Sergey Nivens - Fotolia
Chinese hackers are by-passing web privacy tools, say researchers
A new Chinese watering hole attack is exposing the details of visitors to certain websites even if they are using Tor browsers or VPNs, researchers have found
The attackers compromise websites used by the groups and include malicious content that is executed when users access the affected websites.
The researchers found that Chinese hackers are exploiting vulnerabilities in China’s most-visited websites to target individuals accessing web content state censors consider hostile.
Even users deploying popular web privacy tools, such as TOR browsers or virtual private network (VPN) connections, to bypass government surveillance are vulnerable to this latest watering hole attack.
The attack uses a novel technique AlienVault researchers said they have not seen before with watering hole attacks.
First, the attackers compromise several Chinese-language websites associated with NGOs, Uyghur communities and Islamic associations.
Using JSONP requests, the attackers are able to bypass cross-domain policies and collect a user’s private information if the user is logged in to one of the affected services.
Read more about watering hole attacks
- Spear phishing remains popular in targeted attacks, but watering hole attacks are gaining favour.
- Expert Nick Lewis analyses techniques employed by watering hole attacks and discusses how to use a secure VM to defend enterprises against them.
According to Jaime Blasco, vice-president and chief scientist at AlienVault, the JSONP vulnerability was first publicised in 2013, but the affected sites did not patch the problem, making these most recent attacks possible.
He said this campaign has been targeting a very small group of people, and since there is no financial gain from collecting most of the leaked personal data, the attackers appear to be looking to reveal the identity of users visiting certain websites.
Blasco said affected sites should fix the JSONP hijacking vulnerabilities by including a random value in all the JSONP requests, not using cookies to customise JSONP responses, not including user data in JSONP responses, or using cross-origin resource sharing (Cors) instead of JSONP.
He also recommends users to be vigilant and follow best practices when browsing the web, especially if they are worried about being tracked.
“For example, do not browse sensitive websites after logging into another website – even in a different tab or window. It is really important to understand the differences between anonymity and privacy. For instance, if you are using TOR or a VPN service that encrypts your communications, it is going to give you a certain level of privacy, but your anonymity is still at risk,” he wrote in a blog post .
Blasco said anonymity is being “non-identifiable” or un-trackable, but it is difficult to remain anonymous when using services where personal information has been revealed and then browsing other sites that can exploit vulnerabilities to access that personal information.
Read more on Privacy and data protection