Win a holiday

Enter our Snapshots of Summer photography competition

Navigation - link to other main sections from here

Skip Navigation

From Times Online
May 4, 2007

Hackers target wi-fi hotspots in new phishing attack

Starbucks has been targeted by hackers using 'evil twin' wi-fi networks

Starbucks is among the targets of the phishing scam

Jonathan Richards

Computer users have been warned of the dangers of using wi-fi hotspots after it emerged that cyber-criminals are targeting the networks in café chains including Starbucks.

Times Online has uncovered evidence that criminals are using a technique known as an 'evil twin attack', where victims think that they are logging on to the genuine network in a café but are in fact being diverted to a 'rogue' connection.

Once logged on to the twin network, the victim's every keystroke is captured by the fraudster, who controls the connection from a nearby laptop and uses it to extract information for the purpose of committing identity fraud.

In a chatroom used to discuss the technique, also known as a 'man in the middle' attack, Times Online saw information changing hands about how security at wi-fi hotspots – of which there are now more than 10,000 in the UK – can be bypassed.

Related Links

During one exchange in a forum entitled 'T-Mobile or Starbucks hotspot', a user named aarona567 asks: "will a man in the middle type attack prove effective? Any input/suggestions greatly appreciated?"

"It's easy," a poster called 'itseme' replies, before giving details about how the fake network should be set up. "Works very well," he continues. "The only problem is,that its very slow ~3-4 Kb/s...."

Another participant, called 'baalpeteor', says: "I am now able to tunnel my way around public hotspot logins...It works GREAT. The dns method now seems to work pass starbucks login."

From the language used, the criminals appear to be US-based, though at one point one says: "i doubt that the architecture of the tmobile hotspot networks in europe varies from the technologies deployed here in the US."

T-Mobile, which runs a network of 2,000 hotspots, including those in Starbucks cafés, said it was aware of the technique, but was yet to have any incident reported in the UK. It advised customers to update their virus protection software and "ensure they were connected to a valid, certified website."

Security experts said, however, that safeguards such as digital certificates could not always guarantee protection, and that users would continue to be fooled by imitation sites, which were increasingly sophisticated.

"This is the most pressing current security threat that remains to be addressed," Paul Cronin, technical director at Pentura, which test wireless security, said. "People are spending all this money on firewalls and yet their machines with wireless cards immediately go searching for the nearest network."

"It's shocking how easy it is to set up a 'soft access point' and get devices to connect to it," he added

A police source said that evil twin attacks were 'not uncommon', but that they mostly went undiscovered. The problem was being "talked about", according to a spokeswoman for the Metropolitan Police, but she said there had been no reports of any crimes yet.

In a speech about wireless security last week, Phil Cracknell, a technology officer at Deloitte's, said: "This type of attack where the operator sits around and harvests details while you are connected to the hotspot is destined to become the new type of phishing.

"All you need to clone the Starbucks hotspot is a laptop, and the software can be configured within two hours," Mr Cracknell told an audience at InfoSec, in London.

Paul Vlissidis, technical director at NCC, another security firm, said: "It's a more costly scam to run, but we'll certainly see it happen as the number of wireless networks continues to grow."

There are now more than 10,000 hotspots across the UK, and blanket wi-fi coverage is now offered in large portions of Manchester, Edinburgh and, as of last week, the City of London.

Its interesting how the author who may not have a technical understanding will write such an article. The title of the article is about hackers targeting wi-fi hotspots using phishing attacks yet he quotes from a chat room:

"I am now able to tunnel my way around public hotspot logins...It works GREAT. The dns method now seems to work pass starbucks login."

The conversation the people in this particular chat room are not discussing phishing nor attempting to hack those using a starbucks network. Mr. Richards, please exercise due diligence and due care when attempting to write an article about such topics. It is a shame that you attempt to indulge your audience by padding it with technical excerpts that have no bearing on the title of your article. If you dont know, ask.

Me, honolulu, Hawaii

It is about time that unauthorised hacking like this is dealt with more aggressively by the local Police as it is fraud and an infringment of the Data Protection Act. We need more aggressive International law and co-operation plus the hackers named and shamed.

Website Search Engines also need to have buillt in protection and to be made more accountable.
Sadly the net is now used too much as a Marketing tool and we are also seeing too much Junk coming though our emails.

Paul Joslyn, maidstone, kent

I suppose this means one needs to take care accessing bank accounts or using credit cards through wireless networks. In particular one should not run any programs purporting to be necessary for connecting to the network.
It may, however, be quite hard for a hacker to use information being sent from a PC in encrypted format. My guess is that they are just getting hold of passwords and user names.

Jonathan Lowenstein, Tel-Aviv, Israel

The author of this article is a bit confused. The quote about tunnelling past the login is a different hack. It would be used to get free wifi without paying for a cup of coffee (or whatever the public hotspots eg. OpenZone; charge).

Keylogging won't be the method of attack here either as the "hacker" isn't putting anything on your laptop, they are merely intercepting every packet that you send. As such if you are connected to a website via SSL (ie. using HTTPS) then your communication is encrypted.

A more likely exploit would be the hacker creating a fake banking page running on a webserver on his laptop and phishing your details off that way.

This would be effective but it really does make phishing live up to it's name. The user would have to request the pages that the hacker has created. Sure they could mock up several of the major banking sites and hotmail, gmail etc.

Damian, London, UK

It's as much as a myth as is your front door keeping your house secure.

Simon, Stockport, UK

T-Mobile's advice will do very very little.

The exploit doesn't apparently involve the use of conventional malware. All the crackers are doing is setting up WiFi networks with similar or misleading SSID's which users are connecting to.

The rest is probably done with a packet sniffer. Nothing the end user can do about it except ensure they're connected to the genuine in-store WiFi network.


They could use a keylogger if they really need to but the main body of the hack can't be protected against by a layman. Virus Protection software and Firewalls will only prevent the execution of malware on your computer or access to it via unprotected ports.

It's a bit like using a fake bus to pick people up at a bus stop and kidnapping them.


John Swaine, Colchester, UK

As one who has been in IT since 1961, it just shows what I have always thought.
IT Security is a myth. always has been!

mikeo, Harlech, Gwynedd, Wales

Have your say

* Required

Print
Email
Bookmark and Share

Also in The Web

Also in Tech & Web

Tech Central

Latest posts on the blog

TECH CENTRAL

The best games and gadgets from E3 2009

Tech Central

Apple iPhone, 2009 model

Our verdict on the new iPhone 3G S

video: lunar gadgets

Edwin ’Buzz’ Aldrin photographed by Neil Armstrong

Gadgets on the moon

Can you guess what these objects were used for?

Portable consoles

Blaze Sega Mega Drive

Games on the move

The best handheld consoles rated and reviewed

Twitter

Twitter logo

Follow Tech & Web

Gadgets and Games

Cloudy With a Chance of Meatballs, the game

Game trailer: Cloudy With a Chance of Meatballs

Best of Google Streetview

Banksy’s artwork captured on the side of a building situated in London’s West End on Google Streetview

Weird and wonderful images from Google Street View

Slide Show

WEB HEADLINES

ATD logo

Articles from our sister site:

Most Read

Skip Most Read

Today

MOST COMMENTED

Skip Editor's Pick

Today

MOST CURIOUS

Skip Most Curious

Today

Focus Zone

Angel of the north

Northern Lights:

Win a luxury weekend to Newcastle and its neighbour Gateshead, find out more here

BT

Business Solutions:

Risk, resilience and embracing new technology

accenture

Need to Know:

Industry sectors news at a glance. Interactive heatmap, video and podcast

Cisco

Business Wisdom:

Discover the collective power of smart thinking. Submit a solution and be in with a chance to win a Flip MinoHD Camcorder

Social Entrepreneur

Social Entrepreneurs:

The inside track on current trends in the charity, not for profit and social enterprise sectors

ba business travel clouds

Business Travel:

Everything the Business Traveller needs to know to make a better trip

rowing boats

Great British Summer :

Make the most of the summer and enter our fabulous photographic competition, you could win a £5000 holiday

Corsica

Corsica Travel:

Corsica is an island of beauty and contrast, an ideal holiday destination

More Reports

More reports:

Enjoy further reading from Travel to Fashion, Business to Sport, discover more

previous next
Man with Confidential Papers

Ad Feature

Business Security

Get adequate protection

Times Mobile

Times Mobile

Get Times news, business and sport on your mobile. Text Times to 66644

Laptop computer showig a picture of a telephone on screen

Simplify Digital

Save a bundle

Deals on digital TV, broadband & phone

accenture

Need to Know

Industry Sectors news at a glance

The Times Enounters

Encounters Dating

We'd love to find you someone special

Sudoku

Online Sudoku with daily prizes

small business

Ad feature

Business Survey

Share your views

Popular Searches on Times Online

books | chess | crossword | fashion | football | formula 1 | Michael Jackson | need to know | obituaries | recipes | redundancy calculator | rich list | savings | science | sudoku | swine flu | twitter | university guide | wine | travel deals

Shortcuts to help you find sections and articles

Classifieds 

Cars

Skip Cars of the Week

Car leasing

The clever way to lease a new car is with Car leasing made simple™


Jobs

Skip Jobs of the Week
Operational Officers

Not Specified
MI6
UK-based

Finance & Corporate Services Manager

£60,000
The Environment Agency
Bristol

Programme Manager

Up to £90K
Boots
Midlands

Sales Professionals

OTE £85k
Credit Protection Association
Nationwide Opportunities

Properties

Rushmore Condo's

Luxury Condo's in Manhattan with NYC views

Diadem Homes

The best new homes in Wimbledon?

Holidays

Skip Travel of the Week

Seychelles Beach Beauty

Save up to £1,000 per couple with Elite Vacations at the five-star Constance Lemuria Resort


Leave the queues behind at the airport

and do the British Isles this Summer.
Save up to 60% with Oxford Hotels and Inns

Bored of life?

Try our inspiring luxury holidays to the Indian Subcontinent and South East Asia.
Great offers available

Canada for Less.. fly from £129 one way inc taxes

8 fabulous Canadian cities ...you won’t find cheaper


Place your advert now