Down at the Watering-Hole

09/07/2013 13:58 BST | Updated 07/09/2013 10:12 BST

You may have heard the terms 'drive-by download' and 'spear-phishing'.

Drive-by downloads are a common method used to spread malware. Cybercriminals look for insecure web sites and plant a malicious script into HTML or PHP code on one of the web pages. This script may install malware directly onto the computer of someone who visits the site, or it may take the form of an IFRAME that re-directs the victim to a site controlled by the cybercriminals. In many cases the script is obfuscated, to make it more difficult for security researchers to analyse it. It's called a drive-by download because it requires no interaction from the victim - beyond simply visiting the compromised site. They get infected automatically - and silently - if there's an insecure, unpatched application on their computer.
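As an added example (not part of the original post), a site owner could run a check like this over their own pages to spot the injected IFRAME or obfuscated script described above. The allowed-host list, the heuristics and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic markers of packed or obfuscated JavaScript (assumed; tune per site).
OBFUSCATED = re.compile(r"eval\s*\(|unescape\s*\(|fromCharCode|document\.write\s*\(", re.I)
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class InjectionScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # list of (kind, detail) tuples
        self.in_script = False

    def unexpected(self, url):
        host = (urlparse(url).hostname or "").lower()  # relative URLs have no host
        return bool(host) and host not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag == "iframe" and self.unexpected(src):
            tiny = any(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
            hidden = tiny or bool(HIDDEN_CSS.search(a.get("style", "")))
            self.findings.append(("hidden-iframe" if hidden else "unexpected-iframe", src))
        elif tag == "script":
            self.in_script = True
            if self.unexpected(src):
                self.findings.append(("unexpected-script", src))

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        if self.in_script and OBFUSCATED.search(data):
            self.findings.append(("obfuscated-inline-script", data.strip()[:40]))

def scan(html, allowed_hosts):
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: two expected resources, one injected frame, one packed script.
SAMPLE = """<script src="/js/site.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<iframe src="http://injected.example.com/in.html" width="1" height="1"></iframe>
<script>eval(unescape("%2f%2f%20constructed"))</script>"""
```

Calling `scan(SAMPLE, {"cdn.example.net"})` reports the one-pixel frame and the packed inline script while leaving the site's own and allow-listed scripts alone. A finding is a prompt to compare the page against its last known-good copy, not proof of compromise.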

Phishing, a form of social engineering, involves tricking someone into disclosing personal information that a cybercriminal can use to assume the victim's online identity. Typically this means sending spam e-mails to a large number of people. They're made to look like e-mails from a bona fide financial organisation, in the hope that some of the people who receive the message will be fooled into thinking that it's legitimate and will respond by clicking on a link in the body of the e-mail. If they do, they're redirected to a fake web site where they are asked to disclose personal information - such as usernames, passwords, PINs and any other information that cybercriminals can use. Standard phishing e-mails are speculative in nature - and most of us have received these at some time or other.

Spear-phishing is just a targeted version of the same thing. In this case, the e-mail is directed to a specific person within a target organisation, in the hope that they will disclose information that allows the attacker to gain an initial foothold within the company. The cybercriminals use data that people post online to add credibility to a spear-phishing e-mail. This may include information posted on a company web site, snippets of information that people disclose in social networks or things they publish in public forums. For example, if the sales director of a company tweets about his holiday in Greece, or his business trip to Berlin, this can be referred to in an e-mail to make it look more credible. If the e-mail appears to come from a trusted colleague in IT, it's even more likely that he will respond to the e-mail because he thinks it's legitimate. The widespread use of social networks, and our tendency sometimes to over-share, has given cybercriminals more raw data to mine.

When you combine the two approaches (drive-by downloads and spear-phishing) you end up with what's called a 'watering-hole' attack. The attackers study the behaviour of people who work for the target organisation, to learn about their browsing habits. Then they compromise a web site that is frequently used by employees - ideally a web site run by a trusted organisation that is a valuable source of information. Ideally, they will use a zero-day exploit (one that isn't known by the application vendor and for which there is no patch). So when an employee visits a web page on the site, they will get infected - typically a backdoor Trojan will be installed that allows the attackers to access the company's internal network.

In effect, instead of chasing the victim, the cybercriminal lies in wait at a location that the victim is highly likely to visit - hence the watering-hole analogy.

It's not a new technique - watering-hole attacks date back to 2008. But we've seen an increase in this approach recently, as the number of targeted attacks has grown. Recent examples include attacks targeting Apple, Facebook and Microsoft, and Tibetan and Uyghur groups.

Effective mitigation of such attacks means implementing technology that blocks the use of zero-day exploits, so the malware can't propagate.

www.kaspersky.co.uk