Watering hole attack

A watering hole attack is when cyber criminals infect a website they know their intended victims will visit.


Also for WindowsiOSAndroidChromebook and For Business

What is a watering hole attack?

Whether you’re talking about cybersecurity or the jungle, a watering hole attack is when threat actors strike their targets where they congregate. In the wild, a watering hole is a natural depression of water where thirsty animals come to drink. With their guard down, they’re easier prey for hunters such as lions. It’s a similar concept in cybersecurity, except, instead of big cats and gazelles, it is hackers stalking computer users on the web.  

How do watering hole attacks work?

A watering hole attack is when cyber criminals attack individuals, cohorts, or organizations on a website they frequent, using skills like hacking and social engineering. Alternatively, the attacker can lure victim(s) to a website they create. The attacks require meticulous execution in all four of the following phases:

1. Intelligence gathering

The threat actor gathers intelligence by tracking their target’s web browsing habits. Common tools for intelligence gathering include search engines, social media pages, website demographic data, social engineering, spyware, and keyloggers. Sometimes, common knowledge is a big help. At the end of this phase, the cybercriminals have a website shortlist of targets to use for a watering hole cyberattack.

2. Analysis

The cybercriminals analyze the list of websites for domain and subdomain weaknesses they can exploit. Alternatively, the attackers may create a malicious website clone. Sometimes they do both — compromise a legitimate website so that it leads targets to a bogus one.

3. Preparation

The hackers inject the website with web-borne exploits to infect their targets. Such code may exploit web technologies like ActiveX, HTML, JavaScript, images, and more to compromise browsers. For more targeted attacks, the threat actors may also use exploit kits that allow them to infect visitors with specific IP addresses. These exploit kits are particularly useful when focusing on an organization.

4. Execution

With the watering hole ready, the attackers wait for the malware to do its work. If all goes well, the target’s browsers download and run the malicious software from the website. Web browsers can be vulnerable to web-borne exploits because they usually indiscriminately download code from websites to local computers and devices.

What techniques do hackers use in watering hole attacks?

  • Cross-site scripting (XSS): With this injection attack, a hacker can insert malicious scripts into a site’s content to redirect users to malicious websites.
  • SQL Injection: Hackers can use SQL injection attacks to steal data.
  • DNS cache poisoning: Also known as DNS spoofing, hackers use this manipulation technique to send targets to malicious pages.
  • Drive-by downloads: Targets at a watering hole may download malicious content without their knowledge, consent, or action in a drive-by download.
  • Malvertising: Known as malvertising, hackers inject malicious code in advertisements at a watering hole to spread malware to their prey.
  • Zero-day exploitation: Threat actors can exploit zero-day vulnerabilies in a website or browser that watering hole attackers can use.

Watering hole attack examples

2012: Hackers infected the American Council on Foreign Relations (CFR) website through an Internet Explorer exploit. Interestingly, the watering hole only hit Internet Explorer browsers that were using certain languages.

2013: A state-sponsored malware attack hit Industrial Control Systems (ICS) in the United States and Europe, targeting defense, energy, aviation, pharmaceutical, and petrochemical sectors.

2013: Hackers harvested user information by using the United States Department of Labor website as a watering hole.

2016: Researchers found a custom exploit kit targeting organizations in over 31 countries, including Poland, the United States, and Mexico. The source of the attack may have been the Polish Financial Supervision Authority’s web server.

2016: The Montreal-based International Civil Aviation Organization (ICAO) is a gateway to almost all airlines, airports, and national aviation agencies. By corrupting two of ICAO’s servers, a hacker spread malware to other websites, leaving the sensitive data of 2000 users and staff members vulnerable.

2017: The NotPetya malware infiltrated networks across Ukraine, infecting website visitors and deleting their hard drive data.

2018: Researchers found a watering hole campaign called OceanLotus. This attack hit Cambodian government websites and Vietnamese media sites.

2019: Cybercriminals used a malicious Adobe Flash pop-up to trigger a drive-by download attack on almost a dozen websites. Called Holy Water, this attack hit religious, charity, and volunteer websites.

2020: American information technology company SolarWinds was the target of a watering hole attack that took months to uncover. State-sponsored agents used the watering hole attack to spy on cybersecurity companies, the Treasury Department, Homeland Security, etc.

2021: Google’s Threat Analysis Group (TAG) found widespread watering hole attacks targeting visitors of media and pro-democracy websites in Hong Kong. The malware infection would install a backdoor on people using Apple devices.

Now: Watering hole attacks are an advanced persistent threat (APT) against all types of businesses worldwide. Unfortunately, hackers are targeting retail businesses, real estate companies, and other establishments with watering hole phishing driven by social engineering strategizes.

Watering hole attacks vs supply chain attacks

Although watering hole attacks and supply chain attacks can be similar, they’re not always the same. A supply chain attack delivers malware through the weakest element in an organization’s network, like a supplier, vendor, or partner. For example, five outside companies may unwittingly have functioned as patient zero in the Stuxnet attack on Iran’s air-gapped computers. A supply chain attack may also use a compromised website as a watering hole, but this isn’t necessary.

How to protect against watering hole attacks

For consumers, good cybersecurity practices like being careful where you browse and click on the web, using a good antivirus program, and using browser protection like Malwarebytes Browser Guard are collectively a good way to avoid watering hole attacks. Browser Guard enables you to browser more safely by blocking web pages that contain malware.

For businesses, best practices to protect against watering hole attacks include:

  • Employ advanced malware analysis software that uses machine learning to recognize malicious behavior on websites and emails.
  • Test your security solution regularly and monitor your Internet traffic for suspicious activity.
  • Train end-users on watering hole attack mitigation strategies.
  • Use the latest operating system and browser security patches to reduce the risk of exploits.
  • Try cloud browsers instead of local browsers for better security.
  • Audit permissions that are given to websites.
  • Use Endpoint Detection and Response tools for Windows and Mac in order to guard endpoints in your organization from emerging malware threats.
  • Use relevant cybersecurity resources to learn more about the threat vectors hackers use for watering hole attacks.

News on watering hole attacks