How Does A Watering Hole Attack Work?
Water holing attacks originate by compromising trusted websites and infecting the computers or other devices that visit that site. A successful watering hole attack casts a wide net and has the potential to compromise a large number of users across multiple organizations. This flood of information is a double-edged sword, as attackers have to parse through a large amount of data to find information of value. Additionally, these attacks often exploit zero-day vulnerabilities, so their increased popularity means attackers are burning through zero-days faster, and companies are responding faster as well, stopping attacks earlier in the kill-chain.
These attacks are an effective tactic, that when executed properly, can deliver widespread damage on a large scale. Symantec released an excellent report describing the APT group “Hidden Lynx”, who the report describes as the inventors of the watering hole technique. The report details last year’s VOHO campaign, which targeted iOS developers, and impacted users at Facebook, Apple, and Twitter – showing the power of a water holing.
The Danger Of Indiscriminate Watering Hole Attacks
Instead of viewing indiscriminate watering-hole attacks as a replacement for spear phishing, they can be seen as an additional tool at adversaries’ disposal, which is what makes it so dangerous. Like all tools, spear phishing and watering hole attacks have specific strengths and weaknesses that suit them well for certain jobs while making them limited in other situations.
As described above, watering hole attacks gather huge amounts of data that attackers will have to sift through for useful information, thus slowing down their ability to take additional malicious action.
Spear phishing, on the other hand, offers attackers the ability to focus more on specific targets and information. A successful spear phishing attack provides immediate access to a target’s systems. Given the amount of readily available information on organizations and their employees on the Internet, attackers can easily identify targets and craft seemingly genuine emails that will provide gateways to specific systems and ultimately data. Spear phishing can exploit zero-days to drop malware on a host, but it doesn’t rely on vulnerabilities. Simple social engineering tactics have allowed groups such as the Syrian Electronic Army to carry out a multitude of high-profile attacks.
“Spear phishing offers attackers the ability to focus more on specific targets and information.”
Anecdotal evidence continues to highlight spear phishing as the source of most high-profile breaches. As previously mentioned, spear phishing is the attack method of choice for the Syrian Electronic Army. Brian Krebs also reported that the Target breach started with a spear phishing email that unloaded malware and stole login credentials from Target vendor Fazio Mechanical.
The fact that news reports around watering hole attacks are stating “watering-hole usage” rather than “company x compromised by watering hole attack” indicates that either companies aren’t discussing successful campaigns, or that the attackers are still refining their tactics. Even if they are successful, the attackers may be inundated with information and are still deciding whether they have found anything useful.
There’s no denying that watering-hole attacks are making an impact, but the idea that it is replacing spear phishing is erroneous. While Symantec’s 2014 Internet Security Threat Report notes a decrease in the overall volume of spear phishing emails, the number of campaigns increased by 91%. Adversaries aren’t turning away from spear phishing as an attack method; instead they are sharpening the focus of their attacks. Symantec attributes this to growing user awareness (we’d like to take some credit for that), but it is probably also due to the dynamics discussed above.
For casting a wider net intended to compromise a large number of users, watering-hole attacks are an effective tactic, but for a highly focused attack seeking specific information, a well-crafted spear phish is still an adversary’s best weapon.