Xavier Mertens of the SANS Internet Storm Center recently identified malware that uses an interesting method to discover a victim's probable location. One notable aspect of this malware is that it does not depend on the usual GeoIP API services.
The experts affirmed that this malware usually collects an infected user's Basic Service Set Identifier (BSSID), that is, the MAC address of the wireless router or access point the machine is using to connect over WiFi.
Attackers commonly use GeoIP API services for this task, but there are other ways to determine a location that do not require access to those APIs.
This method is not exact, but it is still the most dependable way to derive a user's actual physical location from the data found on their computer.
remnux@remnux:~$ curl -s http://icanhazip.com/
81.246.x.x
As noted above, the malware uses a second method that relies on obtaining the infected user's BSSID. The BSSID could also be adopted by other malware operators to double-check a victim's geographical location.
remnux@remnux:~$ curl -s 'https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:0c:29:xx:xx:xx'
{"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1608552093}
According to Mertens, this method also helps to identify the victim's location. The malware collects the MAC address of the default gateway ("in my VM conditions", as he notes) or the BSSID (the MAC address of the wireless access point).
Moreover, such databases are very prevalent these days and are commonly used by mobile app operators as an alternative way to track users when they cannot get direct access to a phone's location data.
If the BSSID is checked against Mylnikov's database, the malware would be able to pinpoint the actual geographical location of the WiFi access point the victim is using to reach the internet.
This is a far more accurate way to identify a victim's geographical position; in either case, the attacker's main motive is to check where the victim is.
Attackers check a victim's location because some groups only want to affect victims in other countries and do not intend to infect victims in their native country.
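From a defender's side, the two lookups shown above (a public-IP check followed by a WiFi-geolocation query carrying a BSSID) are visible in outbound web proxy logs. The following Python is an added example written for this article, not code from Mertens' diary or from the malware: it scans constructed proxy log lines for requests to the geolocation hosts named on this page, extracts and validates the `bssid` query parameter, and flags clients that performed both steps. The log format, the host list and the sample lines are assumptions for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log lines (not from the original article):
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2020-12-21T12:01:33Z 10.0.0.15 GET http://icanhazip.com/ 200
2020-12-21T12:01:35Z 10.0.0.15 GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:0c:29:ab:cd:ef 200
2020-12-21T12:02:10Z 10.0.0.22 GET https://example.com/index.html 200
2020-12-21T12:03:44Z 10.0.0.15 GET https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=not-a-mac 404
"""

# Hostnames of the IP / WiFi geolocation services mentioned in the article.
# Assumption: a real deployment would feed this set from threat intel.
GEO_HOSTS = {"api.mylnikov.org", "icanhazip.com"}

# A BSSID is a MAC address: six colon-separated hex octets.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_request(url):
    """Return (kind, bssid): kind is 'ip_lookup', 'bssid_lookup' or None.

    bssid is the validated MAC from the query string, or None when the
    request carried no bssid parameter or the value is not a MAC address.
    """
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host not in GEO_HOSTS:
        return None, None
    bssid = parse_qs(parsed.query).get("bssid", [None])[0]
    if bssid is not None:
        # A bssid parameter means a WiFi geolocation query; keep the value
        # only if it is well-formed so downstream tooling can pivot on it.
        return "bssid_lookup", bssid if MAC_RE.match(bssid) else None
    return "ip_lookup", None


def scan_log(text):
    """Parse log lines and return one finding per geolocation request."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines instead of failing the whole scan
        ts, client, method, url, status = match.groups()
        kind, bssid = classify_request(url)
        if kind is None:
            continue
        findings.append({
            "time": ts,
            "client": client,
            "kind": kind,
            "bssid": bssid,
            "status": int(status),
        })
    return findings


def clients_doing_both(findings):
    """Clients that performed an IP lookup and a BSSID lookup.

    That pairing is the two-step pattern described in the article and is a
    stronger signal than either request on its own.
    """
    by_client = {}
    for finding in findings:
        by_client.setdefault(finding["client"], set()).add(finding["kind"])
    return sorted(c for c, kinds in by_client.items()
                  if {"ip_lookup", "bssid_lookup"} <= kinds)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for r in results:
        print(r)
    print("clients with both lookups:", clients_doing_both(results))
```

Legitimate software (browsers, mobile-device management agents) can also query such services, so the paired lookup from a single host is the part worth alerting on; a lone request to one of these hosts is better treated as context for triage.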