Phishing at the confluence of digital identity and Wi-Fi access

When we think of phishing, most of us imagine a conventional phishing attack that begins with a legitimate-looking email. It might appear to come from an e-commerce site with which you happen to do business. “We’ve lost your credit card number. Please follow the link to re-enter it,” the email says. But the link leads to a malicious site where you enter your credit card number, press submit, and you have just been phished by hoody-clad hackers.

Even more likely in modern phishing attacks, the email may trick you into giving up your digital identity—for example your Gmail account. Many legitimate sites give you the option to log in using social login. What’s to stop a criminal site from asking for your credentials in the same way? The answer: nothing. (Best to be sure that you only use social login on sites that you’re sure you can trust.)

Not every phishing attack starts with a spam email, though. Wi-Fi phishing is analogous to conventional phishing, and the stakes are just as high—or even higher. To understand how this works, let’s begin at the beginning.

Rogue access points and evil twins

A rogue access point is an AP that someone has installed on the network without the approval of IT. It could represent something innocently misguided, like a user trying to extend Wi-Fi range. (Users should contact IT teams for that.) Or a rogue AP could be set up with malicious intent.

An “evil twin” access point is a special variety of rogue access point that attackers can use for nefarious purposes. Every evil twin is a rogue, but not every rogue is an evil twin. The evil twin impersonates a legitimate access point and helps attackers compromise your network. As with many cyber-attacks, user behavior makes this possible.

Attackers can force users off the access point and trick them into associating with the evil twin. This is how a Wi-Fi phishing attack starts. The evil twin can ask them to enter the pre-shared key into a fake login portal. To be clear, the user enters the actual credential into a fake portal. This does not seem unusual to users, because they have probably experienced having to re-enter credentials for network access before. In this scenario, doing so means handing over the Wi-Fi password or user credentials to the attacker, who can then use it to gain access to your network.

Where Wi-Fi phishing meets digital identity

Attackers can easily use the same technique to compromise digital identity within any IT environment. Suppose that the attacker asks your end users to enter their enterprise single sign-on credentials to regain access to the network. As an IT professional, you probably wouldn’t fall for that, but some of your users might. The more users you have, the more likely someone will fall victim.

Once the user has handed over his or her credentials, a world of opportunities opens for the hackers. Organizations typically leverage cloud-based file synch and share services. Customer relationship management (CRM) systems live in the cloud. Enterprise SSO platforms allow users—or hackers that have compromised their credentials—to access both. So, what began with a Wi-Fi hack can easily end in a massive data breach.

This scenario can play out even with a garden-variety rogue that is not an evil twin. The AP doesn’t have to be impersonating a legitimate access point to get a user to compromise his or her digital identity. Have you ever wondered whether Wi-Fi sources in public locations are legitimate?  Attackers can compromise digital identities when they target unsuspecting users. The same thing can happen in an enterprise environment when users connect to a malicious rogue AP, only the identity compromised might imperil your confidential data.

How can you combat Wi-Fi phishing, evil twins and other rogue APs?

Fortunately, you can take steps to protect your users and data from these scenarios. Your first line of defense against rogue access points is the wireless intrusion detection and prevention capability provided as part of your wireless LAN.

You can also take steps to avoid SSID proliferation, which will make it easier to spot rogues in your environment. Many IT environments become cluttered with SSIDs as IT teams use this as a mechanism to provide differential levels of access to different users and groups of users. Best practice: don’t do this. Employ a system for centrally defining and managing policies for network access.

By taking steps to make sure that users can authenticate reliably and seamlessly to a legitimate source of connectivity, you can also make it less likely that they will seek out a malicious access point, should one be within range. Digital certificates as the basis for network authentication can help here. A certificate on the device can also protect against devices connecting to evil twin APs, should a sophisticated attacker try and spoof a legitimate AP. Ruckus Cloudpath Enrollment System is a great way to roll out digital certificates for your users. It also addresses the security shortcomings of default methods of authentication that you may be using now.  

If there is no PSK to divulge, there is also no risk that your users will divulge it. A secure onboarding and authentication approach based upon digital certificates obviates the need for conventional PSKs as a mechanism for network access. You can also use dynamic pre-shared keys, which are unique to each user, for guest access. Guests typically get internet access only, with no access to sensitive internal resources.

Last, but not least, user education is always a key to avoiding any kind of attack on your network, users and data. Take measures to educate stakeholders to be careful about what Wi-Fi sources they connect to and what information they enter when they do.