In nature, predators hide next to bodies of water (watering holes), where prey gathers and wait for the opportunity to attack. Unfortunately, cybercriminals have found a way to emulate this predatory behaviour. They prey on unsuspecting victims browsing regularly visited websites. This is called a watering hole attack.
The concept of watering hole attacks is similar to phishing. What makes phishing different from watering hole attacks is that phishing attempts to persuade unsuspecting victims to click on malicious links or attachments. Phishing attempts could also have victims perform other actions with which they would divulge their private information.
Watering hole attacks, however, don’t need to lure victims in that way. In this type of attack, attackers have already positioned themselves in a particular space, using malware to infect a third-party service or a website that the victim already frequents. This tactic is often executed with the idea of infecting devices to gain access to sensitive computer systems and data theft, whether financial, personal, strategic or intellectual.
While Watering hole attacks are targeted, they have a broader scope than phishing attacks. They will catch more victims than those targeted. As a result, attackers will often combine watering hole attacks with spear-phishing campaigns. This way, they can send highly targeted and customized emails to the victim, prompting them to visit a website that seems harmless and familiar but is compromised.
Watering hole attacks usually target businesses and organizations through their employees, vendors and suppliers. Still, public websites that are popular in the victim’s industry can be effective as well. These include discussion boards, smaller news outlets, industry conferences, and more.
How does water holing work?
Attackers start with a victim(s). They then:
- Find websites that the victim(s) frequents.
- Compromise the websites.
- Wait for the victim(s) to enter.
- Inject malware to penetrate the network, and move laterally to other systems to achieve their objective.
Simple concept, right? Well, that is the simplified version of it. But how do cybercriminals know which websites are the right ones?
They can’t just go after the large, popular websites that are likely secure and hard to compromise. They instead find their way to the less secure and smaller websites but still relevant to their targets, such as blogs and smaller company websites. In doing this search for websites the victim frequents, attackers will leverage legitimate resources. These resources include regular search engines, social networks, and IoT search engines such as Shodan and more obscure ways of gaining intelligence.
Once the appropriate website — the watering hole — has been established, attackers will look for exploitable weaknesses and vulnerabilities on the website, seeking a way to inject malicious code into various parts, usually by embedding it in banners and ads. When users visit the site and click on an element with the malicious code, it will redirect them to another website that automatically downloads a script that scans for new and known vulnerabilities. If such vulnerabilities exist, these are also used to infect the target with malware. This way, attackers gain access to the target network and perform lateral movements to find sensitive data such as customer information, financial data and intellectual property and exfiltrate or compromise that data.
Watering hole attack example
While watering hole attacks aren’t among the most common types of cybercrime, there have been a few notable real-world examples.
One such example of this attack occurred in 2013. Attackers managed to compromise systems at Facebook, Twitter, Microsoft, and Apple as part of a wide-ranging watering hole operation using websites that attracted employees from these organizations. Among other watering holes, the attackers used two mobile application development websites. One of which was iPhoneDevSDK.com. Attackers compromised these websites to served drive-by downloads of exploits for a zero-day vulnerability in the Java browser plug-in running on both Windows and macOS systems. In addition to the four significant organizations mentioned, these watering hole attacks also affected auto manufacturers, government agencies and various other businesses.
How to prevent watering hole attacks
The prevention of watering hole attacks, just like any highly targeted attacks, can be challenging. However, a combination of security awareness and proper cybersecurity culture in the organization and keeping security controls in place can help set effective organizational defense.
Here are a few best practices for preventing watering hole attacks:
- Watering hole attacks are also known to exploit known vulnerabilities. So the first step in any network defense is to keep all your systems, software, and Operation Systems updated to the latest version with all patches offered by vendors applied.
- The Zero Trust methodology can and should be applied to mitigate against watering hole attacks. Verify all third-party traffic, whether it comes from a trusted partner or a popular website. A security solution that inspects all network traffic will allow security researchers to determine if the traffic is coming from a compromised website being used for a watering hole attack.
- Web gateways are a great way to defend organizations against drive-by downloads that match a known signature or bad reputation and can provide detection for opportunistic watering hole attacks.
- As mentioned, victims are often lured to websites compromised in a watering hole attack via spear-phishing emails. Having an email security solution providing advanced malware analysis at the time of email delivery can help protect users.
- Educate your employees on the nature of these attacks and the tell-tale signs of compromised websites used in watering hole attacks and incorporate prevention and awareness practices. This strategy will ensure your employees don’t fall victim, especially when they’re innocently reading the latest discussions on industry boards and communication channels.
While not common, watering hole attacks are dangerous. Though these attacks have the perfect components for making them difficult to detect, an effective combination of security awareness, education, security controls, solutions, and practices can help prevent them.