Watch out for Waterhole Web Attacks
Just as lions look for gazelles with their defenses down at waterholes, hackers are spreading malware through websites popular with specific groups of users.
As every kid who grew up watching "Wild Kingdom" knows, there are few places in the jungle more dangerous than a watering hole because of the hungry lions lurking there with hopes of picking off a gazelle or two.
Now hackers are using a similar technique to prey on unwitting website visitors. Alex Watson, director of Security Research for Websense, explains that hackers plant malware on sites popular with their intended victims, catching some of them in the same way a lion catches a gazelle with its guard down.
Earlier this year, for instance, hackers were able to circumvent security systems at Google, Apple, Twitter and Facebook after employees of those companies visited a site popular with software developers. Hackers usually employ a backdoor approach to install malware that is then used to harvest documents, email contacts, social contacts and passwords. In these instances, valuable intellectual property is likely the object of hackers' desire.
More recently hackers targeted visitors to the Central Tibetan Administration website and other sites with a pro-Tibet slant. These attacks were likely motivated by political or social objectives.
Watson called waterholing an "evolution in the security landscape" that occurred when security professionals got better at deflecting email-based attacks that indiscriminately targeted large numbers of users. "That forced criminals to come up with new tactics," he said.
Old Dogs, New Tricks
The attacks do use many tried-and-true techniques, agreed Watson, but there are some interesting twists. For instance, some of the attacks seem to target only specific website visitors, delivering malware to some but not all who land on a site. Hackers also appear to use varying levels of sophistication, employing simple tactics for small and relatively unsecure sites but stepping up their game for those with stronger security.
"It's interesting to see criminals tailoring their attacks," Watson said. "This avoids giving away techniques and procedures. They do not want to expose their best tools."
As with many Web-based attacks, hackers often leverage sites with outdated software or a lack of patches for known vulnerabilities, Wosotowsky said. That is why it is important to download security updates as soon as they become available.
Defending Against Waterhole Attacks
Wosotowsky recommended using safe search tools like McAfee's SiteAdvisor, which informs users if the sites in their search results are safe. Another helpful McAfee product, he said, is Internet Security for Mac, which is set by default to receive automatic daily updates to ensure PCs are protected from new threats.
Sites using popular programs with well-known security vulnerabilities are a frequent target, Watson said, mentioning WordPress as an example. "It might be better to use managed or hosted WordPress, so you know the infrastructure will be updated regularly." He also suggested using Web application firewalls, disabling Java in the browser if it is not an absolute requirement, and even switching to less popular browsers or operating systems since hackers tend to focus on those with the most users.
Watson said the best defense against these types of attacks is comprehensive data leak prevention solutions such as Websense's Data Security Suite that provide multiple layers of defense encompassing Web, email and mobile security. "When you put these kinds of solutions together so they can talk to each other, it becomes really hard to pull off attacks like this because you will be stopped at some point in the attack chain," he said.
Ann All is the editor of eSecurity Planet and Enterprise Apps Today. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.
By Jeff Goldman
July 31, 2013
62 percent of enterprises say their endpoint security software isn't effective for detecting zero-day and/or polymorphic malware.