Ambushed at The Watering Hole

There’s an old joke about a student taking a test, and one of the questions is, “How do you find a hypotenuse?” After much thought, he wrote, “Look for tracks around the water hole.” (Obviously not a straight-A student…)

If you’re hunting some sort of game, it makes sense to go somewhere that the game hangs out, like the water hole or the salt lick. The digital bad guys consider you their game, and they might attempt to ambush you at the digital equivalent of a water hole.

An exploit that compromises a legitimate site is sometimes referred to as a watering-hole attack — the malicious code is planted in a part of the site that will likely get clicks.

For example, let’s say — purely hypothetically — that amazon.com was hacked. When I click a link to get more information about new DVD releases, a message pops up, stating: “Amazon needs your permission to install an app in order to improve your browsing experience.” When I click OK, the malicious code grants itself a trusted certificate (though typically not correctly signed by a trusted authority) and installs itself on my computer. The code never again has to ask my permission to run. Once you’ve granted it access, it’s in your system and can do anything it wants to.

This can be a targeted attack, aimed at a particular group of people who visit, say, a specific corporate site. This is yet another reason not to click on things that pop up, even if they are (apparently) coming from a legitimate site.

Sites that allow third-party advertising (most do) are another watering-hole danger. The main site doesn’t need to be hacked if someone can insert a malicious advertising link. I’ve seen this a lot on some news sites, for example (not malicious, just misleading). You’re reading the news of the day, and a sidebar has something that says something like “This woman was screwed by a big-box store – You’ll never guess what happened next!” or, “This one weird secret can help you lose 20 pounds!” The term for this kind of c**p is clickbait. It’s tailored to arouse your interest and “bait” you into clicking on it… whereupon you are assaulted by an advertisement, or something worse. Don’t take the bait.


For even more empowering technology info, read my new book, “Deciphering the 21st Century,” Available now!

I’d love to hear your comments!
