BLOG: Watch out for waterhole attacks — hackers' latest stealth weapon

Roger A. Grimes | May 22, 2013
It's time to learn about waterhole attacks, where sites with tailored malware await visits by certain companies' employees

The bane of the computer security world is how long it takes to recognize and respond to new attack paradigms. Name a major threat -- the boot virus, macro virus, email attachment, or Web JavaScript redirect -- and it seems to take years to respond adequately.

So here's an early warning: Waterholes should be on your radar.

In waterhole attacks, the bad guys poison a website frequented by you and/or your company with the express goal of compromising your environment. Either the hacker maliciously modifies the website code itself so that malware is sprung on the user or some desired object on the website is poisoned. For example, hackers may maliciously modify a trusted applet, and when downloaded by visitors, it opens a backdoor or installs other malware.

It's like targeted spear phishing, only without the email.

Waterholes have already compromised high-profile companies, including Twitter, Microsoft, Facebook, and Apple. These sorts of attacks are tailored to the victim, down to the computer platform. Assuming you're safe because your computer platform isn't attacked as commonly as others will just lull you into a false sense of security.

Waterhole attacks actually started years ago. My favorite real-life example: Hackers uploaded a few dozen admin tools to popular open source websites, which were downloaded and used by hundreds of thousands of website administrators. One of the most popular tools was a website admin console; another was a Web page visitor counter. Both contained a simple URL that loaded a small logo along with the applet. The author's open source contract said that anyone could use and modify the applet as needed, as long as the URL was left intact in original form without modification. Harmless enough -- or so everyone thought and so it seemed for many months.

Then one day the URL pointing to the logo graphic ended up pointing to a JavaScript redirection link instead, which prompted visiting users to install malware. It was pure evil genius. By changing what the URL was pointing to, tens of thousands of users were instantly infected on their next visit.
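As an added example (not code from the article), here is a defender-side audit for the scenario above: it lists the resources a page loads from other hosts and flags any whose bytes changed since they were reviewed, or any image source that no longer returns an image. The host name, sample bytes, and the `audit` and `fetch` names are assumptions for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Magic bytes of the image formats a logo would use (PNG, GIF, JPEG).
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"\xff\xd8\xff")

class ExternalRefs(HTMLParser):
    """Collect (tag, url) for resources loaded from hosts other than our own."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.refs = own_host, []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get("src")
        if tag in ("img", "script", "iframe") and url:
            host = urlparse(url).hostname
            if host and host != self.own_host:
                self.refs.append((tag, url))

def audit(html, own_host, baseline, fetch):
    """Report external resources that drifted from the reviewed baseline.
    baseline maps url -> SHA-256 hex; fetch(url) -> (content_type, body)."""
    parser = ExternalRefs(own_host)
    parser.feed(html)
    findings = []
    for tag, url in parser.refs:
        ctype, body = fetch(url)  # injected so the check can run offline
        if url not in baseline:
            findings.append((url, "unreviewed external resource"))
        elif hashlib.sha256(body).hexdigest() != baseline[url]:
            findings.append((url, "content changed since review"))
        is_image = ctype.lower().startswith("image/") and body.startswith(IMAGE_MAGIC)
        if tag == "img" and not is_image:
            findings.append((url, "img source is not an image"))
    return findings

# Constructed sample data; host and bytes are placeholders, not from the article.
LOGO_URL = "https://widgets.example.net/logo.png"
PAGE = f'<body><img src="{LOGO_URL}"><img src="/local.png"></body>'
LOGO = b"\x89PNG\r\n\x1a\n" + b"constructed-logo-bytes"
BASELINE = {LOGO_URL: hashlib.sha256(LOGO).hexdigest()}

def fetch_clean(url):
    return ("image/png", LOGO)

def fetch_swapped(url):  # same URL, now serving script instead of the logo
    return ("text/javascript", b"/* constructed placeholder */")
```

Run on a schedule against your own pages, a check like this turns a silent swap behind an unchanged URL into an alert before the next visitor loads it.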

But even this trick isn't new. Decades ago, one of Unix's original creators gave away a backdoor-encoded log-on screen, which thousands downloaded and used. Thus, he made the point — at a huge public conference, no less — that you can't trust code you don't write yourself. Decades later, we still haven't learned the lesson.

The difference is that these sorts of attacks used to be fairly rare. Now I'm hearing about them and seeing them pop up weekly. Perhaps it's just one sophisticated APT (advanced persistent threat) group using them, but success breeds followers. You can bet that all the world's full-time cyber criminals are paying attention.

 
