Catching predators at watering holes: finding and understanding strategically compromised websites

Unlike a random, run-of-the-mill website infection, in a strategic web attack, the adversary carefully chooses the target frequently visited by an organization or a group of individuals to compromise, for the purpose of gaining a step closer to the organization or collecting information from the group. This type of attacks, called "watering hole", have been increasingly utilized by APT actors to get into the internal networks of big companies and government agencies or monitor politically oriented groups. With its importance, little has been done so far to understand how the attack works, not to mention any concrete step to counter this threat. In this paper, we report our first step toward better understanding this emerging threat, through systematically discovering and analyzing new watering hole instances and attack campaigns. This was made possible by a carefully designed methodology, which repeatedly monitors a large number potential watering hole targets to detect unusual changes that could be indicative of strategic compromises. Running this system on the HTTP traffic generated from visits to 61K websites for over 5 years, we are able to discover and confirm 17 watering holes and 6 campaigns never reported before. Given so far there are merely 29 watering holes reported by blogs and technical reports, the findings we made contribute to the research on this attack vector, by adding 59% more attack instances and information about how they work to the public knowledge. Analyzing the new watering holes allows us to gain deeper understanding of these attacks, such as repeated compromises of political websites, their long lifetimes, unique evasion strategy (leveraging other compromised sites to serve attack payloads) and new exploit techniques (no malware delivery, web only information gathering). Also, our study brings to light interesting new observations, including the discovery of a recent JSONP attack on an NGO website that has been widely reported and apparently forced the attack to stop.

[1]  Vern Paxson,et al.  When Governments Hack Opponents: A Look at Actors and Technology , 2014, USENIX Security Symposium.

[2]  Eric Michael Hutchins,et al.  Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains , 2010 .

[3]  Martín Abadi,et al.  deSEO: Combating Search-Result Poisoning , 2011, USENIX Security Symposium.

[4]  Charu C. Aggarwal,et al.  Outlier Analysis , 2013, Springer New York.

[5]  Aurélien Francillon,et al.  The role of web hosting providers in detecting compromised websites , 2013, WWW '13.

[6]  Tyler Moore,et al.  Identifying Risk Factors for Webserver Compromise , 2014, Financial Cryptography.

[7]  Paolo Milani Comparetti,et al.  EvilSeed: A Guided Approach to Finding Malicious Web Pages , 2012, 2012 IEEE Symposium on Security and Privacy.

[8]  Josef Kittler,et al.  Financial Cryptography and Data Security , 2012, Lecture Notes in Computer Science.

[9]  Leyla Bilge,et al.  Industrial Espionage and Targeted Attacks: Understanding the Characteristics of an Escalating Threat , 2012, RAID.

[10]  Christopher Krügel,et al.  Delta: automatic identification of unknown web-based infection campaigns , 2013, CCS.

[11]  Giovanni Vigna,et al.  Prophiler: a fast filter for the large-scale detection of malicious web pages , 2011, WWW.

[12]  Adam Senft,et al.  Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware , 2014, USENIX Security Symposium.

[13]  Christos Faloutsos,et al.  LOCI: fast outlier detection using the local correlation integral , 2003, Proceedings 19th International Conference on Data Engineering (Cat. No.03CH37405).

[14]  Zhou Li,et al.  Hunting the Red Fox Online: Understanding and Detection of Mass Redirect-Script Injections , 2014, 2014 IEEE Symposium on Security and Privacy.

[15]  Engin Kirda,et al.  A Look at Targeted Attacks Through the Lense of an NGO , 2014, USENIX Security Symposium.

[16]  Tyler Moore,et al.  Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing , 2009, Financial Cryptography.

[17]  Tyler Moore,et al.  Measuring and Analyzing Search-Redirection Attacks in the Illicit Online Prescription Drug Trade , 2011, USENIX Security Symposium.

[18]  Hans-Peter Kriegel,et al.  LOF: identifying density-based local outliers , 2000, SIGMOD '00.

[19]  Davide Balzarotti,et al.  Behind the Scenes of Online Attacks: an Analysis of Exploitation Behaviors on the Web , 2013, NDSS.

[20]  Anthony Lai,et al.  Evidence of Advanced Persistent Threat: A case study of malware for political espionage , 2011, 2011 6th International Conference on Malicious and Unwanted Software.

[21]  Fang Yu,et al.  Finding the Linchpins of the Dark Web: a Study on Topologically Dedicated Hosts on Malicious Web Infrastructures , 2013, 2013 IEEE Symposium on Security and Privacy.