In our recent post about anti-malware myths, we spoke of visitor-dependent malware. Three of the methods used to decide which visitors to attack and which to hide from are geolocation awareness, IP address awareness, and language awareness. Malware and phishing content hidden on a business’s website may infect visitors from some locations and ignore visitors from others. This behavior can help malware hide on a compromised website for weeks, months, or even years.
There are a variety of methods used to filter which visitors are attacked, and there are different motivations for doing so.
Four of the reasons why malware on a website may be geolocation aware are:
In some countries a cyber-criminal can only face legal charges if there are victims in their own country. Geolocation awareness allows these cyber-criminals to avoid legal action by making sure none of their victims are in their own country.
For an attack to succeed, sometimes the victim must understand the language they are reading. This is most commonly associated with phishing attacks. It does not matter what language your website is in: a compromised website can display attacks in a different language for each visitor. By identifying the language of the operating system, a person living outside Japan but using a Japanese OS may be shown a webpage in Japanese, even if the website is hosted in South America. The location and language of the compromised web server do not matter.
At times cyber-criminals will attack one geographic region, or even a single country, before expanding their attack or shifting its focus to another location. To target their campaigns most effectively, they must know where the intended victims are located.
IP address identification is not only used to identify the location of targeted visitors; it is also used for stealth. A very common use of IP awareness is to make it harder for researchers to find malicious software and webpages. The code on compromised websites will often identify entire blocks of IP addresses belonging to security companies so that their researchers never see the malware and exploits. But since not all researchers work for security companies, some webpages are designed to track individual IP addresses and to display or deploy malicious content only once per visitor. This means a researcher has one shot at seeing the malicious content. It also means victims frequently have no idea where the attack came from.
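Because the evasion described above only controls what is sent to a given visitor, the reliable place to look is the server-side source itself rather than the rendered page. The following is an added example (not Quttera code or ThreatSign’s detection logic) of a small static scanner that reads web application files and flags ones where visitor-identification code (geolocation lookups, client IP, Accept-Language) sits next to obfuscated execution or early-exit gating. The two sample PHP files, their paths, and the indicator names are constructed for the example and are not real malware signatures.

```python
import re
from dataclasses import dataclass, field

# Constructed sample files for the example (not real malware). The first mixes a
# country lookup, a language check, a seen-this-IP marker and an obfuscated
# payload; the second is ordinary application code that merely reads the
# Accept-Language header, so it must not be flagged.
SAMPLE_FILES = {
    "wp-content/uploads/cache.php": r"""<?php
$cc = geoip_country_code_by_name($_SERVER['REMOTE_ADDR']);
if ($cc == 'RU' || $cc == 'UA') { exit; }
$lang = substr($_SERVER['HTTP_ACCEPT_LANGUAGE'], 0, 2);
if (file_exists('/tmp/.seen_' . md5($_SERVER['REMOTE_ADDR']))) { exit; }
file_put_contents('/tmp/.seen_' . md5($_SERVER['REMOTE_ADDR']), '1');
eval(base64_decode($payload[$lang]));
""",
    "wp-includes/functions.php": r"""<?php
function wp_get_locale() { return get_option('WPLANG'); }
if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) { $hint = $_SERVER['HTTP_ACCEPT_LANGUAGE']; }
""",
}

# Indicators, grouped by what they tell us. Names are the example's own.
INDICATORS = {
    # how the code learns where / who the visitor is
    "geolocation": re.compile(r"geoip_\w+\s*\(|ip2location|HTTP_CF_IPCOUNTRY", re.I),
    "ip_address": re.compile(r"REMOTE_ADDR|HTTP_X_FORWARDED_FOR|HTTP_CLIENT_IP"),
    "language": re.compile(r"HTTP_ACCEPT_LANGUAGE"),
    # "show it once per IP": a file marker keyed on the client address
    "one_shot": re.compile(r"(file_exists|file_put_contents|fwrite)\s*\(.*REMOTE_ADDR"),
    # what the code does once it has decided
    "obfuscated_exec": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\("),
    "early_exit": re.compile(r"\b(exit|die)\b\s*[;(]"),
}
VISITOR_KEYS = ("geolocation", "ip_address", "language", "one_shot")
ACTION_KEYS = ("obfuscated_exec", "early_exit")


@dataclass
class Finding:
    path: str
    # indicator name -> list of (line number, stripped line) for analyst triage
    indicators: dict = field(default_factory=dict)
    suspicious: bool = False


def scan_source(path: str, source: str) -> Finding:
    """Flag a file when it both identifies the visitor and gates or obfuscates
    what it serves. Either half alone is common in benign code."""
    finding = Finding(path)
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                finding.indicators.setdefault(name, []).append((lineno, line.strip()))
    identifies_visitor = any(k in finding.indicators for k in VISITOR_KEYS)
    acts_on_it = any(k in finding.indicators for k in ACTION_KEYS)
    finding.suspicious = identifies_visitor and acts_on_it
    return finding


def scan_all(files: dict) -> dict:
    """Scan a mapping of path -> source text; returns path -> Finding."""
    return {path: scan_source(path, src) for path, src in files.items()}


if __name__ == "__main__":
    for path, finding in scan_all(SAMPLE_FILES).items():
        status = "SUSPECT" if finding.suspicious else "ok"
        print(f"{status:8} {path}: {sorted(finding.indicators)}")
        if finding.suspicious:
            for name, hits in finding.indicators.items():
                for lineno, text in hits:
                    print(f"    {name:16} line {lineno}: {text}")
```

On a real site you would feed `scan_all` the contents of the document root (or a recent backup) and review every suspect file by hand; the co-occurrence rule keeps ordinary locale handling, such as the second sample, out of the results, while the per-line hits let you see exactly which visitors the code was selecting for.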
How do we detect and remove the geolocation malware from websites?
Quttera’s ThreatSign is not fooled by these tactics. ThreatSign scans what is actually on the server, not what the attacker chooses to display or hide. Through highly sophisticated heuristics and machine learning, ThreatSign can identify malware that has never been seen before, even when it uses geolocation awareness, IP awareness, language awareness, or other evasive techniques.
No product offers 100% protection, but if a compromise occurs our engineers can remove the malware, identify where the compromise came from, and help our customers patch and harden their web servers.