What is a watering hole attack?


Most hacks start with a victim who makes some mistake, whether it’s entering a password on a scam site or accidentally downloading a malicious attachment on a work computer. But one particularly sinister technique begins with simply visiting a real website. These are known as watering hole attacks, and in addition to being a long-standing threat, they’ve been behind a number of recent well-known incidents.

The most infamous watering hole attack in recent memory came to light in 2019, after targeting iPhone users in China’s Uyghur Muslim community over two years. But threat intelligence researchers stress that the technique is quite popular, possibly because it’s so powerful and effective. Internet security firm ESET says it detects multiple watering hole attacks each year, and Google’s Threat Analysis Group (TAG) detects multiple attacks per month.

The name comes from the idea of poisoning a central source of water, then infecting anyone who drinks from that source. Relatedly, it also conjures up a predator lurking near a watering hole waiting for prey to drop by. Watering hole attacks can be difficult to detect because they often work so quietly on legitimate websites that the owner may not notice anything wrong. And even when discovered, it’s often unclear exactly how long an attack has been going on and how many victims there are.

“Suppose the attackers were hunting pro-democracy activists,” said Google’s TAG director Shane Huntley. “They can hack a democracy activist’s website knowing that all these potential targets will visit. That removes the important step of the target having to do something or being fooled. Instead of targeting activists with something they actually have to click on, which can be hard because they’re so hard, you can go somewhere they’ve been and skip immediately to the part where you’re actually exploiting people’s devices.”

For example, earlier this month, TAG published the findings of a watering hole attack that hacked the websites of several pro-democracy political groups and media outlets in Hong Kong to target visitors using Macs and iPhones. Based on the evidence gathered, TAG was unable to determine for certain how long the attacks had been going on or how many devices were affected.

Watering hole attacks always have two types of victims: the legitimate website or service that an attacker infiltrates to embed their malicious infrastructure, and the users who are then compromised when they visit. Attackers are increasingly skilled at reducing their footprint, using the compromised website or service as just a conduit between the victim and malicious external infrastructure, without any visible signs that make it clear to the user that anything is amiss. That way attackers don’t have to build everything within the compromised site itself. Conveniently for hackers, this makes attacks easier to set up and harder to track.

To turn visiting a website into a real attack, attackers need to be able to exploit software flaws on the victim’s device, usually a chain of vulnerabilities starting with a browser bug. This gives attackers the access they need to install spyware or other malware. If hackers really want to cast a wide net, they will set up their infrastructure to exploit as many types of devices and software versions as possible. However, the researchers point out that while the attacks appear indiscriminate, hackers are able to target victims more precisely by device type or browser, or by using other information collected, such as which country their IP address comes from.
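Because the compromised site is often only a conduit, the injected code is typically a single script or iframe that loads from attacker-controlled infrastructure. The following added example (not from the article or from TAG or ESET) is a site-owner check that parses a page and flags any script or iframe loader whose host is not on the site’s own allowlist; the HTML, hostnames and allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a legitimate site whose HTML has had a conduit
# script and a one-pixel iframe injected (hostnames are placeholders).
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-site.org/lib.js"></script>
<script src="https://stats.not-our-cdn.invalid/c.js"></script>
</head><body>
<iframe src="https://loader.not-our-cdn.invalid/f.html" width="1" height="1"></iframe>
<script>var x = 1;</script>
</body></html>"""

# Hosts the site owner knows it legitimately loads code from (assumed).
ALLOWED_HOSTS = {"cdn.example-site.org"}

class LoaderCollector(HTMLParser):
    """Collect every script/iframe src and count inline scripts."""
    def __init__(self):
        super().__init__()
        self.loaders = []        # list of (tag, src)
        self.inline_scripts = 0  # inline <script> blocks, for separate review

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src is None:
            if tag == "script":
                self.inline_scripts += 1
            return
        self.loaders.append((tag, src))

def find_unexpected_loaders(html, allowed_hosts):
    """Return (tag, src) pairs whose host is absent from the allowlist.
    Relative URLs resolve to the site itself and are not flagged;
    protocol-relative URLs (//host/x) still yield a host and are checked."""
    parser = LoaderCollector()
    parser.feed(html)
    suspicious = []
    for tag, src in parser.loaders:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            suspicious.append((tag, src))
    return suspicious

if __name__ == "__main__":
    for tag, src in find_unexpected_loaders(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"unexpected {tag} loader: {src}")
```

Run it against a crawl of the site on a schedule and diff the output against a known-good baseline; a newly appearing external host is the kind of quiet change the article says owners tend to miss.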
