Open blackfist opened 11 years ago
Apparently the URL is http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/
How would this be coded? Do we attempt to code the sites hosting the malware as compromised assets?
Seems like the owners of the compromised sites serving up malware are victims of separate incidents. Also, organizations that are infected when visiting those sites are victims (separate incidents). This is a good example where linking all these incidents under a common campaign identifier is very useful.
Beginning in early May, Cisco TRAC has observed a number of malicious redirects that appear to be part of a watering-hole style attack targeting the Energy & Oil sector. The structure consists of several compromised domains, of which some play the role of redirector and others the role of malware host.