Malware uses WiFi BSSID for victim identification

LASER_oneXM

Thread author
Feb 4, 2016
Checking the BSSID against Mylnikov's database would allow the malware to effectively determine the physical geographical location of the WiFi access point the victim was using to access the internet, which is a far more accurate way of discovering a victim's geographical position.

Using both methods together allows malware operators to confirm that the initial IP-based geolocation query is correct with the second BSSID method.

Malware operators usually check for a victim location because some groups want to make victims only inside specific countries (such as state-sponsored operations) or they don't want to infect victims in their native country (in order to avoid drawing the attention of local law enforcement and avoiding prosecution).

However, IP-to-geo databases are known for their wildly inaccurate results, as telcos and data centers tend to acquire or rent IP address blocks on the free market. This results in some IP blocks being assigned to different organizations in other regions of the globe from their initial/actual owner.
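The post above describes two victim-geolocation techniques that leave a network footprint: an IP-to-geo query followed by a WiFi BSSID lookup. The following detection sketch is an added example, not code from the thread or from any product it mentions. It runs over constructed proxy log lines in a hypothetical "client method url status" format, flags any client whose web requests carry a MAC address (BSSID) in the URL, and raises the severity when the same client also contacted a host on an analyst-maintained list of IP-geolocation services. The hostnames and log lines are placeholders invented for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not taken from the original thread).
# Hypothetical format: "<client_ip> <method> <url> <status>".
SAMPLE_PROXY_LOGS = [
    "10.0.0.5 GET http://update.example.test/check?v=2 200",
    "10.0.0.7 GET http://ip-geo.example.test/json/ 200",
    "10.0.0.7 GET http://wifi-geo.example.test/lookup?bssid=00:11:22:33:44:55 200",
    "10.0.0.9 GET http://cdn.example.test/img.png 304",
    "10.0.0.7 GET http://wifi-geo.example.test/lookup?bssid=AA-BB-CC-DD-EE-FF 200",
    "10.0.0.11 GET http://ip-geo.example.test/json/ 200",
]

# Hostnames an analyst would maintain as known IP-to-geo services.
# The entry here is a placeholder, not a real service.
IP_GEO_HOSTS = {"ip-geo.example.test"}

# A BSSID is a MAC address: six hex octets separated by ':' or '-'.
# Lookarounds stop the pattern matching inside a longer hex/separator run.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:-])(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:-])"
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its fields and decompose the URL."""
    client, method, url, status = line.split()
    parts = urlsplit(url)
    return {
        "client": client,
        "method": method,
        "host": parts.hostname or "",
        "path": parts.path,
        "query": parts.query,
        "status": status,
    }


def classify(event: Dict[str, str]) -> Optional[str]:
    """Label a request as a BSSID lookup, an IP-geo lookup, or neither."""
    if MAC_RE.search(event["query"]) or MAC_RE.search(event["path"]):
        return "bssid_lookup"
    if event["host"] in IP_GEO_HOSTS:
        return "ip_geo_lookup"
    return None


def detect_geolocation_probes(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Return, per client, the lookup kinds seen and a severity.

    Only clients that performed a BSSID lookup are reported: plain IP-geo
    queries are common in legitimate software and are too noisy on their own.
    A client that did both, the pattern the thread describes, is rated high.
    """
    per_client: Dict[str, set] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        kind = classify(ev)
        if kind:
            per_client[ev["client"]].add(kind)

    findings: Dict[str, Dict[str, object]] = {}
    for client, kinds in per_client.items():
        if "bssid_lookup" not in kinds:
            continue
        severity = "high" if "ip_geo_lookup" in kinds else "medium"
        findings[client] = {"kinds": sorted(kinds), "severity": severity}
    return findings


if __name__ == "__main__":
    for client, info in detect_geolocation_probes(SAMPLE_PROXY_LOGS).items():
        print(f"{client}: {info['severity']} ({', '.join(info['kinds'])})")
```

In practice the BSSID regex is the stronger signal, since a MAC address rarely belongs in a URL sent from an endpoint; the IP-geo host list only adds confidence, so keep it short and reviewed rather than trying to enumerate every such service.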