On August 28, 2014, AlienVault published a report detailing the structure of an evolution in watering hole attacks. The main difference it identified was the absence of a malware payload: in its place, a malicious JavaScript file served from a remote server is injected into a compromised website. Dubbed "Scanbox," the framework works as follows. The attackers first configure a command and control server to collect the following information from each visitor: referrer, user-agent, location, cookie, title, domain, charset, screen width and height, operating system, and language. After encoding and encrypting this data, Scanbox issues a request in response to which multiple plugins are delivered. One of these plugins is a keylogger, which records every keystroke a victim makes on the compromised website and sends it back to the command and control server.

More recently, on October 27, 2014, PWC published a follow-up report describing its efforts to track examples of this new framework across the Internet. It found attacks aimed at various groups, including "the Uyghur population in China, United States think tanks, the Japanese Industrial sector, and Korean hospitality." Such a diverse set of targets initially suggested that no single actor perpetrated every attack, and to substantiate that claim PWC analyzed each attack and found noticeable differences in implementation and subtle differences in code. By the end of its study, however, PWC concluded that one group could still be responsible if it was adapting its code and avoiding "any overlap in infrastructure or in services used." PWC also notes that multiple groups may be sharing resources, or that unrelated actors may have acquired the framework from public watering holes.
