What are Watering Hole Attacks?

Targeted web attacks use software to decide which potential victims should actually be attacked. If a visitor is a specific target, or matches a target profile, the attack is launched, otherwise nothing happens.

Protecting Against Targeted Web Attacks

Targeting makes attacks more likely to succeed. Consider the Nigerian prince scams or the fake bank “confirm your email” tricks: they are obviously bogus even to a casually security-aware user. In many cases a phishing message will talk about accounts with websites you have never visited. A targeted attack takes advantage of available knowledge about the target. Messages are specific and plausible, mentioning real accounts or actual meetings and activities.

Targeting takes advantage of the slowest evolving part of security infrastructure, the human brain.

The second reason attackers like highly targeted attacks is that it keeps their tools from being discovered, and subsequently detected, for as long as possible. A new zero-day exploit might cost an attacker upwards of $50,000. Once a patch is released, the effectiveness of the attack plummets. Security researchers are constantly watching honeypot email accounts and scanning the web for new kinds of attacks, which they immediately report and for which they create anti-malware signatures.

Sophisticated attackers have realized that if they only attack a small number of high value targets, their exploit is much less likely to be noticed, so they are able to continue their attacks successfully and undetected for a long time.

Targeted watering hole attacks are a perfect example of this. The attacker compromises a website frequented by a population of interest, installing code that profiles every visitor. When one of the desired targets is seen, the code launches an attack on the browser, infecting the user’s computer. In a recent case, Forbes.com was compromised and the attackers specifically went after DoD personnel and Chinese dissidents.

Fortunately there is a flip side to this targeting. Because attackers design their tools to go after only a specific list of victims, identity masking prevents the attacks completely. If a targeted user appears to be a generic website visitor, the attack will lie silent, waiting for a recognized victim.

Passages protects users by masking their IP address using the Passages VPN and by removing all tracking code (along with all malware) when restarting the Passages Virtual Machine. Without the IP address or any other tracking data, the user can’t be identified or targeted. To the attacker, they look like just one of the herd.