What watering hole attacks are and how to mitigate them are among the questions people most frequently ask today. In this article, we cover the definition of watering hole attacks, give some real examples, and conclude with measures that can be taken to avoid falling victim to one.

1. What is a Watering Hole Attack?

A watering hole attack is a social engineering technique in which cyber criminals identify and observe the websites favoured by a particular organisation and/or company. They then attempt to infect these sites with malicious code, and an unsuspecting user falls victim through one of the infected resources, such as a download. A cyber criminal may also choose to target specific IP addresses in order to uncover the particular information they are after, which in turn makes the attack harder to detect and to take pre-emptive action against.

In our daily online lives, both at work and at home, we habitually use certain websites regularly; in the cyber security lexicon these are described as watering holes. The name comes from the analogy of animals gathering at their favorite, trusted places to drink and quench their thirst without thinking twice about taking extra precautions. Their predators realise this too and lie in wait, ready to pounce when defenses are down. In the digital landscape, watering holes are a popular method for cyber criminals wanting to gain access to networks with a view to unleashing their own potentially devastating attacks.

For example, if you work in the banking or fintech sector, you will probably use websites such as The Banker, the BBA, the European Central Bank or the Federal Reserve on a daily basis. Cyber criminals know this as well; they have identified these very same websites and understand how to exploit the trust we have placed in them. Then, like the predators waiting for the animals at the watering hole, they lie in wait for an unsuspecting employee of their target organisation/company. This theme of cyber criminals exploiting trust is one we also covered in our last blog post about Social Engineering.

2. Watering Hole Attack Techniques

Most of us unconsciously leave tracking information behind when we browse the internet, whether for personal or business purposes. This tracking information allows cyber criminals to build a picture of the web behavior of their intended victims, as well as further important information about the security protocols, policies, access and cloud services of their companies and organisations.

Once the cyber criminals have established an individual’s favorite, trusted websites and sources of information, they investigate those sites’ vulnerabilities and how they can best be exploited. Having identified the weaknesses, they insert malicious JavaScript or HTML code into your most frequented and trusted websites, or recreate uncannily similar illegitimate ones. The targeted users are then redirected to these sham or compromised websites, where malware or malvertisements are waiting to hook them with subsequent phishing and ransomware attacks. The consequences can be highly damaging: devastating data breaches costing millions, as well as a great deal of negative PR and damage to the brand of the company or organisation involved.
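To make the injection step concrete from the defender’s side, here is an added example (not code from the original article or from Keepnet) that extracts the third-party hosts a fetched page loads scripts, frames and plugin objects from and compares them with a baseline recorded for that site; the page URL, HTML and hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags/attributes through which a page pulls in executable third-party content
# (scripts, frames, and the Flash/Silverlight plugin objects used in the campaigns above).
LOADER_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

class LoaderCollector(HTMLParser):
    """Collects the absolute URL of every externally loaded script, frame or plugin."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = LOADER_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            # urljoin resolves relative and protocol-relative ("//host/x.js") references
            self.urls.append(urljoin(self.page_url, value))

def loader_hosts(html, page_url):
    """Hostnames the page loads active content from, excluding the page's own host."""
    parser = LoaderCollector(page_url)
    parser.feed(html)
    own = urlparse(page_url).hostname
    return {urlparse(u).hostname for u in parser.urls if urlparse(u).hostname not in (None, own)}

def unexpected_hosts(html, page_url, baseline):
    """Hosts absent from the baseline recorded for this site: candidates for injected code."""
    return loader_hosts(html, page_url) - set(baseline)

# Constructed sample: a trusted industry site whose page now carries an extra
# protocol-relative script tag and a hidden 1x1 iframe that were not there at baseline.
SAMPLE_PAGE_URL = "https://news.example-bank-portal.test/daily"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.trusted-cdn.test/jquery.min.js"></script>
<script src="//stats.unknown-host.test/t.js"></script>
</head><body>
<iframe src="https://exploit-landing.test/ie/" width="1" height="1" style="display:none"></iframe>
</body></html>"""
SAMPLE_BASELINE = {"cdn.trusted-cdn.test"}

if __name__ == "__main__":
    print(sorted(unexpected_hosts(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_BASELINE)))
```

Run against a site’s pages on a schedule and the baseline becomes the list of hosts you have reviewed; anything new is worth a look before employees keep visiting.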

3. Real Life Examples of Watering Hole Attacks

3.1. The VOHO Affair

In this case, cyber criminals concentrated on legitimate websites in particular geographic regions which they believed would be frequented by the organisations they wanted to attack. Users from a targeted organisation visited the compromised watering hole website and, through a malicious JavaScript link, were redirected to an exploit site. This site first checked the victim’s Windows OS and Internet Explorer before a “gh0st RAT” (a Remote Access Trojan) was installed to monitor areas of interest within that organisation and collect intelligence. RAT malware can also covertly activate and operate webcams and microphones.

It was discovered that in this particular campaign, websites related to finance and technology in the Massachusetts and Washington D.C. areas were affected. It was reported that over 32,000 users visited the ‘watering hole’ site, affecting 4,000 organisations across state and federal government, educational institutions, and the defense and tech sectors.

3.2. Forbes

In 2015, attackers based in China used the watering hole technique to compromise the prestigious business website Forbes.com. Security Week reported that the attackers took advantage of zero-day vulnerabilities in Microsoft’s Internet Explorer and Adobe’s Flash to create malicious versions of Forbes’ “Thought of the Day” feature. The Flash widget was loaded every time someone visited a page of Forbes.com, so anyone visiting with a vulnerable device while the campaign was running was affected. The defense and financial services industries were particularly targeted by this watering hole attack.

3.3. Banks a favorite target of watering hole attacks

At the start of 2017, banks and financial institutions worldwide, from Poland to Uruguay and Mexico, were victims of a series of watering hole attacks in which trusted websites had been poisoned by cyber criminals wanting to lure innocent, trusting victims. The websites were found to be compromised with code that would launch an avalanche of malicious JavaScript files from other breached domains, which hosted exploit tools that used Silverlight and Flash to distribute malware.

In the case of the Polish Financial Supervision Authority, a key victim of this watering hole attack, researchers found that its site had been compromised in October 2016, four months before the discovery of the breach. Fortunately, not all visits to the site were affected.

Users were targeted on the basis of a particular IP subnet, and those users were delivered the exploit kit and payload. The affected IP addresses were found to belong primarily to banks in the US, Mexico, the UK and Poland.

4. How to Defend against Watering Hole Attacks

To counter watering hole attacks, companies and organisations can take a number of preventive measures to adequately protect themselves from future malicious campaigns and their attacks.

Best practices involve a mix of the following:

  • Regularly inspect the websites most visited by your employees for malware
  • Block visits to all the compromised sites you have discovered
  • Configure your browsers and tools to warn users of bad sites, using website reputation services
  • Inspect all traffic from third-party and external sites and verify them before allowing your employees access to those sites
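As an added example of the last two measures (not code from the original article or from Keepnet), the following script runs a simple detection over proxy log lines: it flags requests in which a watched, frequently visited site refers the browser to an unfamiliar host for script or plugin content, or where that host then redirects, and groups the affected clients by /24 subnet, echoing the subnet-based targeting seen in the bank campaigns above. The log format, hostnames and addresses are constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Sites this organisation's employees visit daily (its "watering holes").
WATCHED_SITES = {"regulator.example-fsa.test", "news.example-bank-portal.test"}
# Third-party hosts those sites are known to load content from.
KNOWN_THIRD_PARTIES = {"cdn.trusted-cdn.test"}
# Resource types the campaigns above used to deliver exploit code.
ACTIVE_CONTENT = (".js", ".swf", ".xap", ".jar")

def parse_line(line):
    """Parse one constructed proxy log line: time client method url referer status."""
    ts, client, method, url, referer, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "referer": None if referer == "-" else referer, "status": int(status)}

def is_suspicious(rec):
    """True when a watched site sent the browser to an unfamiliar host for active
    content, or that unfamiliar host answered with a redirect (the next hop)."""
    if not rec["referer"]:
        return False
    ref_host = urlparse(rec["referer"]).hostname
    dst = urlparse(rec["url"])
    if ref_host not in WATCHED_SITES or dst.hostname in WATCHED_SITES | KNOWN_THIRD_PARTIES:
        return False
    return dst.path.lower().endswith(ACTIVE_CONTENT) or 300 <= rec["status"] < 400

def find_redirect_chains(lines):
    """Map each unfamiliar host to the sorted /24 subnets whose clients were sent there."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if is_suspicious(rec):
            net = ipaddress.ip_network(rec["client"] + "/24", strict=False)
            hits.setdefault(urlparse(rec["url"]).hostname, set()).add(str(net))
    return {host: sorted(nets) for host, nets in hits.items()}

# Constructed sample log: normal traffic first, then a watched site sending two
# browsers from the same subnet to an unknown host for a script and a redirect.
SAMPLE_LOG = """\
10:01:02 10.20.5.17 GET https://regulator.example-fsa.test/reports - 200
10:01:03 10.20.5.17 GET https://cdn.trusted-cdn.test/jquery.min.js https://regulator.example-fsa.test/reports 200
10:01:03 10.20.5.17 GET https://stats.unknown-host.test/t.js https://regulator.example-fsa.test/reports 200
10:01:04 10.20.5.17 GET https://stats.unknown-host.test/go https://regulator.example-fsa.test/reports 302
10:05:40 10.20.5.88 GET https://stats.unknown-host.test/t.js https://regulator.example-fsa.test/news 200
""".splitlines()

if __name__ == "__main__":
    print(find_redirect_chains(SAMPLE_LOG))
```

Hosts that appear only for clients in one subnet, rather than for everyone who visits the watched site, are the ones worth escalating, since that is the pattern the bank campaigns showed.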

To help deliver verification and strengthen your cyber security posture, it is recommended that you have a multi-faceted approach which includes threat detection. Solutions such as Keepnet’s Threat Intelligence and Threat Sharing will allow you to protect your company or organisation.

4.1. Threat Intelligence and Threat Sharing

The Threat Intelligence module allows you to scan the web for signs of suspicious activity that may lead to potentially devastating breaches of your data security, costing millions of dollars in clean-up operations. With the proactiveness of this module, you will be able to react more quickly and shorten the period between a potential data breach and your defensive response, reducing the opportunities for fraudulent activity.

Keepnet™’s Threat Sharing is a highly important component of the cyber security arsenal. Instead of waiting to become the victim of a phishing attack, take pre-emptive measures to improve your cyber security defense. With such a platform, you can introduce an early warning system that provides inbox-level incident reporting, investigation and response. This allows you to react with maximum agility and reduce response time, as you no longer have to experience a malicious attack directly before responding.

As soon as an incident occurs, the user reports it to their communities, with whom the intelligence is then shared, triggering investigations through the Threat Sharing Community platform.

Use of such a threat sharing system will allow threat intelligence to be strengthened and expanded through a collective leveraging of knowledge in a network of communities built upon trust, reputations, shared goals and a willingness to protect their companies and the industries they work in.

4.2. Cyber Security Awareness Training / Information Security Awareness Training

Whatever systems you put in place against watering hole attacks or spear phishing attacks, they mean nothing if you do not have a cyber aware workforce well-trained in Information Security who are able to recognise threats and lurking dangers in the digital landscape.

With tools such as Keepnet’s Awareness Educator, you are able to improve your cyber security posture through enhanced education and cutting-edge Information Security training. This is integrated with their Phishing Simulator module to help engage your colleagues with suitable courses and phishing simulations to grow awareness of sophisticated phishing and other malicious cyber threats, which allows you to reduce future risk.

KEEPNET NINJIO is a cybersecurity awareness solution that uses engaging, 3 to 4 minute Hollywood-style micro-learning videos to train employees and organizations to become defenders against cyber threats. KEEPNET NINJIO educates organizations, employees and families about cyberattacks, making them the first line of defense against today’s advanced attacks. Try it for free.

Keepnet is an anti-phishing solution and cybersecurity awareness training platform.