A big news story always attracts big crowds. Inevitably, those crowds attract criminals looking to take advantage of the distracted and excited.
Cybercriminals are no different. They keep their finger on the pulse of trending news, using major events as a point of entry.
The recent birth of Prince George provides a perfect case study of the tactics often used and tips for avoiding hackers’ tripwire links.
The watering hole attack
As millions of people searched for the latest news on the royal baby, emails promising a “live updates” and even an exclusive “hospital-cam” were reported by Kaspersky Lab in the hours leading up to and following the birth. The links, however, pointed to a once-legitimate but recently compromised and “trojanized” website infected with a Blackhole exploit kit—an originally Russian tool that has become one of the most prevalent hacking tools in existence today. Once a victim clicks the link, it triggers the download of malware such as a Zeus trojan virus, which is designed to log keystrokes and steal banking information.
Action Fraud UK recently warned against Twitter posts promising “#RoyalBabyBoy – Exclusive Pics!” In the U.S., the Better Business Bureau issued its own warning against Facebook friends liking “exclusive” videos of the new baby that can take curious clickers to dangerous websites.
These are all popular variations of a powerfully effective tactic called a “watering hole attack,” in which hackers wait for victims to come to them instead of actively seeking them out. It’s named after the way a lion will wait for a thirsty water buffalo to inevitably arrive at a watering hole on a hot day. Then, she attacks.
Like thirsty animals, many of us are easily predictable herds in one circumstance or another. If the royal baby didn’t catch your attention, perhaps the recent controversy over Ender’s Game author Orson Scott Card’s anti-gay marriage activism did. While the royal baby was being born, malicious links disguised as CNN articles about a possible Ender’s Game boycott were inflicting the exact same watering hole attack on science-fiction fans that royal fans were enduring.
Major events such as the Super Bowl, Osama Bin Laden’s death, the Boston Marathon bombing, and the election of Pope Francis were used to push tempting links promising “exclusive” and a “new” videos in front of curious and excitable Web surfers. A single click can potentially lead to infection if the user’s anti-virus software proved out of date or inadequate—or if another program, such as Adobe Flash or Internet Explorer, was vulnerable (and they all too often are).
The scalpel approach
Using a global event such as the royal birth or Super Bowl to attack is deemed a “shotgun approach,” designed to infect millions of people around the globe. In contrast, some watering hole attacks can be targeted at specific organizations or individuals by simply adjusting the watering hole. The focused use of this tactic has been called “subtle and graceful” by Will Gragido, senior manager at RSA Security. As opposed to the shotgun, this sort of attacker is using a scalpel.
A highly sophisticated Chinese hacking group known as Elderwood was famously accused of stealing intellectual property from the likes of Google, Lockheed Martin, Dow Chemical and more in 2010’s Operation Aurora using watering hole attacks.They have continued to use the tactic with increasing frequency and effectiveness, according to Symantec. The defense industry in particular has been infected repeatedly this way in the last year.
In July 2012, RSA FirstWatch reported on an attack called VOHO that compromised government websites, banks and human rights organizations. About 32,000 individuals visited the attack site, including 4,000 unique global organizations in state and federal government, academia, defense, and technology. The attack spread a Gh0st Remote Access Trojan virus that has the ability to stealthily hijack and operate a victim’s webcam, microphone, and ultimately, entire computer.
Likewise, in February 2013, hackers compromised the widely read iOS mobile developer forum called iPhoneDevSDK and used it to infect computers at Facebook, Apple and Twitter, reported Threatpost. The attackers knew who frequented that forum and, instead of attacking them head on, laid the trap at a favorite watering hole and eventually infected three tech giants.
Increasingly, hackers are attacking websites that employees and members of target organizations simply must use for work. Just as tech employees will often have to use a popular iOS mobile developer resource, government officials, journalists, businesses, and academics often have to access the website of the Council on Foreign Relations, one of the most influential think-tanks in Washington, D.C. When it was the target of a watering hole attack in for an entire week in December 2012, aggressors used a sophisticated “0-day” attack (i.e. an previously unknown method of attack) to put a wide range of globally influential organizations at risk of infection.
Many specifically targeted organizations are running into increasingly frequent and sophisticated 0-day attacks that anti-virus programs have little to no defense against. Security officers and their employers across the private and public sectors have grown frustrated with this persistent and growing threat. Its growing use has been one of the key catalysts in the Obama administration’s increasing focus on cybercrime and war.
While the likes of Google and Lockheed Martin have a lot to worry about, members of the general public will have a much easier time staying relatively safe for the simple fact that they’re not worth as much money and effort.
The cheaper and often dated attacks targeting the public can generally be thwarted, according to the Better Business Bureau, by avoiding promotions of “exclusive” or outlandish videos or articles, always hovering over a link to make sure the URL is correct, and keeping all of your software—including anti-virus programs—up to date.
In short, be careful what you click.
Illustration by Jason Reed