Geolocation Tracking and Cloaking of Malicious Web Sites

Web site cloaking is a process in which different HTML content is delivered to end users depending on the attributes of the client agent and its interaction patterns. Cloaking poses a significant challenge to the detection of malicious web sites: it is simple to implement and effective at bypassing detection engines. A malicious web site can decide on the server side to deliver benign content to a requesting client and consequently bypass detection, regardless of the detection engine the client uses. We performed large-scale real-world experiments to study the cloaking techniques used by malicious web sites. We focused our research on malicious web sites that use geographical information derived from the client's IP address and the language preferences of the visiting client's browser. Our study validated our hypothesis that the client browser's preferred language settings and the geographical information of an IP address, each taken in isolation, change the behaviour of a malicious web site. We also measured the effects of IP geolocation and language settings on the behaviour of malicious web sites independently of other factors.
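As an added illustration of the measurement approach the abstract describes (this is not the paper's own code), the following differential probe requests the same page under client profiles that vary only the Accept-Language header or the geolocation assumed for the source IP, and flags any profile whose content diverges from the baseline. The `fetch` callable, the profile names and the two mock sites are constructed assumptions standing in for a live crawler and a geolocation lookup.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed client profiles: each varies exactly one attribute the paper
# studies (Accept-Language, or the geolocation derived from the source IP).
# The "geo" field stands in for a real IP-to-country lookup; none is performed.
PROFILES: List[Dict[str, str]] = [
    {"name": "baseline", "accept_language": "en-US,en;q=0.9", "geo": "US"},
    {"name": "lang-de",  "accept_language": "de-DE,de;q=0.9", "geo": "US"},
    {"name": "lang-ru",  "accept_language": "ru-RU,ru;q=0.9", "geo": "US"},
    {"name": "geo-DE",   "accept_language": "en-US,en;q=0.9", "geo": "DE"},
]

def normalize(body: str) -> str:
    # Collapse whitespace so cosmetic layout differences are not reported as cloaking.
    return " ".join(body.split())

def fingerprint(body: str) -> str:
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()

def probe_for_cloaking(fetch: Callable[[Dict[str, str]], str]) -> Tuple[bool, Dict[str, str]]:
    """Fetch the same URL once per profile and return (suspected, divergent),
    where divergent maps each non-baseline profile that received different
    content to the fingerprint it received. `fetch` is injected so the same
    check can run against a live site or, as here, a constructed stand-in."""
    results = {p["name"]: fingerprint(fetch(p)) for p in PROFILES}
    base = results["baseline"]
    divergent = {name: h for name, h in results.items() if h != base}
    return bool(divergent), divergent

# Constructed stand-in for a cloaking server, used only to exercise the probe:
# it serves a harmless page unless the visitor's language or derived
# geolocation matches the behaviour under test.
def mock_cloaking_site(profile: Dict[str, str]) -> str:
    if profile["accept_language"].startswith("ru") or profile["geo"] == "DE":
        return "<html><body><script src='payload.js'></script></body></html>"
    return "<html><body>Welcome   to our store</body></html>"

# Constructed stand-in for a site that serves every visitor the same page.
def mock_honest_site(profile: Dict[str, str]) -> str:
    return "<html><body>Welcome to our store</body></html>"

if __name__ == "__main__":
    suspected, divergent = probe_for_cloaking(mock_cloaking_site)
    print("cloaking suspected:", suspected, sorted(divergent))
```

Against a real site the probe should be repeated over time from several vantage points, since the paper's point is that geolocation and language each change behaviour on their own and a single baseline fetch cannot reveal that.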
