Reference Number ACG-CSB 051525392

The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

A rogue scanner attack, also known as a fake scanner, fake AV, scareware, or rogueware, is a type of cyberattack that uses social engineering to trick users into installing or purchasing malicious software. The attack typically starts with a browser pop-up, advertisement, or email that displays fabricated security scan results or threat notices, leading users to believe their systems are infected and need protection. By presenting alarming warnings and offering an immediate "fix", attackers manipulate users into installing or buying fake security software, which is often malware itself or a worthless paid product whose real purpose is to collect payment card details and further compromise the system.

A rogue access point (rogue AP) is a wireless access point installed on a network's infrastructure without the consent of the network's owner. Rogue access points are used for various attacks, including denial of service, data theft, and malware deployment. Because a rogue AP bridges the wireless side directly onto the internal network, it creates a serious hole in an enterprise network and leaves it open to attackers outside the building. Attackers can use rogue access points for traffic sniffing and for man-in-the-middle attacks. Organizations can mitigate these threats by periodically scanning for nearby access points, comparing the results against an inventory of authorized access points, and treating any unknown access point as rogue until it is accounted for.

A mobile device can also act as a rogue access point if it is configured to broadcast a wireless network and bridge connected clients onto the organization's network. Smartphones and tablets can be set up as Wi-Fi hotspots or tethering devices, allowing other devices to reach the internet through them. If an unauthorized user enables such a hotspot on their mobile device and connects that device to the network without proper authorization, anyone within range of the hotspot could gain access to sensitive information or otherwise compromise security.

Once clients are connected through the rogue AP, the attacker sits in the path of all their traffic and can capture it with packet sniffing tools. Anything sent without end-to-end encryption, such as login credentials submitted over plain HTTP, Personal Identification Numbers (PIN) entered into unencrypted forms, or confidential documents transferred in the clear, is readable directly. Traffic protected by HTTPS or a VPN is not readable outright, but it still reveals which hosts the client talks to, and an attacker can attempt downgrade or fake-certificate tricks against users who click through browser warnings. The risk of data leakage rises sharply when the legitimate network itself is not properly secured. For instance, an attacker can place a rogue AP in the vicinity of an organization's office and configure it to emulate the legitimate network (same network name, often a stronger signal, a setup commonly called an "evil twin"). Employees who innocently connect to it may inadvertently expose the company's sensitive data.

Rogue devices deployed by an attacker exist for the sole purpose of stealing sensitive information such as credit card numbers and passwords. Not every unauthorized device is planted by an attacker; an employee who plugs a consumer router into an office port for convenience has also created a rogue AP, and it opens the same hole. Either way, the device harms the network and, in the process, can harm the company's reputation. Without a rogue device detection capability, such a device can remain on the network indefinitely, and in rare cases the resulting compromise can cause lasting damage to systems.

Rogue devices can be wireless access points (rogue APs) or end-user computers (rogue peers). If left connected, either type of rogue device poses a security threat. Rogue peers can be further classified as bots or sniffers. A malicious bot can be used to send email spam or to cause denial of service (DoS) on a network, and many bots can be combined into a botnet of "zombie" machines to carry out even more powerful attacks. A sniffer is an eavesdropper that passively sits on the network and stealthily inspects traffic; sniffers are used for reconnaissance and for harvesting valuable data.

Active and passive interception, in the context of a rogue access point, refer to two distinct methods of intercepting network traffic. Active interception involves the rogue access point engaging with the network: for example, impersonating a legitimate access point (an evil twin) so that clients connect to it, sending deauthentication frames to force clients off the real access point and onto the rogue one, and then reading or modifying traffic as a man-in-the-middle. Passive interception, on the other hand, does not interfere with network traffic but silently records the frames that are already in the air; on an open network, or on a WPA2-Personal network whose passphrase the attacker knows, this exposes the contents of any unencrypted session. Active techniques generate traffic of their own (bursts of deauthentication frames, unfamiliar beacons) that a wireless intrusion detection system can flag, whereas passive capture produces nothing to detect, so defenders must rely on finding the rogue device itself.
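The scanning-and-marking approach described above, together with the detection of an active deauthentication burst, can be illustrated with a small script. The following is an added example, not code from the PNP ACG bulletin or from any referenced vendor; the inventory, scan results and frame records are all constructed sample data, and the thresholds are assumptions to be tuned per site:

```python
# Added example (not part of the bulletin): a minimal rogue-AP checker that
# (1) compares Wi-Fi scan results against an inventory of authorised access
# points, flagging evil twins and look-alike network names, and
# (2) flags deauthentication floods, an active technique used to push clients
# off the real AP and onto a rogue one.
# Every BSSID, SSID and frame record below is constructed for the example.

from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: SSID -> owned BSSIDs and the security the real AP uses.
# In practice this is exported from the wireless controller.
AUTHORISED = {
    "CorpWiFi":  {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
                  "security": "WPA2-Enterprise"},
    "CorpGuest": {"bssids": {"00:11:22:33:44:03"}, "security": "WPA2-PSK"},
}


@dataclass(frozen=True)
class ScanEntry:
    bssid: str
    ssid: str
    channel: int
    rssi: int        # dBm as reported by the scanning interface
    security: str    # e.g. "WPA2-Enterprise", "WPA2-PSK", "OPEN"


def _norm(ssid):
    """Normalise an SSID so 'Corp-WiFi' and 'corpwifi ' compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def classify_scan(entries, inventory=AUTHORISED):
    """Return {bssid: verdict} for each scanned AP.

    authorised          BSSID is in the inventory for that SSID
    evil_twin           our SSID from an unknown BSSID, same security
    evil_twin_downgrade our SSID from an unknown BSSID with weaker/other security
    lookalike           a name that normalises to one of ours but is not ours
    neighbour           unrelated SSID (informational only)
    """
    norm_names = {_norm(name) for name in inventory}
    report = {}
    for e in entries:
        if e.ssid in inventory:
            spec = inventory[e.ssid]
            if e.bssid in spec["bssids"]:
                verdict = "authorised"
            elif e.security != spec["security"]:
                verdict = "evil_twin_downgrade"
            else:
                verdict = "evil_twin"
        elif _norm(e.ssid) in norm_names:
            verdict = "lookalike"
        else:
            verdict = "neighbour"
        report[e.bssid] = verdict
    return report


@dataclass(frozen=True)
class MgmtFrame:
    ts: float        # capture time in seconds
    subtype: str     # "beacon", "deauth", "disassoc", ...
    src: str         # transmitter address as written in the frame (spoofable)
    dst: str


def deauth_floods(frames, window=10.0, threshold=20):
    """Return {src: peak_count} for transmitters that sent more than
    `threshold` deauth/disassoc frames inside any `window`-second span.
    The src is whatever the frame claims; a flood 'from' the real AP's
    BSSID is usually an attacker spoofing it."""
    by_src = defaultdict(list)
    for f in frames:
        if f.subtype in ("deauth", "disassoc"):
            by_src[f.src].append(f.ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


# Constructed scan: two real CorpWiFi APs, the guest AP, an open evil twin,
# a look-alike name, a second evil twin with matching security, a neighbour.
SAMPLE_SCAN = [
    ScanEntry("00:11:22:33:44:01", "CorpWiFi", 36, -48, "WPA2-Enterprise"),
    ScanEntry("00:11:22:33:44:02", "CorpWiFi", 44, -61, "WPA2-Enterprise"),
    ScanEntry("00:11:22:33:44:03", "CorpGuest", 1, -55, "WPA2-PSK"),
    ScanEntry("de:ad:be:ef:00:01", "CorpWiFi", 6, -40, "OPEN"),
    ScanEntry("de:ad:be:ef:00:02", "Corp-WiFi", 11, -52, "WPA2-PSK"),
    ScanEntry("de:ad:be:ef:00:03", "CorpGuest", 6, -45, "WPA2-PSK"),
    ScanEntry("aa:bb:cc:dd:ee:ff", "CoffeeShop", 1, -70, "WPA2-PSK"),
]

# Constructed frame log: normal beacons, then 40 broadcast deauths in 2 s
# claiming to come from the real AP, plus one isolated deauth from the guest AP.
SAMPLE_FRAMES = (
    [MgmtFrame(i * 0.1, "beacon", "00:11:22:33:44:01", "ff:ff:ff:ff:ff:ff")
     for i in range(50)]
    + [MgmtFrame(1.0 + i * 0.05, "deauth", "00:11:22:33:44:01", "ff:ff:ff:ff:ff:ff")
       for i in range(40)]
    + [MgmtFrame(3.0, "deauth", "00:11:22:33:44:03", "66:77:88:99:aa:bb")]
)

if __name__ == "__main__":
    for bssid, verdict in classify_scan(SAMPLE_SCAN).items():
        print(f"{bssid}  {verdict}")
    for src, n in deauth_floods(SAMPLE_FRAMES).items():
        print(f"deauth flood: {n} frames in window claiming source {src}")
```

A scan only sees access points within radio range of the sensor and cannot tell whether an unknown AP is actually plugged into the wired LAN; confirming that requires a wired-side check such as looking for the AP's address on the switches' MAC tables. A flagged "deauth flood" whose source is the real AP's BSSID should be read as spoofing, not as the real AP misbehaving.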

Rogue scanner attacks rely on psychological manipulation to trick users into installing malware disguised as security tools, while rogue access points imitate trusted networks to intercept sensitive data. Understanding both threats is essential for implementing effective defenses. By combining strong technical controls such as wireless monitoring, authenticated Wi-Fi and encryption in transit with user education, organizations can significantly reduce their exposure to these deceptive and damaging attacks.

RECOMMENDATION

The public is advised to follow these tips to avoid falling victim to rogue scanner and rogue access point attacks:

  • Treat "scan results" or infection warnings that appear in a browser pop-up or advertisement as scareware; close the page and run only the security software already installed from a known vendor;
  • Regularly scan the wireless environment for unauthorized access points and compare the results against an inventory of authorized ones;
  • Implement a Wireless Intrusion Detection System (WIDS) to alert on unknown access points and deauthentication bursts;
  • Use WPA2/WPA3-Enterprise with server certificate validation on corporate networks so that client devices refuse to connect to an impostor, and avoid default or weak passwords that make an easy target for breaches;
  • Use HTTPS or a VPN for anything sensitive when connecting through Wi-Fi that you do not control;
  • Maintain regular firmware updates on access points and network equipment; and
  • Disable plug-and-play features on network devices (for example, UPnP and automatic provisioning) so that an unauthorized device cannot simply be plugged in and start serving clients.

For additional information, please refer to the following websites:

  • https://www.linkedin.com/pulse/cyber-security-invisible-threat-brett-gallant
  • https://zimperium.com/glossary/rogue-access-point

POINT OF CONTACT

Please contact PLTCOL JERRY V EMPIZO, Acting Chief, Cyber Security Unit, thru e-mail address csradacgroup@gmail.com or contact us by telephone number (632) 723-0401 local 7488 for any inquiries related to this CYBER SECURITY BULLETIN.
