How to Gather IP Geolocation Information to Investigate Malicious Addresses
In today’s digital world, it’s only a matter of time before a person or an organization becomes a cybercrime target. Multiple studies reveal that millions of people suffer from cybercrime every year. How can the Internet be made safer?
One way is to strengthen cybersecurity investigations by enriching them with Internet Protocol (IP) geolocation data. We explored this tactic in this post.
What Is IP Geolocation?
IP geolocation refers to the physical location of an Internet-connected device. Every device has a unique IP address, and its geolocation can be obtained through a bulk IP lookup or other means. In most cases, IP geolocation data includes the following:
- Country
- Region
- City
- Latitude and longitude coordinates
- Postal code
- Time zone
It can also reveal other crucial information, such as Autonomous System (AS) names and numbers, connected domain names, and Internet service providers (ISPs).
How Does IP Geolocation Contribute to Cybersecurity Investigations?
Geolocation data is increasingly being used in crime investigations. Determining the IP addresses of devices located near a crime scene can supplement other investigative steps to help law enforcement agents identify witnesses or suspects.
In 2018, for instance, federal agents submitted an affidavit requesting the list of all Google accounts located near the vicinity of a string of bombings in Austin, Texas. Ultimately, the suspect’s IP address and store receipts helped them identify the bomber.
IP geolocation could help in cybersecurity investigations, too. A cybercrime can be described as any malicious activity that targets and uses a networked device. Therefore, the threat actor’s device is imprinted with an IP address to help investigators track him.
IP geolocation data was among those that helped track down 21 individuals in December 2020 who allegedly purchased personally identifiable information (PII) from the WeLeakInfo website. Microsoft was also able to fight ransomware and shut down Trickbot servers by identifying the servers’ exact IP addresses.
How Can IP Geolocation Data Be Obtained?
IP geolocation data can be acquired through different means, including bulk IP lookups and using JavaScript.
Perform a Bulk IP Lookup
A bulk IP lookup allows you to get the geolocations of multiple IP addresses in one go. Upload a list of IP addresses on a bulk IP lookup tool and wait for the result. To illustrate, a list of Hafnium IP addresses in comma-separated values (CSV) format was uploaded to a bulk IP lookup tool. The file contained 92 IP addresses and was processed all at once.
The image below shows part of the results.
Hafnium is a relatively new cybercrime group targeting Microsoft Exchange clients. Identifying the IP geolocation data of IP addresses tagged as indicators of compromise (IoCs) can help in the following ways:
- Cybersecurity researchers and professionals can use the IP geolocation data returned by the bulk IP lookup tool to dig deeper into the IoCs and discover other possible artifacts.
- Microsoft can approach law enforcement authorities with the list of IP addresses and their geolocation data to facilitate the takedown process, as they did to address the Trickbot ransomware in October 2020.
- The IP geolocation data of the IoCs can help Microsoft Exchange clients implement IP or location-based blacklisting while the takedown process is still ongoing.
Use JavaScript
An IP address’s geolocation can be found through JavaScript using an application programming interface (API). For the sake of illustration, let’s use the simple-geoip JavaScript library. Below is an example of a few lines of code that tells the program to obtain the geolocation data of IP address 8[.]8[.]8[.]8, a Google-owned IP address.
const GeoIP = require(“simple-geoip”);
let geoIP = new GeoIP(“your geoipify api key goes here”);
geoIP.lookup(“8.8.8.8”, (err, data) => {
if (err) throw err;
console.log(data);
});
Running the program above returns the following geolocation data:
{
ip: ‘8.8.8.8’,
location: {
country: ‘US’,
region: ‘California’,
city: ‘Mountain View’,
lat: 37.40599,
lng: -122.078514,
postalCode: ‘94043’,
timezone: ‘-07:00’,
geonameId: 5375481
},
domains: [ ‘0–9.ru’, ‘000180.top’, ‘0002.by’, ‘00027.hk’, ‘00049ok.com’ ],
as: {
asn: 15169,
name: ‘Google LLC’,
route: ‘8.8.8.0/24’,
domain: ‘https://about.google/intl/en/’,
type: ‘Content’
},
isp: ‘Google’
}
Investigating cybercrime has become quite challenging, with the massive rise in cyber attacks in recent months. However, data, such as IP geolocation, can help enrich investigations, and in some cases, even deter cybercrime.