the radar attacks are similar to the types of attacks occurring regularly on the enterprise level in government, healthcare, financial services and many other industries.”

AirDefense recommends conference attendees register for hotspot use on a secure wired connection prior to using wireless. AirDefense also recommends attendees read all pop up windows in their entirety. AirDefense has made a free version of AirDefense Personal available to all wireless users for their laptops. AirDefense Personal will monitor for a variety of wireless risks, including Wi-Fi phishing and “Evil Twin” attacks.

People can download AirDefense Personal HERE.

About AirDefense, Inc.

AirDefense is the market leader in wireless network security and monitoring. The company provides the most advanced solutions for rogue wireless detection, policy enforcement and intrusion prevention both inside and outside an organization’s four walls. AirDefense’s enterprise-class products are the most comprehensive, integrated wireless security solution available, scaling to support single offices to organizations with hundreds of locations. Founded in 2001, AirDefense is based in Alpharetta, GA and services hundreds of government agencies and blue chip corporations.

For more information, please visit HERE or call 770.663.8115.

Heidi Litner, 770-663-8115 x 110 or Bill Keeler/Liz Serotte, 781-684-0770