AlienVault Reports – JSONP watering hole exploits used in China to track a small group of users
Eddie Lee and Jaime Blasco of AlienVault report that watering hole attacks have been used against non-governmental organization (NGO), Uyghur and Islamic websites since at least October 2013, and possibly earlier. Just days ago, a PhD student at Indiana University reported through RSA Labs that a watering hole attack had been found on the Chinese local website of an international NGO.
What is a watering hole attack? Jaime Blasco explains that the term "watering hole" is used when attackers go after a specific group, be it a collective of people, companies, an industry or even an ethnicity. Rather than attacking the targets directly, the attackers compromise websites the group visits regularly and plant a malicious script there, so that the site itself compromises its visitors.
As an example, say attackers target a group of stock traders: they compromise the one market data website the traders all use, so that when the traders visit and log in, the compromised site serves the malicious content and the visitors are none the wiser.
Such an attack can grant access to the victim's computer or device by using JavaScript or iframe techniques to exploit vulnerabilities in Internet Explorer, Java or Flash. Other reports describe similar techniques being used to fingerprint the software installed on the visitor's machine or, worse, JavaScript keyloggers silently stealing login credentials.
The latest attacks use JavaScript JSONP hijacking against more than 15 major Chinese websites and portals. Those portals expose JSONP endpoints that return account details wrapped in a caller-supplied callback function; the malicious script planted on the watering hole site requests them from the visitor's browser, and because a script tag is loaded with the visitor's cookies for the portal, the attacker's callback receives the logged-in user's information. This sidesteps the same-origin policy that would normally stop one site from reading another site's responses, and the private data is then sent back to the attacker. According to the report, the watering hole websites are all Uyghur, Islamic or freedom-of-speech-friendly NGO sites. Some of them are hosted outside China and are most likely already blocked by the Great Firewall.
A full data table in the official report on AlienVault lists the known affected websites and exactly what private information can be stolen from each one; Alexa ranks show how popular some of these websites are in China. The report also covers the malicious code itself, JSONP cross-domain requests in general and the loopholes that make them abusable. Although it seems that only a very small group of individuals is being targeted, and that the attackers only want to identify the users rather than compromise their machines, the same technique works against any other website that has not yet fixed its JSONP endpoints.
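To make the mechanism concrete, here is an added example that is not code from the AlienVault report or from any of the affected sites: a self-contained Node.js simulation of a portal's JSONP user-info endpoint, the browser behaviour the hijack relies on, the attacker's script on the watering hole page, and a hardened version of the endpoint. The host names (portal.example, ngo-site.example), cookie and token values and the account record are all made up. It also shows why the "log out first" advice helps: a visitor with no session cookie yields nothing identifying.

```javascript
// Added example, not code from the AlienVault report or the affected sites: a
// self-contained Node.js simulation of a JSONP user-info endpoint, the browser
// behaviour the hijack relies on, the attacker's watering-hole script, and a
// hardened endpoint. Host names, cookie and token values and the account
// record are all made up.

// --- The "portal": a logged-in session store and a JSONP user-info API -------
const SESSIONS = { "sess-42": { uid: 1001, name: "alice" } };   // cookie -> account
const CSRF_TOKENS = { "sess-42": "tok-9f3a" };                  // per-session token the portal
                                                                // embeds in its own pages only
const PORTAL = "https://portal.example";

// Vulnerable: whoever can make the browser GET this URL with the victim's
// cookie receives the account record wrapped in a callback of their choosing.
function vulnerableUserInfo(req) {
  const session = SESSIONS[req.cookies.sid];
  const data = session || { uid: null };             // logged-out visitors stay anonymous
  return { status: 200, body: `${req.query.callback}(${JSON.stringify(data)});` };
}

// Hardened: the caller must prove it is the portal's own page. The Referer
// check is defence in depth (it can be stripped by the client); the anti-CSRF
// token is the real control, because a third-party <script> tag cannot read
// it. The callback name is restricted so the endpoint cannot reflect arbitrary
// text into a script response.
function hardenedUserInfo(req) {
  const referer = req.headers.referer || "";
  if (!referer.startsWith(PORTAL + "/")) return { status: 403, body: "" };
  const session = SESSIONS[req.cookies.sid];
  if (!session || req.query.token !== CSRF_TOKENS[req.cookies.sid]) return { status: 403, body: "" };
  if (!/^[A-Za-z_$][\w$]*$/.test(req.query.callback || "")) return { status: 400, body: "" };
  return { status: 200, body: `${req.query.callback}(${JSON.stringify(session)});` };
}

// --- The browser behaviour the attack relies on ------------------------------
// A <script src="..."> pointing at another origin is fetched with a GET, the
// cookies stored for that origin are attached (the default before SameSite
// cookies existed), and the response text is executed as JavaScript inside
// the page that embedded the tag. Returns the simulated HTTP status.
function loadScript(pageOrigin, src, cookieJar, endpoint, pageGlobals) {
  const url = new URL(src);
  const req = {
    headers: { referer: pageOrigin + "/" },
    query: Object.fromEntries(url.searchParams),
    cookies: cookieJar[url.origin] || {},
  };
  const res = endpoint(req);
  if (res.status === 200) {
    new Function(...Object.keys(pageGlobals), res.body)(...Object.values(pageGlobals));
  }
  return res.status;
}

// --- The watering-hole page on the compromised NGO site ----------------------
// It names its own function as the JSONP callback; whatever the portal returns
// lands in `exfil` (the real attack posts it to the attacker's server).
function runWateringHole(endpoint, cookieJar) {
  const exfil = [];
  loadScript("https://ngo-site.example",
             PORTAL + "/api/userinfo?callback=stealInfo",
             cookieJar, endpoint, { stealInfo: (data) => exfil.push(data) });
  return exfil;
}

// --- The portal's own page, which must keep working after the fix ------------
function runPortalPage(endpoint, cookieJar) {
  const shown = [];
  const token = CSRF_TOKENS[(cookieJar[PORTAL] || {}).sid] || "";
  loadScript(PORTAL,
             PORTAL + "/api/userinfo?callback=render&token=" + token,
             cookieJar, endpoint, { render: (data) => shown.push(data) });
  return shown;
}

const LOGGED_IN = { [PORTAL]: { sid: "sess-42" } };   // constructed cookie jar
const LOGGED_OUT = {};                                // visitor logged out of the portal

console.log("vulnerable, logged in :", runWateringHole(vulnerableUserInfo, LOGGED_IN));
console.log("vulnerable, logged out:", runWateringHole(vulnerableUserInfo, LOGGED_OUT));
console.log("hardened,   logged in :", runWateringHole(hardenedUserInfo, LOGGED_IN));
console.log("portal page, hardened :", runPortalPage(hardenedUserInfo, LOGGED_IN));
```

Run it with `node jsonp.js`. The vulnerable endpoint hands the watering hole page Alice's account record when she is logged in and only `{ uid: null }` when she is not, which is the whole reason the "log out first" advice works. Against the hardened endpoint the same attacker script gets nothing, while the portal's own page, which knows the per-session token, still renders normally. In modern browsers, marking the session cookie SameSite adds a client-side layer on top of this, since the cookie is then no longer attached to a cross-site script load at all.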
Why is this concerning?
As you may already know, China's Great Firewall inspects traffic leaving the country, allowing the authorities to block and censor requests for any international websites and services of their choosing. Users have been able to circumvent the blocks by using Tor and VPN services in China. Inside a VPN tunnel the Great Firewall no longer sees the web traffic itself and cannot tell which websites are being requested, which negates its ability to block them.
The problem for these users is that the VPN does nothing about this leak: if they visit one of these watering hole websites while logged in to one of the affected services, some of their personal data can still be extracted by the malicious script, allowing them to be identified. It has become a priority for all the affected websites to fix their JSONP endpoints as soon as possible, and until they do, using them from China should be avoided entirely.
AlienVault also offers some recommendations that users often overlook when browsing the internet, the main one being:
- Do not visit sensitive websites or services after logging in to another, less sensitive website, even in a different window or browser tab. Log out of all services and websites before you log in to a sensitive account whose private information you would be concerned about leaking.
Using a VPN or Tor in China is very effective at encrypting your traffic and keeping it private, but it does not make you anonymous if you log in to accounts that identify you. Remember the difference, and understand that vigilance is required when using online services. If you need a good VPN, check out our articles on the best VPNs for use in China.