What is a watering hole attack?

A watering hole attack is a cyberattack that focuses on specific groups of users by infecting websites they usually visit. The name "watering hole" comes from the way animal predators behave. They tend to lurk near watering holes, waiting patiently for a chance to attack vulnerable prey. Similarly, watering hole attackers wait on particular websites frequently visited by their targets, in hopes of infecting them with malware.

How does a watering hole attack work?

In a watering hole attack, cybercriminals identify websites commonly visited by their targets and exploit vulnerabilities within these sites to infect them. They typically target public websites frequented by professionals from specific industries, such as discussion boards, industry conferences, and industry-standard bodies. Attackers profile targets to learn their web habits. Targets are often employees of large organizations or government agencies.

The cybercriminal injects malicious Hypertext Markup Language (HTML) or JavaScript code into the targeted website. This code redirects victims to a spoofed website that hosts the attacker's malware. Common malware used in watering hole attacks includes Remote Access Trojans (RATs), which provide the attacker with remote access to the victim's computer. Once inside the victim's computer, the attacker can gain unauthorized access to sensitive information or use it as a foothold to infiltrate a connected corporate network.

Go deeper: 

• What is a spoofed website? 
• What is malware? 

Preventing watering hole attacks

Watering hole attacks can be challenging to prevent due to their targeted nature. However, organizations can implement several best practices to mitigate the risk of falling victim to these attacks:

Regular security testing

Organizations should regularly test their security solutions to provide the necessary defense level. Verifying that users always browse the internet securely ensures organizations can prevent intentional and unintentional malware downloads and block access to infected or malicious websites.

Advanced threat protection

Implementing security solutions that protect against advanced attack vectors is crucial in preventing watering hole attacks. Behavioral analysis solutions, for example, can help organizations detect zero-day exploits before attackers can target users, offering a better chance of early detection.

System and software updates

Keeping systems and software up to date is an essential best practice for avoiding watering hole attacks. Promptly installing operating system patches and software updates is crucial as attackers often exploit vulnerabilities in outdated code.

Treat all traffic as untrusted

Organizations should adopt a ‘trust but verify’ approach, considering all traffic as untrusted until verified as legitimate. This approach is especially important with third-party traffic. It should be applied to all internet traffic, regardless of its source.

Test and secure against exposure

Secure web gateways play a significant role in protecting organizations from watering hole attacks. They enforce internet access policies, filter unwanted or malicious software, and protect against external and internal threats. 

Related: How to manage persistent threats and zero day vulnerabilities 

Watering hole attack statistics

Watering hole attacks have affected various organizations and industries, highlighting the need for cybersecurity measures. Here are a few notable examples:

• Forbes: In 2015, Forbes fell victim to a watering hole attack launched by a Chinese hacking group. The attack exploited zero-day vulnerabilities in Internet Explorer and Adobe Flash Player to display malicious versions of Forbes' "Thought of the Day" feature. Any vulnerable devices visiting the Forbes website were infected with malware.
• U.S.-based Chinese news site: In August 2019, FortiGuard Labs discovered a watering hole attack targeting the community of a U.S.-based Chinese news site. The attack exploited known vulnerabilities in WinRAR and Rich Text Format (RTF) files, using various techniques, tools, and backdoor functionalities to target victims.
• Microsoft's Visual Basic Script (VBScript) Exploit: In February 2019, researchers at Trend Micro discovered an advanced watering hole attack that exploited Microsoft's VBScript programming language. The attack downloaded a "gist" snippet from GitHub, modified the code to create an exploit, and used a multistage infection scheme. The malware connected to private Slack channels to lure victims, showcasing sophisticated hacking techniques.

See also: HIPAA Compliant Email: The Definitive Guide