Catching Predators at Watering Holes: Finding and Understanding Strategically Compromised Websites


Unlike a random, run-of-the-mill website infection, in a strategic web attack, the adversary carefully chooses the target frequently visited by an organization or a group of individuals to compro- mise, for the purpose of gaining a step closer to the organization or collecting information from the group. This type of attacks, called “watering hole”, have been increasingly utilized by APT ac- tors to get into the internal networks of big companies and gov- ernment agencies or monitor politically oriented groups. With its importance, little has been done so far to understand how the attack works, not to mention any concrete step to counter this threat. In this paper, we report our first step toward better understand- ing this emerging threat, through systematically discovering and analyzing new watering hole instances and attack campaigns. This was made possible by a carefully designed methodology, which re- peatedly monitors a large number potential watering hole targets to detect unusual changes that could be indicative of strategic com- promises. Running this system on the HTTP traffic generated from visits to 61K websites for over 5 years, we are able to discover and confirm 17 watering holes and 6 campaigns never reported before. Given so far there are merely 29 watering holes reported by blogs and technical reports, the findings we made contribute to the re- search on this attack vector, by adding 59% more attack instances and information about how they work to the public knowledge. Analyzing the new watering holes allows us to gain deeper un- derstanding of these attacks, such as repeated compromises of po- litical websites, their long lifetimes, unique evasion strategy (lever- aging other compromised sites to serve attack payloads) and new exploit techniques (no malware delivery, web only information gath- ering). Also, our study brings to light interesting new observations, including the discovery of a recent JSONP attack on an NGO web- site that has been widely reported and apparently forced the attack to stop.

The 32nd Annual Computer Security Applications Conference (ACSAC)