London: Visiting a booby-trapped website, the bogus webpage designed for phishing, means inviting cyber attackers to your home, a hacker turned security researcher
The attacker exploits the shortcomings in many routers (the device that forwards data packets to their destinations) to find out a key identification number that can reveal the victim's whereabouts in minutes, noted hacker Samy Kamkar said.
Demonstrating such an attack at the recently concluded Black Hat hacker conference in Las Vegas, Kamkar described how web attacks that begin with making contact with the target (user) can be used to find a person's physical location.
After making contact, the target is convinced to visit a booby-trapped website designed by the attacker. Kamkar showed how, once the victim clicks the attacker's link, the attacker can manipulate geolocation data from Google to pinpoint the victim's precise location, the BBC reported.
Many people go online via a router, and typically only the computer directly connected to the device can interrogate it for ID information.
However, Kamkar found a way to booby-trap a webpage via a browser so the request for the ID information looks like it is coming from the PC on which that page is being viewed.
He then coupled the ID information, known as a MAC address, with a geolocation feature of the Firefox web browser. This interrogates a Google database created when its cars were carrying out surveys for its Street View service. This database links MAC addresses of routers with GPS co-ordinates to help locate them.
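The weakness described above is that a router's web interface answers a request no matter which page made the browser send it. The following added example (not from the article or from Kamkar's demonstration; the router address and the attacker host are placeholders) shows the check a router could apply: refuse to serve the page that carries its MAC address unless the browser's Sec-Fetch-Site, Origin or Referer headers show the request came from the router's own pages.

```python
# Added illustration: a router web interface refusing cross-site requests.
# Browsers mark requests with Sec-Fetch-Site (modern) or Origin/Referer
# (older), so a request made by a booby-trapped page is distinguishable
# from one made by the router's own admin pages.
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"  # assumed router address (placeholder)


def _origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port] for same-origin comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def is_cross_site(headers: dict, router_origin: str = ROUTER_ORIGIN) -> bool:
    """Return True when the request did not come from the router's own pages."""
    h = {k.lower(): v for k, v in headers.items()}
    # Modern browsers attach Sec-Fetch-Site; only "same-origin" and "none"
    # (typed URL or bookmark) are produced by a legitimate admin session.
    sfs = h.get("sec-fetch-site")
    if sfs is not None:
        return sfs not in ("same-origin", "none")
    # Older browsers: fall back to Origin, then Referer.
    for name in ("origin", "referer"):
        if name in h:
            return _origin_of(h[name]) != router_origin.lower()
    # No provenance headers at all (e.g. a typed URL): treat as same-site.
    return False


def handle_status_request(headers: dict) -> tuple:
    """Serve the page that exposes the router's MAC only to same-origin callers."""
    if is_cross_site(headers):
        return (403, "cross-site request refused")
    return (200, "status page (contains WAN MAC address)")


# Constructed sample requests: one from the router's own admin page and two
# triggered by a page on an attacker-controlled site (placeholder host).
SAME_ORIGIN_REQ = {"Sec-Fetch-Site": "same-origin", "Referer": "http://192.168.1.1/index.html"}
CROSS_SITE_REQ = {"Sec-Fetch-Site": "cross-site", "Referer": "http://attacker.example/trap.html"}
LEGACY_CROSS_REQ = {"Referer": "http://attacker.example/trap.html"}  # no Sec-Fetch-Site

if __name__ == "__main__":
    for req in (SAME_ORIGIN_REQ, CROSS_SITE_REQ, LEGACY_CROSS_REQ):
        print(handle_status_request(req))
```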
"This is geo-location gone terrible," said Kamkar during his presentation. "Privacy is dead, people. I'm sorry."
Mikko Hypponen, senior researcher at security firm F-Secure, attended the presentation and said it was "very

"The thought that someone, somewhere on the net can find where you are is pretty creepy," he said.
"Scenarios where an attack like this would be used would be stalking or targeted attacks against an individual," he

"The fact that databases like Google Streetview's MAC-to-Location database or the Skyhook database can be used in these attacks just underlines how much responsibility companies that collect such data have to safeguard it correctly," said Mr Hypponen.
In 2005, Mr Kamkar created a worm that exploited security failings in web browsers to garner more than one million "friends" on the MySpace social network in one day.

Prosecuted for the hacking, Kamkar was given three years' probation and 90 days of community service and paid damages. He was also banned from using the net for personal purposes for an undisclosed amount of time.