A Latte, “Free Wi-Fi,” and a Hijacked Social Media Account

Case Summary
- Setting: A neighborhood café, where a public Wi-Fi network labeled “Café_Free_WiFi” was available.
- Affected User: A professional checking messages before a meeting.
- Incident: A convincing “login to continue” page served over the public Wi-Fi captured the user’s social media credentials. The attacker then logged into the account from their own device, began posting scams, and sent a threatening direct message to one of the user’s coworkers.
- Result: The coworker reported the threatening messages to their supervisor with screenshots, prompting involvement from Human Resources and law enforcement.
Cause Analysis
- Look-alike Wi-Fi: The attacker ran a hotspot with an innocuous name that closely resembled the café’s, and the user joined it by mistake instead of the café’s own network.
- Portal Phishing: The attacker’s splash page mimicked a social media platform’s login form, so the user’s username and password were delivered to the attacker as they were typed.
- Lack of Two-Factor Authentication: Nothing beyond the password protected the account, so the stolen credentials alone let the attacker log in immediately from a separate device. A second factor would have forced the attacker to capture that as well, and a phishing-resistant factor (a security key or passkey, which only works for the genuine site) would have defeated the fake portal outright.
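The look-alike SSID trick above is detectable from ordinary scan output, because a fake name usually differs from the real one only by an accent, a confusable character, or its security setting. The following Python is an added example, not code from the case study or from DJS Associates: it assumes the scan results were produced by a scanner such as `nmcli dev wifi list` and parsed into (SSID, BSSID, security) tuples, and every SSID, BSSID and security value in it is constructed for illustration.

```python
"""Look-alike SSID check over a Wi-Fi scan.

Added example, not part of the original case study. The scan below is
constructed; the SSIDs, BSSIDs and security settings are invented.
"""
import re
import unicodedata

# Visually confusable substitutions a look-alike name may use. This is a
# small heuristic list, not a complete Unicode confusables table.
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "l": "i", "|": "i", "5": "s", "3": "e"})


def normalize_ssid(ssid: str) -> str:
    """Reduce an SSID to a form in which look-alikes compare equal:
    strip accents, lowercase, fold confusable characters, drop punctuation."""
    ascii_form = unicodedata.normalize("NFKD", ssid).encode("ascii", "ignore").decode()
    folded = ascii_form.lower().translate(CONFUSABLES)
    return re.sub(r"[^a-z0-9]", "", folded)


def locally_administered(bssid: str) -> bool:
    """Bit 1 of the first octet set: the MAC was assigned in software, as
    phone and laptop hotspots commonly do. A hint, not proof."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def find_lookalikes(scan, verified_ssid):
    """Return [(ssid, bssid, reasons)] for networks that resemble the
    staff-verified SSID but should not be joined without a closer look."""
    target = normalize_ssid(verified_ssid)
    candidates = [(s, b, sec) for s, b, sec in scan if normalize_ssid(s) == target]
    secured_exists = any(sec != "OPEN" for _, _, sec in candidates)
    flagged = []
    for ssid, bssid, sec in candidates:
        reasons = []
        if ssid != verified_ssid:
            reasons.append("name differs from the verified SSID only by accents, "
                           "case, punctuation or confusable characters")
        if sec == "OPEN" and secured_exists:
            reasons.append("open network sharing a name with a secured one (possible evil twin)")
        if locally_administered(bssid):
            reasons.append("locally administered BSSID (typical of a software hotspot)")
        if reasons:
            flagged.append((ssid, bssid, reasons))
    return flagged


# Constructed scan: two genuine café access points, two look-alikes run
# from a hotspot, and an unrelated open network that must not be flagged.
SCAN = [
    ("Café_Free_WiFi", "a4:2b:8c:10:22:01", "WPA2"),
    ("Café_Free_WiFi", "a4:2b:8c:10:22:02", "WPA2"),
    ("Cafe_Free_WiFi", "02:0a:95:11:22:33", "OPEN"),
    ("Cafe-Free-W1F1", "02:0a:95:11:22:34", "OPEN"),
    ("xfinitywifi", "58:19:f8:aa:bb:cc", "OPEN"),
]

if __name__ == "__main__":
    for ssid, bssid, reasons in find_lookalikes(SCAN, "Café_Free_WiFi"):
        print(f"{ssid} ({bssid}):")
        for reason in reasons:
            print(f"  - {reason}")
```

The limit of this check is worth knowing: if the café’s genuine network is itself open, an evil twin using the exact same name is indistinguishable from scan metadata alone, and only the locally administered BSSID hint remains. That is why the recommendation further down is to confirm the exact SSID with staff rather than trust the strongest signal.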
Expert Analysis
- Social Media Platform Session Logs: The account’s recent logins and session history were exported, including the IP address, device type, and operating system of each session. The export documented a successful login at 8:14 AM from a device that did not belong to the user, while the user was still at the café.
- IP & Device Corroboration: The suspicious login originated from an IP block consistent with a portable hotspot operating near the café. The logs showed that a Windows laptop was used to sign in, whereas the user normally accessed the platform through its iPhone app.
- Event Correlation: The attacker’s login at 8:14 AM preceded the first unauthorized post at 8:19 AM and the threatening messages sent at 8:26 AM. This sequence is consistent with credential capture followed by immediate misuse.
- Session Review: Logs showed concurrent sessions from different device types and locations, inconsistent with a single user.
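The four analysis steps above (baseline the owner’s usual device, pick out logins that break that baseline, check whether sessions overlap, and lay the attacker’s actions on a timeline) reduce to a small amount of log triage once the platform export is in hand. The following Python is an added example, not code from DJS Associates or from any platform’s export tool: the CSV layout, field names, IP addresses (RFC 5737 documentation ranges) and user agents are assumptions, and the rows are constructed to mirror the case timeline.

```python
"""Session-log triage for an account takeover.

Added example, not the analyst's own tooling. SESSION_LOG is a
constructed export whose layout and values are assumptions.
"""
import csv
import io
from datetime import datetime

# Constructed export: one row per security-relevant event.
SESSION_LOG = """timestamp,event,ip,device,os,user_agent
2024-10-03T07:52:00,login,203.0.113.17,iPhone,iOS,SocialApp/12.3 (iPhone; iOS 17.6)
2024-10-03T08:14:00,login,198.51.100.42,Windows laptop,Windows 10,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-03T08:19:00,post,198.51.100.42,Windows laptop,Windows 10,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-03T08:26:00,dm,198.51.100.42,Windows laptop,Windows 10,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-10-03T08:31:00,post,203.0.113.17,iPhone,iOS,SocialApp/12.3 (iPhone; iOS 17.6)
"""

# The owner's established pattern (assumed): the iPhone app only.
KNOWN_DEVICES = {("iPhone", "iOS")}


def parse_log(text: str) -> list[dict]:
    """Read the CSV export and turn timestamps into datetime objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def session_key(row: dict) -> tuple[str, str]:
    """A session is approximated by (source IP, device type)."""
    return (row["ip"], row["device"])


def foreign_logins(rows: list[dict]) -> list[dict]:
    """Logins from a device/OS pair the owner has never used."""
    return [r for r in rows
            if r["event"] == "login" and (r["device"], r["os"]) not in KNOWN_DEVICES]


def session_windows(rows: list[dict]) -> dict:
    """First and last observed activity per session."""
    windows = {}
    for r in rows:
        key = session_key(r)
        first, last = windows.get(key, (r["timestamp"], r["timestamp"]))
        windows[key] = (min(first, r["timestamp"]), max(last, r["timestamp"]))
    return windows


def overlaps_other_session(rows: list[dict], foreign_key) -> bool:
    """True when another session was active during the foreign session:
    two devices driving one account at the same time."""
    windows = session_windows(rows)
    f_first, f_last = windows[foreign_key]
    return any(first < f_last and last > f_first
               for key, (first, last) in windows.items() if key != foreign_key)


def misuse_timeline(rows: list[dict], key) -> list[tuple[str, int]]:
    """Each action in the session with minutes elapsed since its login."""
    session = sorted((r for r in rows if session_key(r) == key), key=lambda r: r["timestamp"])
    login_at = session[0]["timestamp"]
    return [(r["event"], int((r["timestamp"] - login_at).total_seconds() // 60)) for r in session]


def triage(text: str = SESSION_LOG) -> list[dict]:
    """One report entry per login that breaks the owner's device baseline."""
    rows = parse_log(text)
    report = []
    for login in foreign_logins(rows):
        key = session_key(login)
        report.append({
            "login_at": login["timestamp"].strftime("%H:%M"),
            "ip": login["ip"],
            "device": f'{login["device"]} / {login["os"]}',
            "overlaps_other_session": overlaps_other_session(rows, key),
            "actions": misuse_timeline(rows, key),
        })
    return report


if __name__ == "__main__":
    for entry in triage():
        print(entry)
```

The session key is deliberately coarse: platform exports rarely expose a real session identifier, so IP plus device type is the usual stand-in, and a single session that roams between networks will appear as two. For the case described here that coarseness does not matter, because the Windows laptop never appears in the owner’s history at all.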
Outcome
A Digital Forensic Analyst at DJS Associates, Inc. demonstrated that the threatening messages and scam posts were generated from a device and IP address that did not belong to the user. In collaboration with counsel and appropriate channels, the device, IP address, user-agent artifacts, and security camera footage were used to identify a person of interest who was present in the café environment during the incident window.
Stay Safe this Cyber Security Awareness Month
October is Cyber Security Awareness Month—a good time to reinforce safe online habits and put protective measures into practice. Following these recommendations will help strengthen your digital defenses:
- Use cellular data or your own hotspot over public Wi-Fi.
- Ask staff to verify the exact name of complimentary Wi-Fi networks and beware of look-alike SSIDs.
- Treat pop-up login pages with suspicion: a Wi-Fi captive portal never has a legitimate need for your social media or email password. If a site asks you to sign in, type its address into the browser yourself and check the address bar before entering anything.
- Turn on multi-factor authentication (MFA) everywhere: authenticator app, security key, or passkeys. Prefer a security key or passkey where the service offers one, because it only works for the genuine site and cannot be captured by a look-alike page.
- Use a password manager and keep every password unique.
- Disable “auto-join” for open/public networks.
- Consider using a reputable VPN when joining untrusted Wi-Fi. It hides your traffic from anyone snooping on the network, but it cannot stop you from typing a password into a fake page, and many captive portals block the VPN until you have clicked through them.
- Keep devices and apps updated.
- Review “Logged-in devices” and “Connected apps” regularly.
- Set up account recovery measures (e.g., backup codes, a verified email address or phone number) before you find yourself in need of them.
Timothy R. Primrose, CASA, CFVT
Digital Forensic Analyst