Posted on January 5, 2021 at 12:36 PM
A recent report reveals that some malware threat actors are using BSSID or what is called WiFi AP MAC to identify victim computers.
The malware operators looking to find out the location of the target host usually depend on a simple method of taking the victim’s IP address and checking it against an IP-to-geo database to get their geographical location.
They use a BSSID-to-geodatabase like Mylnikov to check the victim’s IP address, allowing the malware to find out the physical location of the wifi access point being targeted.
When the malware threat actors use both methods by checking the IP address and finding the geographical location, it helps them determine that the original IP-based location search with the BSSID method is correct.
The first technique not effective
According to the report, these threat actors generally determine the victim’s location because they don’t want to infect victims from their county to avoid the attention of law enforcement.
In other instances, the malware operators could be looking for a specific location when they want to ensure their attacks are only for specific countries, such as state-sponsored hackers.
But there is usually one problem with IP-to-geo databases. They are notorious for having widely inaccurate results.
In some cases, data centers and telcos usually rent or buy IP address blocks from the free market. As a result, some of the IP blocks could be given to other institutions in another country or region from their original owner.
A second technique discovered
Although the approach does not yield accurate results, hackers still find it useful when limiting the number of their victims to include mostly those they are specifically targeting. And the method is still one of the best ways to determine the actual location of the user based on the information available on the computer.
But it seems some threat actors have found out another way to detect users’ geographical location that could be more effective.
A security researcher at SANS Internet Storm Center Xaver Mertens revealed that some threat actors are using a new malware strain for geographical location identification.
The second method uses the Basic Service Set Identifier (BSSID) of infested users to get their location.
It is the user’s WiFi access point or the MAC physical address of the wireless router. According to Mertens, the new malware strain he observed collects the user’s BSSID and check it against a free BSSID-to-geodatabase at Mylnikov.
Mertens also stated that the databases are not difficult to gather these days as they are utilized by several mobile app operators to track users in absence of direct access to their phone’s location data.
A good example is the WIGLE app, which is a very popular service for this type of BSSID-to-geo service.
When the threat actors check the BSSID using Mylnikov’s database, it will enable the malware to find out the physical location of the victim’s WiFi access point. The new process is even more accurate than the previous technique, which means the threat actors are more effective in the search of geographical location.
Although the second technique of double-checking the victim’s geographical location is not very common today, the method has proven to be more beneficial to the users. And with its added benefits of efficiency, the researcher believes it won’t take long for other malware operators to start adopting the technique in the future.
Protecting against exploits
Several businesses have moved from wired to wireless technology. As a result, they are now more exposed to security issues as threat actors take advantage of any loophole.
Many businesses also do not carry out an effective risk analysis. As a result, the vulnerability are may not be identified and addressed on time before the threat actors launch an attack.
Due to these flaws and their exploitation ease, wireless network attacks are usually common.
The attackers are always looking for new and more efficient ways to exploit their victims and gain access to private and sensitive data. Security researchers have advised users to quickly change their default SSID and password, which will make it more difficult to exploit their WiFi access point.