Information security is littered with bad analogies. And none sounds sillier than a watering hole attack, which plays off the tactic that dominant animals use when stalking food by loitering at a watering hole. Rather than chase their prey, a lion will wait for prey to come to it. Hackers are doing the same thing to a great degree of success. Rather than using a spear phishing email campaign to lure prey to them, hackers are infecting vulnerable sites of a common interest to their targets, and then redirecting them to malware and more badness.
Make no mistake, while watering hole attacks cast a wider net and snare more victims than the attacker wants, these are targeted attacks. Mobile developers at Facebook, Apple and Twitter found out the hard way when their machines were popped by malware hosted on a popular iOS mobile developer forum. Was the attacker after Facebook, Apple and Twitter? Maybe. Or maybe they wanted to own mobile applications and mobile phones on a massive scale?
The question remains unanswered, but one thing is certain: watering hole attacks work. They work because attackers are compromising legitimate websites that for the most part cannot be blacklisted, and are often doing so with zero-day exploits for which there are no antivirus or IDS signatures. Banning mobile developers from surfing to an important resource they need to do their job isn’t a feasible strategy. Telling government officials they cannot use nor contribute to an online foreign policy resource isn’t realistic. Hackers prey on this dynamic, and also understand the shortcomings surrounding secure software development and how difficult it is for IT security to effect change on programmers whose incentives are to push products out the door on time, secure or not.
“How can we train employees to be wary of watering hole sites? It doesn’t make any sense and I can just see why some CISOs are getting frustrated,” said Anup Ghosh, CEO and founder of security company Invincea. “At least with spear phishing, you can blame the user even if it’s not their fault. With watering hole attacks, they user can always say ‘I had to go there for work, what do you want me to do?’”
Most high-profile watering hole attacks have been loosely attributed to nation states, but in a nifty about-face, these well-funded state-sponsored hackers are borrowing techniques from the arena of cybercrime. Watering hole attacks are a riff on drive-by downloads with subtle differences. Drive-by attacks are indiscriminate about their victims. Cybercrime gangs want scale and want it quickly; they want banking credentials and personal information because fraud and identity theft is their game. With watering hole attacks, the end game is espionage. Hackers’ motivations are to steal intellectual property or gain access to sensitive computer systems.
To date, not only have large technology companies such as Facebook, Apple and Twitter been snared at the watering hole, but so have regional banks, activist groups, government foreign policy resource sites, manufacturers, the defense industrial base, and many other companies from varied industries. Hackers are using Java zero-day exploits in their attacks, as well as exploits targeting flaws in Adobe Reader and Flash, or Internet Explorer—all ubiquitous, cross-platform software platforms.
“What amazes me is the general effectiveness of the attack category in general, whether it’s a commodity drive-by or a watering hole, it works and it works well,” said Mike Sconzo, CTO of security consultancy Visible Risk.
Hackers don’t necessarily get a better level of targeting with watering hole attacks, but they do gain a degree of efficiency with these types of attacks. It’s simple to Googledork sites looking for vulnerable versions of web servers to infect, rather than spending time doing reconnaissance on social networks and forums, and building complex profiles of people and the systems they use. Nation state-sponsored attackers certainly have gone to these lengths in the past to cast out phishing messages to initially infect targets. But watering hole attacks such as VOHO and the attacks on the Council of Foreign Relations have removed spear phishing from the equation.
“In today’s world, less and less people are clicking on links they receive in emails, but they are still visiting various websites each day. Phishing is like sending random people poisoned fruit cakes and hoping they eat it, but a watering hole attack is like poisoning a town’s water supply and just waiting for them to take a sip. One could never happen, while the other is only a matter of time,” said Candis Orr, researcher with Stach & Liu. “A successful phishing campaign would require knowledge on what sources the targets usually receive emails from, within which emails do the targets actually receive and click links, and how to spoof an email address to look like it came from one of those sites.”
Experts, however, don’t see this as the end of spear phishing.
“Financially, it makes more sense to use a watering hole attack than spear phishing when you want large profit fast,” said Barry Shteiman, senior security strategist at Imperva. “But when you’re talking intellectual property, then spear phishing makes more sense most of the time because you can target a specific audience rather than just a website.”
Having major companies such as Facebook, Apple and Twitter disclose they fell victim to watering hole attacks shines more light on the problem.
“It creates outrage. When we see Google or Apple compromised and losing intellectual property to other countries, it outrages us that it’s going on,” Invincea’s Ghosh said. “We can start to put pressure on the administration to use diplomacy to fight this. If Ford and GM are compromised for their next-gen auto design, that’s serious business.”