A phishing attacks, as you may know, “use social engineering techniques mixed with technical tricks to fool the [ Internet computer ] user and steal sensitive information and banking account credentials. Social engineering schemes are typically based on spoofed emails to lead users to visit infected websites designed to appear as legitimate ones. The websites are designed to lead customers to divulge financial data, such as account usernames, credit card numbers, passwords, and social security numbers.” There are different types, or variations, of phishing.
Spear phishing attacks are targeted at selected groups, organizations, or companies. “Usually it is an email-spoofing fraud attempt that hits a specific organization or company, seeking unauthorized access to sensitive data. Unlike a generic phishing attack, the spear phishing attack doesn’t address a wide audience and is conducted by attackers that are more interested to intellectual property, trade secrets, or military information instead of financial gain.”
Watering hole attacks are a relatively new variant of phishing and are different from other phishing attacks in that instead of using social engineering and emails to fool users into clicking on a link to a malicious site; the cybercriminal chooses a very popular website to infect with the malware package and infects every user’s computer that visits that site. It’s akin to the lion waiting quietly at the watering hole until an unsuspecting animal arrives to get some water…I think you know what happens next.
Watering hole attacks aren’t a new concept by any means; porn sites have been thus infected for years; injecting the eager visitors’ computers with a malware gift for their trouble. However, the use of watering hole attacks has spread to other legitimate high-traffic sites as well. The watering hole approach is an improvement on the social engineering type phishing attack because not all users of the social engineering attack will click on the link, while 100% who visit a high-traffic website will be infected. Hey, I never said these cyber crooks were dumb…far from it.
For more on phishing see Phishing: A Very Dangerous Cyber Threat