Waterhole Attacks – Compromised Websites
Illustration Caption – Just as a predator patiently stalks prey at a water hole, a routinely visited website is compromised and placed in direct path of an unsuspecting user in order to deliver malware. This type of web attack is called “waterholing”.
What is a waterhole attack?
Briefly defined, a waterhole attack, or waterholing, refers to a compromised website that is routinely visited by a targeted person, who is then redirected to a malicious website where malware is delivered.
The use of compromised websites to deliver zero-day exploits is not new. The difference now is that attackers are profiling web usage behaviors of targeted individuals and probing the websites they visit for vulnerabilities. To cite an example, an attacker attempting to gain access to systems of a software development firm may identify a specific forum frequented by that company’s developers. The attacker then compromises the web forum and places malicious code in the path of the developers that diverts them to a separate website that hosts the vulnerability exploit code. Such an approach has been used in both APTs and spear phishing campaigns to great effect over the last 3 years.
The ease with which individuals with minimal to no security background can deploy insecure web applications coupled with a rise in client-side vulnerabilities have driven the efficacy of water hole attacks higher. One need only visit a bookstore or websites detailing web application development – whether JSP, ASP or some other framework – to see that these instructional materials, while suitable in teaching proper coding methods, fail to discuss key concepts in basic web security such as input sanitization, architecture, etc. Malicious users that now focus on client-side attacks, as server-side threats are on the decline; further exploit this gap in knowledge. In short, the confluence of these two factors contributes to the continued prevalence of the threat of waterholing.
The continued use of the Internet by employees of both the public and private sectors in the course of their expected tasks coupled with the vulnerabilities found in existing technologies and platforms has created an environment where threats such as APTs and spear phishing spread easily with waterholing.
How to detect and combat waterhole attacks?
In reality, the solution to this problem is three-fold. First, employees or individuals at risk should be made aware of the threat associated with their Internet activity. Second, the instruction made available to web developers should include security alongside functionality. Third, web security vendors should ensure their network or endpoint security offerings are able to detect water hole attacks as they happen, or partner with a malicious website as a means to prevent their products from being used as enabling mechanisms for waterholing and other web attacks.