So here's an early warning: Waterholes should be on your radar.
In waterhole attacks, the bad guys poison a website frequented by you and/or your company with the express goal of compromising your environment. Either the hacker maliciously modifies the website code itself so that malware is sprung on the user, or some desired object on the website is poisoned. For example, hackers may maliciously modify a trusted applet so that, when visitors download it, it opens a backdoor or installs other malware.
It's like targeted spear phishing, only without the email.
Waterholes have already compromised high-profile companies, including Twitter, Microsoft, Facebook, and Apple. These sorts of attacks are tailored to the victim, down to the computer platform. Assuming you're safe because your computer platform isn't attacked as commonly as others will just lull you into a false sense of security.
Waterhole attacks actually started years ago. My favorite real-life example: Hackers uploaded a few dozen admin tools to popular open source websites, which were downloaded and used by hundreds of thousands of website administrators. One of the most popular tools was a website admin console; another was a Web page visitor counter. Both contained a simple URL that loaded a small logo along with the applet. The author's open source contract said that anyone could use and modify the applet as needed, as long as the URL was left intact in original form without modification. Harmless enough -- or so everyone thought and so it seemed for many months.
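An added example, not from the original article: a small audit that lists every resource a third-party web tool's HTML makes the browser fetch from a host you do not control, which is the pattern in the logo URL described above. The host names, sample markup and trusted-host list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag attributes that make a browser fetch a resource as the page loads.
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "embed": ("src",), "link": ("href",),
    "object": ("data", "codebase"), "applet": ("codebase", "archive"),
}

class RemoteLoadAudit(HTMLParser):
    """Collects (line, tag, attr, url) for loads from hosts outside the trusted set."""
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag, ())
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            host = urlparse(value.strip()).hostname  # None for relative URLs
            if host and host not in self.trusted:
                self.findings.append((self.getpos()[0], tag, name, value.strip()))

def audit(html_text, trusted_hosts):
    """Return remote loads in html_text whose host is not in trusted_hosts."""
    parser = RemoteLoadAudit(trusted_hosts)
    parser.feed(html_text)
    parser.close()
    return parser.findings

# Constructed sample: an admin-console page as shipped by a hypothetical tool.
SAMPLE = """<html><body>
<h1>Site admin console</h1>
<img src="/static/banner.png">
<img src="http://logo.tool-author.example/logo.gif" width="80">
<applet code="Console.class" codebase="http://logo.tool-author.example/applets/"></applet>
<script src="//cdn.intranet.example/ui.js"></script>
<a href="http://logo.tool-author.example/">Project home</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in audit(SAMPLE, {"cdn.intranet.example"}):
        print(f"line {line}: <{tag} {attr}> loads from {url}")
```

Plain hyperlinks are ignored because they are not fetched until a user clicks them; the two findings are the image and the applet codebase, both served from a host whose content the tool's author can change at any time.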