How Do They Find Us? A Study of Geolocation Tracking Techniques of Malicious Websites

Abstract Geolocation cloaking is a process in which varying and customised web content is delivered to visiting users based on the geographical information derived from the users’ system and network variables. Geolocation cloaking allows a malicious web site to: 1) Increase the success rate of an attacks by targeting a specific population using sociocultural attributes of the visiting user and, perform targeted social engineering attacks. 2) Deliver benign content to requesting users (or detection systems) who do not reside in the geographical location specified by the attacker and, subsequently limit exposure and bypass detection entirely regardless of the detection engine utilised. In this paper we provide an overview of the range of geolocation detection techniques which could potentially be used to estimate the location of a visiting user and perform geolocation cloaking attacks. We discuss these systems in terms of their operation and feasibility to be utilised by a malicious web site.