Man charged over creation of ‘evil twin’ free WiFi networks to access personal data
Editor’s note: Footage of the man’s arrest and on camera grabs by AFP Det-Insp Coleman available via Hightail
The AFP has charged a West Australian man who allegedly established fake free WiFi access points, which mimicked legitimate networks, to capture personal data from unsuspecting victims who mistakenly connected to them.
The man, 42, is expected to appear in Perth Magistrates Court today (28 June, 2024) to face nine charges for alleged cybercrime offences.
Analysis by the AFP’s Western Command Cybercrime Operations Team of data and devices seized from the man has allegedly identified dozens of personal credentials belonging to other people as well as fraudulent WiFi pages.
Police charged the man last month (May, 2024) after launching an investigation in April, 2024, when an airline reported concerns about a suspicious WiFi network identified by its employees during a domestic flight.
AFP investigators searched the man’s baggage when he returned to Perth Airport on a flight from interstate on 19 April, 2024 and seized a portable wireless access device, a laptop and a mobile phone from his hand luggage. They also searched his Palmyra home.
After an initial examination of the seized devices, the AFP executed another search warrant at the man’s home on 8 May, 2024, which resulted in his arrest and charges.
Police will allege the man used a portable wireless access device to create ‘evil twin’ free WiFi networks, which he used at multiple locations to lure unsuspecting users into believing they were legitimate services.
The AFP alleges that when people tried to connect their devices to the free WiFi networks, they were taken to a fake webpage requiring them to sign in using their email or social media logins. Those details were then allegedly saved to the man’s devices.
The email and password details harvested could be used to access more personal information, including a victim’s online communications, stored images and videos or bank details.
AFP cybercrime investigators have allegedly identified data relating to the use of the fraudulent WiFi pages at airports in Perth, Melbourne and Adelaide, on domestic flights and at locations linked to the man’s previous employment.
The analysis is ongoing to determine the extent of the alleged offending.
AFP Western Command Cybercrime Detective Inspector Andrea Coleman said the case was a timely warning to be cautious about logging on to any public WiFi networks.
“To connect to a free WiFi network, you shouldn’t have to enter any personal details– such as logging in through an email or social media account,” she said.
“If you do want to use public WiFi hotspots, install a reputable virtual private network (VPN) on your devices to encrypt and secure your data when using the internet.
“When using a public network, disable file sharing, don’t do anything sensitive - such as banking -while connected to it and once you finish using it, change your device settings to ‘forget network’.
“We also recommend turning off the WiFi on your phone or other electronic devices before going out in public, to prevent your device from automatically connecting to a hotspot.”
Det-Insp. Coleman encouraged people to increase their online security by replacing passwords with passphrases, never using the same passphrase for multiple accounts, using an online password manager and installing all software updates.
Anyone who connected to free WiFi networks in airport precincts and on domestic flights is recommended to change their passwords and report any suspicious activity on their accounts to Report Cyber.
The man has been charged with:
- Three counts of unauthorised impairment of electronic communication, contrary to section 477.3 of the Criminal Code Act 1995 (Cth). The maximum penalty for this offence is 10 years’ imprisonment;
- Three counts of possession or control of data with the intent to commit a serious offence, contrary to section 478.3 of the Criminal Code Act 1995 (Cth). The maximum penalty for this offence is three years’ imprisonment;
- One count of unauthorised access or modification of restricted data, contrary to section 478.1 of the Criminal Code Act 1995 (Cth). The maximum penalty for this offence is two years’ imprisonment.
- One count of dishonestly obtain or deal in personal financial information (being usernames and passwords) contrary to section 480.4 of the Criminal Code Act 1995 (Cth); The maximum penalty for this offence is five years’ imprisonment; and
- One count of possession of identification information with the intention of committing, or facilitating the commission of, conduct that constitutes the dealing offence, contrary to section 372.2 of the Criminal Code Act 1995 (Cth). The maximum penalty for this offence is three years’ imprisonment.r.
Anyone who believes they are a victim of cybercrime, should report it to police using Report Cyber.
If there is an immediate threat to life or risk of harm, call 000.
If you are concerned that your identity has been compromised, contact the national identity and cyber support service IDCARE.
Further advice about connecting to public WiFi and hotspots is available on the Australian Cyber Security Centre website.