



Watch out for waterhole attacks — hackers’ latest stealth weapon

May 21, 2013 | 4 mins
Data and Information Security, Hacking, Malware

It's time to learn about waterhole attacks, where sites with tailored malware await visits by certain companies' employees

The bane of the computer security world is how long it takes to recognize and respond to new attack paradigms. Name a major threat — the boot virus, macro virus, email attachment, or Web JavaScript redirect — and it seems to take years to respond adequately.

So here’s an early warning: Waterholes should be on your radar.


In waterhole attacks, the bad guys poison a website frequented by you and/or your company with the express goal of compromising your environment. Either the hacker maliciously modifies the website code itself so that malware is sprung on the user or some desired object on the website is poisoned. For example, hackers may maliciously modify a trusted applet, and when downloaded by visitors, it opens a backdoor or installs other malware.

It’s like targeted spear phishing, only without the email.

Waterholes have already compromised high-profile companies, including Twitter, Microsoft, Facebook, and Apple. These sorts of attacks are tailored to the victim, down to the computer platform. Assuming you’re safe because your computer platform isn’t attacked as commonly as others will just lull you into a false sense of security.

Waterhole attacks actually started years ago. My favorite real-life example: Hackers uploaded a few dozen admin tools to popular open source websites, which were downloaded and used by hundreds of thousands of website administrators. One of the most popular tools was a website admin console; another was a Web page visitor counter. Both contained a simple URL that loaded a small logo along with the applet. The author’s open source contract said that anyone could use and modify the applet as needed, as long as the URL was left intact in original form without modification. Harmless enough — or so everyone thought and so it seemed for many months.

Then one day the URL pointing to the logo graphic ended up pointing to a JavaScript redirection link instead, which prompted visiting users to install malware. It was pure evil genius. By changing what the URL was pointing to, tens of thousands of users were instantly infected on their next visit.

But even this trick isn’t new. Decades ago, one of Unix’s original creators gave away a backdoor-encoded log-on screen, which thousands downloaded and used. Thus, he made the point — at a huge public conference, no less — that you can’t trust code you don’t write yourself. Decades later, we still haven’t learned the lesson.

The difference is that these sorts of attacks used to be fairly rare. Now I’m hearing about them and seeing them pop up weekly. Perhaps it’s just one sophisticated APT (advanced persistent threat) group using them, but success breeds followers. You can bet that all the world’s full-time cyber criminals are paying attention.

How to defend against waterholes

Waterhole exploits can crop up on popular websites or even on poisoned Wi-Fi hotspots located near your company. How do you defend against a threat that isn’t inside your network, whose assets you can’t control?

Start by making your users — especially those with access to critical infrastructure and data — aware of waterhole attacks. They are the prime targets. Just as we had to make people aware that their favorite website might serve up fake antivirus software, so too must we now warn them about waterhole attacks.

Education is a start, but we need effective detection and prevention controls, too. Start by monitoring the top 100 websites favored by the employees responsible for your critical infrastructure. Some might see this as a privacy invasion, but you don’t need to tie the websites to particular employees.

Inspect those websites for malicious coding on an ongoing basis. If your monitoring system detects maliciousness, block the traffic (and possibly warn the user). If the website continues to host malicious links, block the site. If the site is needed and desired by employees, contact the website’s admins and let them know they have a malware problem.
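One way to implement that monitoring loop (an added example, not from the original article): rank visited hosts from proxy logs while discarding the user column, then compare every resource a page loads against a recorded baseline, which flags a logo URL that keeps its address but changes what it serves. The log format, host names, resource bodies, and the idea that fetching happens elsewhere are all assumptions.

```python
import hashlib
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed proxy log lines ("user url"); every host is a placeholder.
PROXY_LOG = """\
alice https://tools.example.org/console
bob https://tools.example.org/counter
carol https://news.example.net/
"""

def top_sites(log, n):
    """Rank hosts by visits; the user column is dropped, so nothing is tied to an employee."""
    hosts = Counter(urlparse(line.split()[1]).hostname for line in log.splitlines())
    return [host for host, _ in hosts.most_common(n)]

class SrcCollector(HTMLParser):
    """Collect (tag, src) for elements that make the browser fetch a resource."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.found.append((tag, src))

def inspect_page(html, fetched, baseline):
    """Compare a page snapshot ({url: body}) with its baseline ({url: sha256})."""
    collector = SrcCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.found:
        body = fetched[url]
        if url not in baseline:
            findings.append(("new-resource", url))
        elif hashlib.sha256(body).hexdigest() != baseline[url]:
            findings.append(("content-changed", url))
        # An <img> source should start with PNG, GIF or JPEG magic bytes.
        if tag == "img" and not body.startswith((b"\x89PNG", b"GIF8", b"\xff\xd8")):
            findings.append(("img-not-image", url))
    return findings

# Constructed snapshots: the logo URL is unchanged, but what it serves is not.
LOGO = "https://cdn.example.com/logo.png"
PAGE = f'<img src="{LOGO}"><script src="/app.js"></script>'
KNOWN_GOOD = {LOGO: b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "/app.js": b"init();"}
BASELINE = {u: hashlib.sha256(b).hexdigest() for u, b in KNOWN_GOOD.items()}
TODAY = {**KNOWN_GOOD, LOGO: b"<script>/* constructed placeholder */</script>"}
if __name__ == "__main__":
    print(top_sites(PROXY_LOG, 2), inspect_page(PAGE, TODAY, BASELINE))
```

Findings from a run like this would feed the block-or-notify decision described above; a legitimate site redesign also changes hashes, so a "content-changed" result calls for review before blocking.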

We all have our favorite watering holes. Unfortunately, it’s up to us to be the bouncer if the owner isn’t handling the job.



Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
