Watering Hole Attacks

Forbes.com Watering Hole Attack
(shows you can lead a horse to water & make him drink!)

The news that Forbes website was compromised in November leading to thousands of its customers being potentially infected with malware, has provided a wake-up call for us all.

The term watering hole attack refers to the idea that the cybercriminals identify. Websites that will appeal to the demographic that they are intent on exploiting.

Potentially, your customers. The analogy being the obvious one of a predator, (in this case Malware), lying in wait for its prey by a frequently visited watering hole (Your website). I’m sure you worked that one out for yourself.

The exploit relies on the fact that often the company website is poorly defended, and it will be relatively easy to find an exploitable weakness in the security of the site or the underlying code. The perpetrators insert their malware, and the popularity of your website and your SEO effort will do the rest.

In the case of Forbes, (Invincea and iSight Partners said in their joint report), the attack exploited two zero-day vulnerabilities. One in Microsoft’s Internet Explorer, and the other in Adobe’s Flash Player.
Adobe fixed the flaw back in December and Microsoft updated Internet Explorer as part of its Patch Tuesday release.

The exploit appears to have been targeting senior executives, managers and professionals in the defence and financial services industries.
The very fact that two zero day vulnerabilities were used indicates that this attack was a serious attempt at compromising these high value users of Forbes website, zero day vulnerabilities suggest the attacker was sophisticated and determined, the use of two zero day vulnerabilities emphasises just how determined they were in pursuing their quarry.

The malware infection was inside the “Thought of the Day” Flash widget, which appears whenever users try to access a Forbes.com page. Visitors didn’t need to do anything other than to try to load Forbes.com in their browser to get infected. It is probable this campaign focused on cyber-espionage, not cybercrime.

It is a fact Watering hole attacks are insidious, because it wouldn’t occur to anyone that these sites could be infected.

Of course the Forbes incident was the top of the tree as far as these things go, but it does emphasise that everyone is at risk. You should realise that it is common practice for criminals to infect legitimate websites, that’s your business website, with the aim of passing on malware to your potential clients.

Forbes probably have a whole department dedicated to the upkeep of their website, you probably speak to your web designer a couple of times a year. Little wonder that because the scripts and coding that underlie the site are rarely updated or patched that they are wide open to this sort of attack.

WordPress based websites are notoriously insecure, not surprising as they make up such a big proportion of published websites, but so are most other platforms. So what is the answer? Well we would suggest you speak to an IT company who understand just how significant security is to your business. Some one that gets the bigger picture.
Your customers come to you because they want your products and trust you. It is in your interest to make sure that in visiting your site, the only thing your customers leave with are an enduring good impression of your organisation.