A funny thing happened to me on the way to the office this morning. I was sitting in a carriage on a District line train, trying to check Twitter, and when I tried to connect to one of Virgin Media’s public Wi-Fi hotspots I was instead bounced over to something called “PDM Wi-Fi”. Then a login screen appeared:
Now, Facebook doesn’t offer “free wifi [sic] with more than 50 Facebook Hospots in London ! [sic]”. I could also pick the hotspot up when the train was sitting in tunnel between stations, and none of London’s underground trains carry Wi-Fi hotspots. In short, it was a fake hotspot, masquerading as a legitimate one.
I didn’t put my Facebook username and password into it to see what would happen, as chances are it was a phishing scam from someone – possibly sitting near me in the same carriage at the time, such was the strength of the signal – looking to get my login details.
Whoever was behind it was broadcasting a bunch of other networks with dodgy names too (I didn’t screengrab, but they included things like “freeBTwifi”). Phishing attacks using public hotspots are no new thing – appearing in public spaces, airport terminals, stations, and so on for years – but this is the first time I’ve seen or heard of one on a moving train.
Why do it? Well, aside from the passwords, when you access the internet through a public hotspot, you’re giving whoever has access to that hotspot the ability to view what you’re doing, as long as you don’t encrypt your data. This is why tech people get annoyed at Yahoo for taking so long to turn on HTTPS encryption as default for its email service, several years after Google did the same. It’s an unnecessary vulnerability that could be exploited.
To keep yourself safe when using public internet hotspots, the first sign that something won’t be right is the type of connection. Ad-hoc networks are where two or more computers connect to each other (you can create one with any smartphone quite easily, if you need to share its web connection with a laptop, for example), and normally show up as different in any list of wireless networks you can connect to. My phisher had disguised his hotspot as a legitimate router, but someone else may not take that step.
There’s also the same sense of scepticism used for spam emails that can be used here. Look at that sign-in page above – something immediately feels wrong, doesn’t it? Quite aside from the grammatical mistakes and the off-centre words on the buttons, it should immediately be suspicious that a hotspot is asking for confidential information from a completely separate service, just as it would be suspicious for a bank to call you and ask for confidential information to prove your identity unprompted.
If you’ve paid attention to the news, as well, a lightbulb should go off as a) Virgin Media’s deal to provide Wi-Fi in Tube stations got a lot of press and cost a lot of money, whereas b) there’s been nothing about a similar deal struck by Facebook.
I’ve contacted TfL to see if they’ve noticed anyone trying to pull this trick before, and will update this piece when they respond.