Another form of cyber-crime, Watering Hole Attacks, describes a scheme used by hackers once they detect a website frequently visited by an individual or group. Once he identifies the “watering hole:”
- He infects the site with malware.
- Once infected, he can analyze the site’s vulnerabilities and inject malicious code into portions of the site. This process usually involves JavaScript or HTML malware embedded into the site’s ads or banners.
- Clicking on the altered links takes the victims to a phishing site with more malware.
- Visiting these sites automatically downloads a script onto the visitor’s machines.
- The script can either grant access to the victims’ system or acquire their data and send it to the hacker’s command and control server.
Successful Watering Hole Attacks
- Facebook, Twitter, Microsoft, and Apple’s websites were all compromised through watering hole attacks in 2013.
- In 2017, the North Korean cybercrime “Lazarus threat actor group,” infected websites that their targets were apt to visit. These targets were from 104 organizations in 31 different countries. Most of the targets were financial institutions located in Poland, Chile, the United States, Mexico, and Brazil.
- Operating out of southeast Asia, the OceanLotus threat actor group compromised nearly 21 websites during a watering hole attack in 2018. The targeted websites included Cambodia’s Ministries of Defense, Foreign Affairs, and International Cooperation, together with several Vietnamese newspapers. The malware directed the users of the sites to a domain controlled and operated the OceanLotus group.
Watering Hole Defense
Corporate cyber-security professionals have several means to defend against hacker’s watering hole attack. Some of the most helpful include:
- Ensure that firewalls and other network security products are functioning properly.
- Inform employees about the nature of watering hole attacks.
- Configure security software to alert users about sites containing malware.
- Keep operating systems and all software programs up to date.
- Disguise online activity with a VPN or use private web browsing features.
- Frequently examine your company’s website for malware.
- Identify popular websites for employees and verify that they’re malware-free.
