vz-risk / VCDB

VERIS Community Database

Watering-Hole Attacks Target Energy Sector #292

Open blackfist opened 11 years ago

blackfist commented 11 years ago

Beginning in early May, Cisco TRAC has observed a number of malicious redirects that appear to be part of a watering-hole style attack targeting the Energy & Oil sector. The structure consists of several compromised domains, of which some play the role of redirector and others the role of malware host.

jayjacobs commented 11 years ago

Apparently the URL is http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/

How would this be coded? Do we attempt to code the sites hosting the malware as compromised assets?

whbaker commented 11 years ago

Seems like the owners of the compromised sites serving up malware are victims of separate incidents. Also, organizations that are infected when visiting those sites are victims (separate incidents). This is a good example where linking all these incidents under a common campaign identifier is very useful.
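The coding approach from the last comment (one incident per victim, all tied together by a shared campaign identifier), sketched as an added example that is not part of the original thread or of VCDB. The `incident_id`, `campaign_id`, `victim`, `action` and `asset` field names follow the VERIS record layout; every ID, victim label and enumeration string below is a constructed placeholder.

```python
from collections import defaultdict

# Constructed sample records (not VCDB data, not taken from the Cisco post).
# Enumeration strings are illustrative and not validated against any
# particular VERIS schema version.
CAMPAIGN = "CONSTRUCTED-CAMPAIGN-0001"
INCIDENTS = [
    {"incident_id": "constructed-0001", "campaign_id": CAMPAIGN,
     "victim": {"victim_id": "Redirector site owner"},
     "action": {"hacking": {"variety": ["Unknown"], "vector": ["Web application"]}},
     "asset": {"assets": [{"variety": "S - Web application"}]}},
    {"incident_id": "constructed-0002", "campaign_id": CAMPAIGN,
     "victim": {"victim_id": "Malware host site owner"},
     "action": {"hacking": {"variety": ["Unknown"], "vector": ["Web application"]}},
     "asset": {"assets": [{"variety": "S - Web application"}]}},
    {"incident_id": "constructed-0003", "campaign_id": CAMPAIGN,
     "victim": {"victim_id": "Energy company whose user visited the site"},
     "action": {"malware": {"variety": ["Unknown"], "vector": ["Web drive-by"]}},
     "asset": {"assets": [{"variety": "U - Desktop"}]}},
    {"incident_id": "constructed-0004",  # unrelated incident, no campaign_id
     "victim": {"victim_id": "Unrelated organization"},
     "action": {"malware": {"variety": ["Unknown"], "vector": ["Unknown"]}},
     "asset": {"assets": [{"variety": "U - Desktop"}]}},
]

def link_by_campaign(incidents):
    """Group records by campaign_id; records without one stay unlinked."""
    campaigns, unlinked = defaultdict(list), []
    for inc in incidents:
        cid = inc.get("campaign_id")
        (campaigns[cid] if cid else unlinked).append(inc)
    return dict(campaigns), unlinked

def summarize(campaigns):
    """Per campaign: incident IDs, distinct victims, action categories seen."""
    return {
        cid: {
            "incidents": sorted(i["incident_id"] for i in incs),
            "victims": sorted({i["victim"]["victim_id"] for i in incs}),
            "actions": sorted({a for i in incs for a in i["action"]}),
        }
        for cid, incs in campaigns.items()
    }

if __name__ == "__main__":
    campaigns, unlinked = link_by_campaign(INCIDENTS)
    for cid, info in summarize(campaigns).items():
        print(cid, info)
    print("unlinked:", [i["incident_id"] for i in unlinked])
```

Each victim keeps its own record and action coding, and the campaign view is recovered by grouping on the shared identifier rather than by folding the compromised sites into one incident as assets.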