So here's an early warning: Waterholes should be on your radar.
In waterhole attacks, the bad guys poison a website frequented by you and/or your company with the express goal of compromising your environment. Either the hacker maliciously modifies the website code itself so that malware is sprung on the user or some desired object on the website is poisoned. For example, hackers may maliciously modify a trusted applet, and when downloaded by visitors, it opens a backdoor or installs other malware.
It's like targeted spear phishing, only without the email.
Waterholes have already compromised high-profile companies, including Twitter, Microsoft, Facebook, and Apple. These sorts of attacks are tailored to the victim, down to the computer platform. Assuming you're safe because your computer platform isn't attacked as commonly as others will just lull you into a false sense of security.
Waterhole attacks actually started years ago. My favorite real-life example: Hackers uploaded a few dozen admin tools to popular open source websites, which were downloaded and used by hundreds of thousands of website administrators. One of the most popular tools was a website admin console; another was a Web page visitor counter. Both contained a simple URL that loaded a small logo along with the applet. The author's open source contract said that anyone could use and modify the applet as needed, as long as the URL was left intact in original form without modification. Harmless enough -- or so everyone thought and so it seemed for many months.
But even this trick isn't new. Decades ago, one of Unix's original creators gave away a backdoor-encoded log-on screen, which thousands downloaded and used. Thus, he made the point — at a huge public conference, no less — that you can't trust code you don't write yourself. Decades later, we still haven't learned the lesson.
The difference is that these sorts of attacks used to be fairly rare. Now I'm hearing about them and seeing them pop up weekly. Perhaps it's just one sophisticated APT (advanced persistent threat) group using them, but success breeds followers. You can bet that all the world's full-time cyber criminals are paying attention.