But even this trick isn't new. Decades ago, one of Unix's original creators gave away a log-on program with a backdoor built into it, which thousands downloaded and used. Thus he made the point -- at a huge public conference, no less -- that you can't trust code you didn't write yourself. Decades later, we still haven't learned the lesson.
The difference is that these sorts of attacks used to be fairly rare. Now I hear about them and see them pop up weekly. Perhaps it's just one sophisticated APT (advanced persistent threat) group using them, but success breeds followers. You can bet that all the world's full-time cyber criminals are paying attention.
How to defend against waterholes
Waterhole exploits can crop up on popular websites or even on poisoned Wi-Fi hotspots located near your company. How do you defend against a threat that isn't inside your network, whose assets you can't control?
Start by making your users -- especially those with access to critical infrastructure and data -- aware of waterhole attacks. They are the prime targets. Just as we had to make people aware that their favorite website might serve up fake antivirus software, so too must we now warn them about waterhole attacks.
Education is a start, but we need effective detection and prevention controls, too. Start by monitoring the top 100 websites favored by the employees responsible for your critical infrastructure. Some might see this as a privacy invasion, but you don't need to tie the websites to particular employees.
Inspect those websites for malicious code on an ongoing basis. If your monitoring system detects malicious content, block the traffic (and possibly warn the user). If the website continues to host malicious links, block the site. If employees need and want the site, contact the website's admins and let them know they have a malware problem.
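The monitoring and escalation procedure in the two paragraphs above, as an added Python example that is not from the column or from InfoWorld: it builds the anonymous top-N site list from proxy log lines, inspects each site's current page content for a few common injection indicators, and applies the article's escalation ladder (detect once: block traffic and warn; detect again: block the site and notify its admins). The log format, host names, page content and indicator patterns are all constructed assumptions so the script runs offline; in a real deployment you would feed it your proxy logs and a page fetcher, and back the short pattern list with a proper content scanner or threat feed.

```python
"""Added example: anonymous top-N site list + waterhole indicator sweep.
Not the article's code. Log format, hosts, pages and patterns are constructed."""
from collections import Counter
import re

# Constructed proxy log: "timestamp user host path" (assumed format)
SAMPLE_PROXY_LOG = """\
2013-02-05T09:01:12 alice news.example.com /index.html
2013-02-05T09:02:40 bob news.example.com /world/
2013-02-05T09:05:03 alice vendor-portal.example.net /login
2013-02-05T09:07:19 carol news.example.com /tech/
2013-02-05T09:10:55 bob weather.example.org /forecast
2013-02-05T09:12:00 carol vendor-portal.example.net /tickets
2013-02-05T09:15:27 alice forum.example.com /t/123
2013-02-05T09:20:44 bob news.example.com /sports/
2013-02-05T09:22:08 alice weather.example.org /radar
2013-02-05T09:30:31 carol vendor-portal.example.net /logout
"""

# Constructed page bodies standing in for a fetcher; two carry injected code
SAMPLE_PAGES = {
    "news.example.com": '<html><body><h1>News</h1>'
        '<iframe src="http://ads.example-cdn.net/x" width="0" height="0"></iframe>'
        '<script src="http://js.example-cdn.net/t.js"></script></body></html>',
    "vendor-portal.example.net": '<html><body><p>Login</p>'
        '<script src="https://vendor-portal.example.net/app.js"></script></body></html>',
    "weather.example.org": '<html><body><script>eval(unescape("%75%6e%65%73"))'
        '</script></body></html>',
}

# Indicator patterns typical of injected drive-by code (illustrative, not exhaustive)
INDICATORS = {
    "hidden_iframe": re.compile(
        r"""<iframe[^>]*(?:width|height)\s*=\s*["']?0(?:px)?["']?(?=[\s/>])[^>]*>""", re.I),
    "offscreen_iframe": re.compile(
        r"""<iframe[^>]*style\s*=\s*["'][^"']*(?:visibility\s*:\s*hidden|display\s*:\s*none|left\s*:\s*-\d{3,}px)""", re.I),
    "obfuscated_eval": re.compile(r"""eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)""", re.I),
    "long_hex_blob": re.compile(r"""(?:\\x[0-9a-f]{2}){40,}""", re.I),
}
SCRIPT_SRC = re.compile(r"""<script[^>]*src\s*=\s*["']https?://([^/"']+)""", re.I)


def top_sites(log_text, n=100):
    """Return the n most-visited hosts. Usernames are parsed but never stored,
    so the list is not tied to particular employees."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, _user, host, _path = parts
        counts[host.lower()] += 1
    return [host for host, _ in counts.most_common(n)]


def inspect_page(html, site_host):
    """Return the names of indicators found in html. Scripts loaded from a host
    other than the site itself are reported as third_party_script:<host>."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    for m in SCRIPT_SRC.finditer(html):
        src_host = m.group(1).lower()
        if src_host != site_host and not src_host.endswith("." + site_host):
            hits.append("third_party_script:" + src_host)
    return hits


def decide(inspection_history):
    """Map a site's inspection history (oldest first, each entry the list of
    indicators found) onto the article's escalation ladder."""
    streak = 0  # consecutive most-recent inspections that found something
    for hits in reversed(inspection_history):
        if not hits:
            break
        streak += 1
    if streak == 0:
        return "allow"
    if streak == 1:
        return "block traffic, warn user"
    return "block site, notify site admins"


def sweep(log_text, fetch, history, n=100):
    """One monitoring pass: refresh the top-n list, inspect each site's current
    content, record the findings and return {host: action}."""
    actions = {}
    for host in top_sites(log_text, n):
        html = fetch(host)
        if html is None:
            continue  # unreachable this pass; leave its history alone
        history.setdefault(host, []).append(inspect_page(html, host))
        actions[host] = decide(history[host])
    return actions


if __name__ == "__main__":
    hist = {}
    for pass_no in (1, 2):  # second pass shows escalation for persistent sites
        for host, action in sweep(SAMPLE_PROXY_LOG, SAMPLE_PAGES.get, hist).items():
            print(f"pass {pass_no}: {host:28s} {hist[host][-1]} -> {action}")
```

The escalation is deliberately keyed on consecutive detections, so a site that is cleaned up between passes drops back to "allow" rather than staying blocked on stale findings; the fetcher returning None keeps an unreachable site's history unchanged instead of counting a failed fetch as clean.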
We all have our favorite watering holes. Unfortunately, it's up to us to be the bouncer if the owner isn't handling the job.
This story, "Watch out for waterhole attacks -- hackers' latest stealth weapon," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.