If your clients think they are too small to come under malware attack, think again. With malicious cross-site scripting, those under-protected businesses become the lure to bigger fish.
By Ellen Muraskin
September 05, 2013
Small businesses often make the mistake of under-protecting their websites from malware, assuming that on the grand scale of industrial espionage, they’re too unimportant to rate hackers’ time. That laxity is precisely what makes their sites prime targets for “watering hole attacks.” Hackers aren’t planting malware there to dig out the SMB’s own paltry trade secrets, however. They’re after bigger game in that site’s visitors: people from large, otherwise impregnable organizations who might be the SMB’s customers, lawyers, or suppliers.
Some fairly simple cross-site scripting allows that site to infect the desktops of these unsuspecting visitors, giving hackers network access to information, or the potential to do harm, on higher-profile targets. When discovered, this can wreak havoc on the SMB’s reputation and Google rankings; the site can even become blacklisted by search engines and known-threat databases.
In 2011, Nasdaq’s Directors Desk—a document-sharing utility written for the board of directors of Nasdaq’s partner firms—became a watering hole that spied on corporate executives. Richard Stiennon, chief research analyst at IT-Harvest, a security analyst firm, says, “It happens everywhere. Nasdaq did their risk analysis for their trading platform [which was not compromised]. Then some other team, say marketing, says, ‘Let’s build this tool to help promote Nasdaq.’ They go off and build this website without Nasdaq’s IT security guys’ oversight.” The target here was not the trading platform, but the high-net-worth individuals who sit on partner firms’ boards of directors.
HUNTING THE BIG GAME
Watering hole attacks can also take the form of “spear phishing.” Here, attackers harpoon targeted individuals—for example, law firm partners or engineers—with personalized emails that suggest a useful link. The link turns out to be the spear phisherman’s convincing counterfeit site, from which he reels in the entered passwords and user IDs.
To determine if their clients’ sites are vulnerable to watering hole attacks, channel pros should refer them to scan services; Stiennon says there are 130 different vendors in this space and names two: Qualys and the smaller Beyond Security. Also, install a Web application firewall to prevent malicious code from being injected in the first place. Imperva is an example here.
And to prevent clients’ employees from unwittingly visiting these poisoned wells, Stiennon advises using URL filtering to wall off sites that are known to be infected, or whole categories or countries of sites your employees don’t need to see. In addition, deploy secure Web gateways, which block executables in incoming traffic. These, along with anti-virus gateways, are typical features of a unified threat management (UTM) solution, such as those sold by Dell SonicWall, Fortinet, WatchGuard, and Palo Alto Networks.
Ron Culler, CTO of Greensboro, N.C.-based Secure Designs Inc., an Internet security MSP, notes that many if not most channel pros’ clients run their websites on hosted platforms. Here, the task is to educate and perform due diligence: Make sure they (or you, in their service) ask the right questions of these hosts and site designers.
“Do you have Web application firewalls? What do you do when new threats are detected? How fast do you patch systems? Does your site share a server with other sites? And, who’s watching?” Just like a home security service, if an alarm is tripped but nobody does anything about it, it doesn’t do you any good, he says.