Australian Man Uses “Evil Twin” Wi-Fi on Flights To Hack Email Accounts

An Australian hacker making use of a Wi-Fi “pineapple” has been arrested for hacking into the email accounts of other passengers while taking a domestic flight, something he had apparently been getting away with elsewhere for some time.

The device was configured to probe for incoming Wi-Fi connection requests and create a clone network for victims to connect to. This fake lookalike network, in this case resembling the legitimate airplane Wi-Fi, would ask victims to use an email account or social media account to log on and then capture credentials. A follow-up investigation found the man in possession of thousands of intimate images and videos stolen from others in apparent prior attacks.

Palmyra man sentenced to seven years for Wi-Fi interception

The man was arrested upon arrival at the Perth airport after airline employees reported seeing a suspicious Wi-Fi network during his flight. A search of his hand luggage turned up the pineapple, which was seized along with a laptop and mobile phone used in the scheme.

This provided the grounds for a search warrant executed on the man’s home in Palmyra, which turned up records of prior fake Wi-Fi login pages he had run at the airports in Perth, Melbourne and Adelaide as well as on domestic flights between them. The man was in possession of numerous login credentials as well as thousands of intimate images and videos apparently stolen from victims.

The man attempted to cover his tracks the day after the search warrant was issued by deleting over 1700 items from data storage, and also gained unauthorized access to his employer’s laptop to spy on conversations with the Australian Federal Police about the incident. He eventually pled guilty to about a dozen charges netting him a total sentence of seven years and four months, with eligibility for parole after five years.

Wi-Fi pineapples remain an “evil twin” threat

As this incident demonstrates, these “evil twin” interception threats continue to take in the general public despite heightened awareness of the risks of public Wi-Fi. In this case people were asked to input their actual email account or social media password to access the Wi-Fi, something that should raise an immediate red flag.

From the description, this particular “evil twin” attack actually appears to be among the less sophisticated that are encountered in the wild. It was essentially attempting to phish victims for login credentials upon connection; more subtle implementations of this attack will let a victim through freely and attempt to intercept traffic in the background instead.

The AFP advises use of a VPN with public Wi-Fi, and to have devices “forget” the network after disconnecting. Additionally, devices should not be set to automatically connect to public Wi-Fi networks as this is an element that these particular schemes prey upon. Modern devices and operating systems will also generally mark an “evil twin” connection as being unsecured, which can be a means of correctly choosing between two available options that have the same or similar names.