The technique of hijacking a website to infect its visitors with malware is increasingly popular among cyber spies backed by China, according to UK security consultancy Context.
"The 'watering hole' or 'drive-by download' technique is fairly common in the crime world, but two years ago we didn't see many – if any – state-backed hackers using it," Context researcher Nick Maztielli told Information Age this morning. "But we're now seeing more targeted, APT-style attacks using that particular vector."
This style of attack allows hackers to target companies in a given sector. One recent high-profile example is that of market research firm IHS, which owns defence industry publisher Jane's, whose website was compromised earlier this year.
When a visitor went to the site, a Trojan called PlugX – which allows hackers to access infected computers remotely – was automatically downloaded onto their PC.
Context spotted the breach after detecting an uptick in PlugX infections among its clients, including one FTSE 250 company, and finding that all of them had recently visited the site.
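The correlation described above, checking which site every infected machine had visited shortly before the Trojan was detected, can be sketched as follows. This is an added example, not Context's tooling; the proxy log format, host names, domains and timestamps are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: web proxy records as (timestamp, host, domain).
PROXY_LOG = [
    ("2024-01-08T09:00", "ws-01", "search.example"),
    ("2024-01-08T09:05", "ws-01", "industry-news.example"),
    ("2024-01-09T10:00", "ws-02", "industry-news.example"),
    ("2024-01-09T10:10", "ws-02", "search.example"),
    ("2024-01-09T14:00", "ws-03", "search.example"),
    ("2024-01-09T14:30", "ws-03", "industry-news.example"),
    ("2023-12-20T08:00", "ws-03", "mail.example"),  # long before detection
    ("2024-01-08T11:00", "ws-10", "search.example"),
    ("2024-01-09T12:00", "ws-11", "search.example"),
    ("2024-01-09T12:05", "ws-11", "mail.example"),
]
# Constructed: time the Trojan was first detected on each infected host.
INFECTIONS = {
    "ws-01": "2024-01-08T09:30",
    "ws-02": "2024-01-09T10:30",
    "ws-03": "2024-01-09T15:00",
}

def common_precursor_domains(log, infections, window=timedelta(hours=24), min_share=1.0):
    """Return (domain, infected_share, clean_share) for domains that at least
    min_share of infected hosts visited within `window` before detection,
    ordered so domains rarely seen on clean hosts come first."""
    detected = {h: datetime.fromisoformat(t) for h, t in infections.items()}
    infected_visits = defaultdict(set)  # domain -> infected hosts, in window
    clean_visits = defaultdict(set)     # domain -> clean hosts, any time
    clean_hosts = set()
    for ts, host, domain in log:
        when = datetime.fromisoformat(ts)
        if host in detected:
            if detected[host] - window <= when <= detected[host]:
                infected_visits[domain].add(host)
        else:
            clean_hosts.add(host)
            clean_visits[domain].add(host)
    rows = []
    for domain, hosts in infected_visits.items():
        share = len(hosts) / len(detected)
        if share >= min_share:
            clean = len(clean_visits[domain]) / len(clean_hosts) if clean_hosts else 0.0
            rows.append((domain, share, clean))
    return sorted(rows, key=lambda r: (r[2], -r[1], r[0]))
```

A domain that every infected host visited but no clean host did sorts to the top; a site everyone uses, such as a search engine, is also common to all infected hosts but is pushed down by its high clean share.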
"PlugX turned up at a number of other clients, and when we looked in to how that compromise occurred, we saw the same sequence of events that preceded the infection," says Maztielli.
It is not known exactly how the attackers compromised the IHS website, although common techniques include exploiting insecure web application code and finding web servers with default security credentials.
However, a few months before the site was infected with PlugX, IHS.com was hacked by an apparently anti-Israeli hacking group, called Parastoo, who published information about its security defences online. It is presumed that the state-backed actor behind the PlugX infection used this information to plan their attack.
"This is an example of how attackers can get hold of information about a compromised website," Maztielli says.
Another example of a "watering hole" attack occurred in February, when a website for iPhone developers was infected with a Java-based Trojan. This attack successfully infected companies including Apple, Facebook and Microsoft.
According to a report at the time by Reuters, this attack was linked to cyber criminal gangs in Eastern Europe.
To protect their websites from being hijacked, organisations need to make sure their web servers are properly patched and that other website security measures are in place.
To protect themselves from infection by a hijacked website, they must adopt the appropriate defences against targeted attacks, such as monitoring Internet connections for evidence of suspicious activity, patching software whenever possible, and "minimising the attack surface" by removing unnecessary software from employee devices.
"The PlugX Trojan uses Java to compromise the machine," explains Maztielli. "If you don't need to be using Java, then switch it off."