{"id":96681,"date":"2019-09-10T12:27:32","date_gmt":"2019-09-10T19:27:32","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=96681"},"modified":"2025-06-02T01:04:24","modified_gmt":"2025-06-02T08:04:24","slug":"how-visiting-a-trusted-site-could-infect-your-employees","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-visiting-a-trusted-site-could-infect-your-employees\/","title":{"rendered":"How Visiting a Trusted Site Could Infect Your Employees"},"content":{"rendered":"

The Artful and Dangerous Dynamics of Watering Hole Attacks<\/h2>\n

A group of researchers recently published findings of an\u00a0exploitation of multiple iPhone vulnerabilities<\/a>\u00a0using websites to infect final targets. The key concept behind this type of attack is the use of trusted websites as an intermediate platform to attack others, and it\u2019s defined as a watering hole attack.<\/p>\n

How Does it Work?<\/h2>\n

Your organization is an impenetrable fortress that has implemented every single cybersecurity measure. Bad actors are having a hard time trying to compromise your systems. But what if the weakest link is not your organization, but a third-party? That is where an \u201cisland hopping\u201d<\/em> attack can take apart your fortress.<\/p>\n

\u00a0\u201cIsland hopping\u201d was a military strategy aimed to concentrate efforts on strategically positioned (and weaker) islands to gain access to a final main land target.<\/em><\/strong><\/p>\n

One relevant instance of \u201cisland hopping\u201d is a watering hole attack. A watering hole attack is motivated by an attackers\u2019 frustration. If they cannot get to a target, maybe they can compromise a weaker secondary one to gain access to the intended one? Employees in an organization interact with third-party websites and services all the time. It could be with a provider, an entity in the supply chain, or even with a publicly available website. Even though your organization may have cutting edge security perimeter protection, the third parties you interact with may not.<\/p>\n

In this type of attack, bad actors start profiling employees to find out what websites\/services they usually consume. What is the most frequented news blog? Which flight company do they prefer? Which service provider do they use to check pay stubs? What type of industry is the target organization in and what are the professional interests of its employees, etc.?<\/p>\n

Based on this profiling, they analyze which one of the many websites visited by employees is weak and vulnerable. When they find one, the next step is compromising this third-party website by injecting malicious code, hosting malware, infecting existing\/trusted downloads, or redirecting the employee to a phishing site to steal credentials. Once the site has been compromised, they will wait for an employee of the target organization to visit the site and get infected, sometimes pushed by an incentive such as a phishing email sent to the employees. Sometimes this requires some sort of interaction, such as the employee using a file upload form, downloading a previously trusted PDF report or attempting to login on a phishing site after a redirection from the legitimate one. Finally, bad actors will move laterally from the infected employee device to the desired final target(s).<\/p>\n

\"\"<\/p>\n

Figure 1: Watering Hole Attack Dynamics<\/em><\/p>\n

Victims of a watering hole attack are not only the final targets but also strategic organizations that are involved during the attack chain. As an example, a watering hole attack was discovered in March 2019, targeting member states of the United Nations by compromising the International Civil Aviation Organization (ICAO) as intermediate target[1]<\/a>. Because the ICAO was a website frequented by the intended targets, it got compromised by exploiting vulnerable servers. Another example from last year is a group of more than 20 news and media websites that got compromised as intermediate targets to get to specific targets in Vietnam and Cambodia[2]<\/a>.<\/p>\n

Risk analysis<\/h2>\n

Because this kind of attack relies on vulnerable but trusted third-party sites, it usually goes unnoticed and is not easily linked to further data breaches. To make sure this potential threat is being considered in your risk analysis, here are some of the questions you need to ask:<\/p>\n