Sitting in an airport you rarely frequent, you grab your laptop and snap out a couple of e-mails to send, and look, there’s a free WiFi hotspot. Bang, you connect and send, and are off on your way. What you don’t know is the free WiFi may come with a price: your login credentials and network traffic being sniffed and captured before being sent along to the real WiFi hotspot, and your information stolen en route, undetected.
The unsuspecting business traveler or coffee shop hound will use WiFi wherever they find themselves. Usually the establishments they frequent will have a WiFi hotspot for customers. Airports often have free WiFi for travelers, supported by the business community, who may put up a splash page with ads when a user logs in to offset the cost of providing the service. Usually these types of services are clearly posted in some conspicuous location, with clear instructions for use. Many times (though not always), “official” hotspots will be secured using some kind of authentication, so you may have to enter a passphrase to log in, which is a “good thing”, meaning the communication is more secure.
What should raise a flag is a hotspot with a name you don’t recognize, or one whose SSID (name) is very similar to the official one, maybe one character off. Be especially wary of “unsecured” hotspots, ones where you don’t need to enter a password to gain access. Most of the time, scammers will create an unsecured WiFi hotspot for their shenanigans using common laptop hardware and a couple of crafty applications, and it normally won’t require a passphrase, making it “easier” to use for unsuspecting travelers.
The magic happens through a proxy technology, which intercepts your WiFi communication, captures and stores a copy locally on the scammer’s laptop, then sends your information on to a “real” WiFi hotspot. This will slow down your traffic a little, but with congested networks, it’s hard to tell if your traffic’s being snooped, or just many users logging on at the same time to a “real” hotspot.
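The warning signs above (an SSID one character off the official one, and hotspots that ask for no passphrase) can be checked mechanically. The script below is an added example, not part of the original post: given a list of trusted hotspot names and a scan result, it flags open networks, lookalike names within one edit of a trusted SSID, and exact-name matches that unexpectedly lack a passphrase. The `Network` class, the trusted list and the scan data are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Network:
    ssid: str
    secured: bool  # True when the hotspot asks for a passphrase

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_suspicious(scan, trusted, max_distance=1):
    """Return (ssid, reason) pairs for hotspots that deserve a second look."""
    findings = []
    for net in scan:
        if net.ssid in trusted:
            # Exact official name, but no passphrase: could be an open clone.
            if not net.secured:
                findings.append((net.ssid, "trusted name but open (possible clone)"))
            continue
        # Names within one edit (or only a case change) of an official SSID are lookalikes.
        lookalike = next((t for t in trusted
                          if edit_distance(net.ssid.lower(), t.lower()) <= max_distance), None)
        if lookalike is not None:
            findings.append((net.ssid, f"lookalike of '{lookalike}'"))
        elif not net.secured:
            findings.append((net.ssid, "unknown open hotspot"))
    return findings

# Constructed sample scan (not real scan data); the official hotspot is assumed to be secured.
TRUSTED_SSIDS = ["CoffeeShop_Guest"]
SAMPLE_SCAN = [
    Network("CoffeeShop_Guest", True),    # the real one
    Network("CoffeeShop_Guest", False),   # same name, no passphrase
    Network("CoffeeShop_Guests", False),  # one extra character
    Network("C0ffeeShop_Guest", True),    # zero instead of the letter o
    Network("Free Public WiFi", False),   # open, name not on the trusted list
    Network("HomeRouter-5G", True),       # unrelated secured network
]

if __name__ == "__main__":
    for ssid, reason in flag_suspicious(SAMPLE_SCAN, TRUSTED_SSIDS):
        print(f"{ssid!r}: {reason}")
```

A real check would feed in the output of the operating system's WiFi scan instead of `SAMPLE_SCAN`; the logic stays the same.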
If you want to log in to check bank balances, buy something for your wife or catch up on e-mail, your computer sends the login information across the network; this is the goldmine scammers look for. Normally, if you log in to a bank website, you’ll see the bank address beginning with “https” rather than “http”; this means the traffic is encrypted, which is far better than unencrypted http traffic. But if scammers capture the encrypted credentials, they can still run a program later that will try many combinations in an attempt to decrypt your encrypted credentials. If they have the information, they have all the time in the world to work on decrypting it, so you may notice fraudulent account activity days or weeks later, long after you’ve left the coffee shop or airport. If the login information you send is unencrypted to begin with, like typing a username/password on a normal “http” site, it makes the task all that much easier. Remember, scammers are lazy, and will try for the lowest hanging fruit first. It’s the old analogy that thieves want to steal A car, not necessarily YOUR car, so they’ll steal the easiest one they can get that looks like it’ll generate the most profit for them.
Sometimes you have to do banking and other more sensitive transactions on the road. If you can manage to wait until you can get to a network you know and trust (like home/work), you can have a little more peace of mind. If, however, you’re a road warrior or just need your morning latte, spend an extra couple of seconds verifying that you’re logging in to the network you are expecting, not a fake.
ESET Research Systems Manager