The Australian Federal Police (AFP) has charged a West Australian man for allegedly creating fake free Wi-Fi access points on multiple domestic flights to steal user data and social media credentials from unsuspecting users through a captive portal web page.
The unnamed 42-year-old is facing nine cybercrime charges related to an “Evil Twin” Wi-Fi attack scam and was to appear in Perth Magistrates Court on June 28, 2024.
The police in Australia initiated the investigation following a report from an airline employee who identified a suspicious Wi-Fi network during a domestic flight in April 2024.
This led to the suspect’s baggage search when he returned to Perth Airport on a domestic flight on 19 April 2024, which resulted in the seizure of a portable wireless access device, a laptop, and a mobile phone from his luggage.
After an initial analysis of the seized devices, the AFP executed another search warrant at his Palmyra residence on May 8, 2024, which resulted in his arrest and charges.
For those unaware, an “evil twin” attack is a cyberattack that works by tricking users into connecting to a fake Wi-Fi access point that uses the identical SSID (Wi-Fi network name) and mimics a legitimate or expected network in a specific area.
The individual is said to have set up “Evil Twin” Wi-Fi networks across various locations, including domestic flights and airports in Perth, Melbourne, and Adelaide, and other places related to the man’s “previous employment” to lure unsuspecting users into believing they were legitimate services.
“The AFP alleges that when people tried to connect their devices to the free WiFi networks, they were taken to a fake webpage requiring them to sign in using their email or social media logins. Those details were then allegedly saved to the man’s devices,” the AFP said in a press release last week.
“The email and password details harvested could be used to access more personal information, including a victim’s online communications, stored images and videos or bank details.”
The AFP is yet to determine the full extent of the alleged offending, as well as the man’s post-exploitation activity.
The accused has been charged with three counts of unauthorized impairment of electronic communication, three counts of possession or control of data with the intent to commit a serious offense, one count of unauthorized access or modification of restricted data, one count of dishonestly obtain or deal in personal financial information, and one count of possession of identification information with the intention of committing, or facilitating the commission of, conduct that constitutes the dealing offense.
If the man is convicted on all the above charges, he could face up to a maximum penalty of 23 years in prison.
“To connect to a free Wi-Fi network, you shouldn’t have to enter any personal details — such as logging in through an email or social media account. If you do want to use public Wi-Fi hotspots, install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet,” said Andrea Coleman, AFP Western Command Cybercrime Detective Inspector.
“When using a public network, disable file sharing, don’t do anything sensitive – such as banking -while connected to it and once you finish using it, change your device settings to ‘forget network’. We also recommend turning off the WiFi on your phone or other electronic devices before going out in public, to prevent your device from automatically connecting to a hotspot.”
