New phishing tactic: Infect sites and wait for catch

The purveyors of phishing attacks are finding that they can net many more prey by turning websites into so-called "watering holes" rather than first sending malicious emails directly to their targets, according to new research from security firm Websense.

Researchers believe these watering hole tactics demonstrate an evolution of phishing attacks -- and a sign of more targeted threats to come.

The findings, released Tuesday, note a troubling emergence of targeted website compromises. Phishers bank on their targets visiting these sites so they can install malware, capable of ripping off personal information, on victims' machines.

Chris Astacio, manager of security research at Websense, told SCMagazine.com on Tuesday that the individuals behind watering hole attacks may be nation-states, considering they have gone after government and other high-level websites in the past.

“It could be nation-states given the fact that [those sites have] been injected,” Astacio said. “Or it could just be someone who is interested in gathering information on their victims. They may be looking to exfiltrate information to sell on the underground market. It all depends on the type of website being targeted.”

In September, Symantec researchers reported that watering-hole tactics were used to infect top-tier U.S. defense contractors' computers with malware. The attackers exploited supply chain vulnerabilities to steal information from contractors and other organizations, and were linked with the 2010 Aurora attacks on Google.

In May, researchers discovered foreign policy and human rights websites had been injected with malicious code.

According to a blog post written by Patrik Runald, director of the Websense Security Labs, researchers concluded that these targeted website compromises allow fraudsters to also set the stage for traditional spear phishing attempts.

“Attacks of this nature may be a way for nation-states to garner additional information from a select audience without having to know [in the first place] the contact information...[of a] target,” Runald wrote. “This could be considered reconnaissance leading to more specific targeting and a more traditional spear phish attempt.”

And despite the rise in watering hole techniques, email-based phishing still is plentiful, according to Websense. Research found that the United States hosted the most URLs used in phishing scams. Canada followed, with the Bahamas coming in third. The United States topped the list due to more servers and computing resources being available, Astacio said.

Websense researchers also found that the most phishing emails were sent to victims on Friday, Monday and Sunday, respectively, when victims are less on guard.

Attackers sometimes send phishing emails late at night or over the weekend with URLs that appear “safe.” Then, to evade detection by anti-virus programs or spam filters, they infect the web pages right before victims access their email.

The findings also showed that the majority of email subject lines in phishing emails -- four out of five -- called on their victims to take immediate action. 

Vendors said end-user awareness training, combined with advanced technology, can be used to stave off attacks.

 
