Wednesday, 17 April 2013

Beware The Watering Hole

Like any field of science or engineering, information security (infosec) is littered with three-letter abbreviations (TLAs) and buzzwords.  In infosec we also like to try to name the various types of attacks.  We hope that these names use an analogy that makes the essence of the attack clear, but sometimes, whilst the analogy can help describe the essence of the attack, it can miss some important detail.

One important type of attack whose name has been coined recently is the "Watering Hole Attack".  The idea was that it was supposed to conjure up visions of lions waiting at the watering hole for their prey.

Typically, these are targeted attacks as opposed to the scatter gun method used in many phishing attacks. Hence, they are used against groups of people who are quite resistant to phishing attacks.

The attack assumes that the attacker can place some form of malware on a legitimate site.  Not a trivial task, but with enough research an attacker can find a soft target which many of the target group use.  That soft target is easier to compromise than the mainstream systems that the group use.

Here I've tried to give a high level description of how these attacks work. The key steps in an attack are:
  1. The victim visits a compromised website.
  2. This website, typically through an injected JavaScript element, redirects the visiting browser to an exploit site.
  3. This exploit site checks what software the visiting machine is running and runs a suitable exploit.  One of the most successful exploits relied upon a vulnerability in Java.

The basic modus operandi of the attack is not unique. Drive-by downloads use something similar by redirecting to exploit sites using, for example, IFrames.
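
For the owner of a site that could be used this way, the injected element in step 2 (or the IFrame variant) shows up in the served markup as a script or iframe loaded from a host the owner never deployed. The following is an added example, not part of the original post: a Python audit of one page against an allowlist of expected hosts. The host names, the allowlist and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two expected scripts, one unexpected script,
# and one near-invisible iframe pointing at an unexpected host.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script src="//stats.unexpected.example/c.js"></script>
</head><body>
<iframe src="http://landing.unexpected.example/" width="1" height="1"></iframe>
</body></html>"""

def _looks_hidden(attrs):
    """True if an iframe is sized or styled so a visitor would not see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

class ActiveContentAudit(HTMLParser):
    """Records script/iframe sources served from hosts outside the allowlist."""

    def __init__(self, page_host, expected_hosts):
        super().__init__()
        self.page_host = page_host
        self.expected = {h.lower() for h in expected_hosts} | {page_host.lower()}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return  # inline script: needs content review, not covered here
        # Relative URLs have no hostname and resolve to the page's own host.
        host = urlparse(src).hostname or self.page_host.lower()
        if host not in self.expected:
            hidden = tag == "iframe" and _looks_hidden(attrs)
            self.findings.append((tag, host, hidden))

def audit(html, page_host, expected_hosts):
    """Return (tag, host, hidden_iframe) for each unexpected external load."""
    parser = ActiveContentAudit(page_host, expected_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE, "www.example.org", {"cdn.example.org"}):
        print(finding)
```

Run against each published page on a schedule, any finding means the served content has drifted from what was deployed and should be compared with the source of record.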

However, the psychology behind its success is subtle. It works on the basis that individuals will naturally trust, and as a group we develop strong trust, even when something is outside our group.

I suspect that we'll hear more of this style of attack, and that it will become a major theme in the attacks over the coming year.