Reconnaissance code on industrial software site points to watering hole attack

Attackers are using a sophisticated Web-based tool to gather information on potential targets, researchers from AlienVault said

Attackers have rigged the website of an industrial software firm with a sophisticated reconnaissance tool, possibly in preparation for attacks against companies from several industries.

The incident was detected last week by researchers from security firm AlienVault who found rogue code injected into the website of a big industrial company that wasn't named. "The website is related to software used for simulation and system engineering in a wide range of industries, including automotive, aerospace, and manufacturing," said Jaime Blasco, director of the AlienVault Labs in a blog post.

Unlike most watering hole attacks where hackers inject malware-carrying exploits into websites visited by their intended targets, the purpose of this attack was only to gain detailed information about visiting computers.

The rogue code injected into the compromised site loaded a JavaScript file from a remote server that was actually a reconnaissance framework dubbed Scanbox, Blasco said. In addition to collecting basic information like the browser type, computer IP (Internet Protocol) address, operating system and language, this tool uses advanced techniques to detect which security programs are installed on the visitor's system, he said.

According to the AlienVault analysis, Scanbox also tests if the computer uses Microsoft's Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool and enumerates the locally installed versions of Adobe Flash, Microsoft Office, Acrobat Reader and Java -- programs that are frequently targeted with Web-based exploits to install malware.

Some of the techniques used by Scanbox have been observed by the AlienVault researchers in other watering hole campaigns this year.

In this recent attack, the framework also deployed a JavaScript-based keylogger on the compromised site that recorded all keystrokes typed visitors, including passwords and other sensitive data entered into Web forms, Blasco said. "This is a very powerful framework that gives attackers a lot of insight into the potential targets that will help them launching future attacks against them."

Attacks might already be happening, as the AlienVault researchers found evidence that the server hosting the Scanbox framework was also used to serve Java exploits. Their blog post contains domain names and IP addresses that companies should search for in their traffic logs to determine if they've been targeted.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags AlienVaultsecurityDesktop securityspywaremalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?