The purveyors of phishing attacks are finding that they can net many more prey by turning websites into so-called "watering holes" rather than first sending malicious emails directly to their targets, according to new research from security firm Websense. Researchers believe these watering hole tactics demonstrate an evolution of phishing attacks, and a sign of more targeted threats to come. The findings, released Tuesday, note a troubling emergence of targeted website compromises. Phishers bank on their targets visiting these sites so they can install malware on victims' machines that is capable of stealing personal information.

In September, Symantec researchers reported that watering-hole tactics were used to infect top-tier U.S. defense contractors' computers with malware. The attackers exploited supply chain vulnerabilities to steal information from contractors and other organizations, and were linked with the 2010 Aurora attacks on Google.

In May, researchers discovered foreign policy and human rights websites had been injected with malicious code. According to a blog post written by Patrik Runald, director of the Websense Security Labs, researchers concluded that these targeted website compromises also allow fraudsters to set the stage for traditional spear phishing attempts.

And despite the rise in watering hole techniques, email-based phishing is still plentiful, according to Websense. Research found that the United States hosted the most URLs used in phishing scams. Canada followed, with the Bahamas coming in third. The United States topped the list because more servers and computing resources are available there, Astacio said. Websense researchers also found that the most phishing emails were sent to victims on Friday, Monday and Sunday, in that order, when victims' guard is down.

Attackers sometimes send phishing emails late at night or over the weekend with URLs that appear "safe" at the time of sending, when anti-virus programs and spam filters inspect them. They then compromise the linked web pages shortly before victims read their email, so the links are already weaponised by the time they are clicked but were clean when the message was scanned. The findings also showed that the majority of email subject lines in phishing emails, four out of five, called on their victims to take immediate action. Vendors said end-user awareness training, combined with advanced technology, can be used to stave off attacks.
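The delayed-weaponisation trick described above defeats any filter that judges a URL only once, at delivery. The usual countermeasure is to rewrite links at delivery so that each click passes through a redirector that re-evaluates the destination at click time. The following is an added illustration, not Websense's code or anything from the research cited here; the signing key, the redirect host `clicks.example.invalid`, the reputation feed and the sample message are all constructed assumptions. It contrasts a delivery-time scan, which sees nothing wrong, with a click-time check against a feed that has since learned the page is malicious, and it signs the rewritten URL so the redirector cannot be abused as an open redirect.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

# Assumptions (not from the article): a per-tenant signing key and a
# hypothetical redirect host operated by the mail filter.
SIGNING_KEY = b"per-tenant-key-rotate-regularly"
PROXY_BASE = "https://clicks.example.invalid/r"

# Absolute http(s) links in double-quoted href attributes.
HREF_RE = re.compile(r'href="(https?://[^"]+)"')


def _host(url: str) -> str:
    return urlsplit(url).hostname or ""


def _sign(url: str) -> str:
    """HMAC over the original URL; a redirector that skips this is an open redirect."""
    mac = hmac.new(SIGNING_KEY, url.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).decode("ascii").rstrip("=")


def rewrite_url(url: str) -> str:
    """Wrap one link so the click is routed through the filter's redirector."""
    return f"{PROXY_BASE}?u={quote(url, safe='')}&s={_sign(url)}"


def rewrite_links(html: str) -> str:
    """Rewrite every absolute http(s) href in an HTML mail body at delivery."""
    return HREF_RE.sub(lambda m: f'href="{rewrite_url(m.group(1))}"', html)


def scan_at_delivery(html: str, reputation: dict) -> list:
    """Delivery-time check: can only flag hosts the feed already knows are bad."""
    return [u for u in HREF_RE.findall(html)
            if reputation.get(_host(u)) == "malicious"]


def resolve_click(proxied_url: str, reputation: dict):
    """Click-time check: verify the token, then judge the destination *now*."""
    qs = parse_qs(urlsplit(proxied_url).query)
    url = qs.get("u", [None])[0]
    sig = qs.get("s", [None])[0]
    if url is None or sig is None:
        return ("reject", None)
    if not hmac.compare_digest(sig.encode("utf-8"), _sign(url).encode("utf-8")):
        return ("reject", None)  # tampered or forged token
    if reputation.get(_host(url)) == "malicious":
        return ("block", url)    # page was weaponised after the mail was sent
    return ("allow", url)


def demo() -> dict:
    """Constructed scenario: clean link on Friday night, malicious by Monday."""
    mail = ('<p>Your account needs attention. '
            '<a href="http://news.example.invalid/report.pdf">Act now</a></p>')
    feed_at_delivery = {}                                   # host unknown, looks benign
    feed_at_click = {"news.example.invalid": "malicious"}   # learned after delivery

    rewritten = rewrite_links(mail)
    link = HREF_RE.search(rewritten).group(1)
    # An attacker editing the inner URL without the key invalidates the token.
    forged = link.replace("report.pdf", "evil.exe")
    return {
        "delivery_flags": scan_at_delivery(mail, feed_at_delivery),
        "click_decision": resolve_click(link, feed_at_click),
        "forged": resolve_click(forged, feed_at_click),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The delivery-time scan returns nothing because the host had no reputation when the message arrived; the same link is blocked at click time once the feed catches up, and a link whose wrapped destination has been altered is rejected outright because the HMAC no longer matches.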

Cross-posted from: SC Magazine
