‘Watering hole’ hack: scammers using online menus to steal company information from hungry workers

Thinking about what to have for lunch? Here's why you should think twice before downloading a restaurant menu at work.

Criminals are targeting workers using restaurant menus in order to harvest information about the business they work for.

In the latest cyber scam, known as the ‘watering hole’ hack, criminals plant viruses on popular restaurant websites that are located near the office of the business they want to target.

When the time comes for hungry workers to browse the menu, the virus is downloaded to their computer, which allows the criminals to access information on the machine.

“Sometimes, especially near organisations that are targeted, let’s say there is a major corporate office near this restaurant, they may infect the restaurant and when you download the PDF version of the menu it is infected,” Chris Furlow, president of US risk company Ridge Global, told the World Credit Union Conference in Belfast.

“They may be coming after a specific individual because they have inside information about what is going on within your organisation.”

British intelligence agency GCHQ admits that these types of scam have made it to the UK. It recently identified a watering hole attack against a web design company that works with a number of UK companies. It’s believed it was part of a continuing commercial espionage campaign.

In 2014 Forbes.com was breached in a watering hole attack aimed at US financial and defence companies that used the website. It is believed Twitter, Microsoft, Facebook and Apple have also been attacked using the watering hole technique.

Protect yourself and your company

To protect themselves companies need to educate their staff to be on their guard, says Furlow. A quarter of data breaches involve human error, according to a report from tech firm IBM.

“That should be striking, it is something that should concern you,” says Furlow.

“This is about employees or third parties like contractors who are in some way negligent. I think that is a tough term in the environment today, negligent, because there are some people who just don’t have the resources or they do not have the training in order to understand what they need to be doing.”

Companies should also monitor the 100 websites most visited by their employees. Those sites should be inspected for malware on a regular basis and blocked if they are hosting malicious links.

If it is a website employees need to use, then businesses should contact the website’s operators and warn them that it is infected.
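One way to turn the two steps above into a repeatable check, as an added example that is not part of the article or of Ridge Global’s advice: rank the most-visited domains from a web proxy log, mark any already on a blocklist for blocking, and queue the rest for malware inspection, listing sites that serve PDF downloads first because that is the delivery path the article describes. The log format, the domains and the blocklist are constructed for this example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the article): "user url http_status"
SAMPLE_LOG = """\
alice http://lunch-cafe.example/menu.pdf 200
bob http://lunch-cafe.example/menu.pdf 200
carol http://lunch-cafe.example/ 200
alice https://intranet.example/home 200
bob https://news.example/ 200
dave http://lunch-cafe.example/menu.pdf 200
erin https://news.example/ 200
frank http://badsite.example/offer.pdf 200
"""

# Hypothetical blocklist of domains already known to host malicious content.
KNOWN_BAD = {"badsite.example"}


def parse_log(text):
    """Yield (user, domain, path) tuples from the simplified log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        user, url, _status = parts
        parsed = urlsplit(url)
        yield user, parsed.hostname.lower(), parsed.path


def site_stats(records):
    """Per domain: (number of distinct users, number of PDF requests)."""
    users, pdfs = defaultdict(set), defaultdict(int)
    for user, domain, path in records:
        users[domain].add(user)
        if path.lower().endswith(".pdf"):
            pdfs[domain] += 1
    return {d: (len(users[d]), pdfs[d]) for d in users}


def review_queue(text, top_n=100, blocklist=KNOWN_BAD):
    """Rank the top_n domains by distinct users, then triage each one."""
    stats = site_stats(parse_log(text))
    ranked = sorted(stats, key=lambda d: (-stats[d][0], -stats[d][1], d))[:top_n]
    queue = []
    for domain in ranked:
        users, pdfs = stats[domain]
        action = "block" if domain in blocklist else "inspect"
        queue.append({"domain": domain, "users": users, "pdf_requests": pdfs, "action": action})
    # Known-bad sites first, then inspection candidates with PDF downloads on top.
    queue.sort(key=lambda r: (r["action"] != "block", -r["pdf_requests"], -r["users"]))
    return queue
```

The `inspect` entries are the list to hand to whatever scanner or sandbox the company uses for the regular malware checks the article recommends.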

Individuals should make sure they keep their antivirus and internet security software up to date and switched on. Many of these products will warn you if you are visiting a website that contains malicious links or code.

And, as ever, don’t click on links in unsolicited emails or type your details into insecure websites.

Afraid that you've had your details stolen? Check your credit report for unusual activity. Get free access for 30 days with Equifax and Experian with loveMONEY.


Copyright © lovemoney.com All rights reserved.