Broader spearphishing campaigns and watering-hole attacks look to compromise and gather intelligence on broader classes of targets

Dark Reading Staff, Dark Reading

January 10, 2013

In the final days of 2012, a group of attackers used exploits for a zero-day vulnerability in Internet Explorer to attempt to exploit the machines of visitors to the Council on Foreign Relations website.

The strategy, known as a watering hole attack, looks to compromise the systems of individuals with certain interests or who work in specific fields by launching drive-by attacks from websites that cater to those fields. While the CFR attack included an exploit for a previously unknown flaw in Internet Explorer, the incident is also notable because it continues a trend toward less focused targeted attacks, security researchers say.

"Waterhole attacks are interesting because they are targeted attacks that are less targeted," says Patrik Runald, senior security research manager with Internet security firm Websense. "Maybe the targeted attack over e-mail didn't work, or they don't know who in the organization -- or even which organization -- is of interest, so ... they throw a wider net and compromise a website that has the audience that they are interested in."

Spearphishing is a much more focused effort that works in many cases, but when there is a lack of information or the need to evade e-mail-focused defenses, waterhole attacks may be preferred. In many cases, attackers will combine the attacks, says Scott Gréaux, vice president of product management and services at security-education firm PhishMe.

"In a targeted attack against a particular organization, attackers will still use the traditional spearphishing model, but leverage the waterhole technique to evade some of the additional defenses that are in the security stack."

The broadening of targeted attacks is one of the trends that security researchers see for the coming year. Other trends include the use of victims' security concerns to convince them to click on a link in an e-mail, and the finding that more than a third of attacks occur on Friday to hinder any response to the incident, according to an October report by Websense.

The changes are mainly driven by attackers' need to foil digital defenses, says Robert Hansen, CEO of hardened-hosting provider Falling Rock Networks.

"Over the last five years, the anti-phishing filters have made it harder for phishers to spoof e-mails, so they are having to take different approaches," Hansen says. "It does not change the attack all that much, but it does change the tricks."

Watering hole attacks are the latest trick. While some researchers argue that the concepts behind watering hole attacks are not new, the modern version of the attack is relatively recent. In 2010, several attacks compromised specialized websites to host attack code, according to Websense. In its Elderwood Project research paper on likely nation-state attacks, Symantec found that, starting in 2009, attackers increasingly used compromised Web sites to focus on populations of interest, rather than just individuals. In the latest incident, for example, the attackers likely netted some government workers and think-tank analysts by compromising the Council on Foreign Relations website.

In addition, spearphishing and waterhole campaigns will likely focus increasingly on smaller businesses, especially those that supply services to larger companies, says Paul Wood, cybersecurity intelligence manager with security firm Symantec.

"Small to [midsize] businesses are the weaker link in the supply chain," Wood says. "Those businesses do not have the same intrusion prevention and intrusion detection technologies as the large enterprises."

The attacks add a level of indirectness that can help attackers hide their intentions, especially if they initially aim at a smaller contractor or service provider, Falling Rock's Hansen says.

"If you directly try to attack any target, the chances that you get caught are way, way higher, but if you focus on a third party who is a contractor and has a forum where they hang out, it is less likely that anyone will attribute the attack to a targeted effort," he says.

Companies should harden their end-user systems against compromise by keeping them updated, using the latest -- and, ostensibly, the most secure -- version of an acceptable browser, and removing any plug-ins or other third-party software that could create more holes to be exploited by an attacker.

On the network side, companies should be looking at checking for malicious content before allowing a Web page to run code inside their networks, says Websense's Runald. Reputation systems, which have become popular in the past two years, are not agile enough to respond to a legitimate Web site that becomes compromised. Instead, checking content in real time is necessary, he says.

"It must be done at the point of click and not at the point of entry [into a reputation system]," Runald says, "because we have seen content change between going into the system and the time a user clicks on it."
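
The gap between point of entry and point of click, as an added example that is not from the article or from any vendor named in it: a cached reputation verdict keeps saying "allow" for a page whose content has since changed, while a check of the content served at click time notices the difference. The heuristic used here (a script or frame host that was not present when the verdict was recorded) and all names, URLs and page bodies are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ActiveContentHosts(HTMLParser):
    """Collect the hosts a page pulls <script>/<iframe> content from."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            # Relative URLs have no hostname: they load from the page's own host.
            self.hosts.add((urlparse(src).hostname or self.page_host).lower())


def active_hosts(url, html):
    parser = ActiveContentHosts(urlparse(url).hostname)
    parser.feed(html)
    parser.close()
    return parser.hosts


def reputation_verdict(url, cache):
    """Point-of-entry model: the answer depends only on the stored verdict."""
    return cache.get(url, {}).get("verdict", "unknown")


def click_time_verdict(url, html_now, cache):
    """Point-of-click model: inspect the content being served right now."""
    baseline = cache.get(url, {}).get("hosts", set())
    new_hosts = active_hosts(url, html_now) - baseline
    return ("inspect" if new_hosts else "allow"), new_hosts


# Constructed sample data (hypothetical site and hosts, not from the article).
URL = "http://think-tank.example/index.html"
PAGE_AT_ENTRY = ('<html><script src="/js/site.js"></script>'
                 '<script src="//cdn.example/lib.js"></script></html>')
PAGE_AT_CLICK = PAGE_AT_ENTRY.replace(
    "</html>", '<iframe src="http://unrelated-host.example/news.html"></iframe></html>')

# Verdict and baseline recorded when the URL entered the reputation system.
CACHE = {URL: {"verdict": "allow", "hosts": active_hosts(URL, PAGE_AT_ENTRY)}}

if __name__ == "__main__":
    print(reputation_verdict(URL, CACHE))                 # stale cached answer
    print(click_time_verdict(URL, PAGE_AT_CLICK, CACHE))  # content-based answer
```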

While Websense does not have independent data on how many companies are dynamically checking Web pages, about one in five PhishMe customers use technology to prefetch Web pages before delivering them to the user, Gréaux says.
