WATERING HOLE ATTACK: What Is It & How Do You Prevent One?


A watering hole attack is a cyberattack in which a threat actor compromises a website that employees of the target organization visit regularly, so that the site delivers malware to their devices. Watering hole attacks are relatively rare, but they matter because they are hard to detect and a single infected workstation can expose the whole business to a breach. Read on to learn how a watering hole attack works, what warning signs to look for, and how to prevent one.

Watering Hole Attack Cyber Security

A watering hole attack is a targeted attack that tries to compromise users in a particular company or group by infecting websites they visit often. The name comes from predators in the animal world that wait near watering holes to ambush their prey.

In the digital world, attackers identify popular websites that their intended victims visit and exploit weaknesses in those sites. By compromising them and adding malicious code, the attackers aim to gain unauthorized access to the target organization's network through the computers of visitors who have no idea anything is wrong.

Watering Hole Attack Cyber Security: How It Works

Watering hole attacks, sometimes called "watering hole phishing," take their name from the way a predator strikes its prey while it drinks at a watering hole. Threat actors pick heavily used websites because that is where their targets are most likely to be. A victim who visits such a site routinely rarely questions its security, which is exactly what makes the approach effective.

Watering Hole Attack Cyber Security: Detailed Guide on How It Works

Understanding how attackers carry out and profit from watering hole attacks is as important as understanding what the attacks are. A watering hole attack typically unfolds in four steps: the attackers observe their targets, analyze the sites those targets use, plant a web-based exploit, and wait for victims to arrive. In more detail:

#1. Gathering Intelligence

The threat actor learns about the target group by observing its browsing habits. Search engines, social media, website demographic data, social engineering, spyware, and keyloggers are all common information-gathering tools. By the end of this step the attackers have a shortlist of websites that could serve as the watering hole.

#2. Analysis

The attackers examine the shortlisted websites for vulnerabilities in their domains and subdomains that can be exploited. They may also build a malicious clone of a site. Sometimes they do both, compromising the real website so that it redirects visitors to the fake one.

#3. Preparation

The attackers inject web-based exploit code into the website to infect their targets. Such code abuses browser-side technologies such as ActiveX, HTML, JavaScript, and image handling. They may also use exploit kits that serve the exploit only to visitors from specific IP address ranges, which keeps the attack aimed at the intended company and away from other visitors who might notice it.

#4. Execution

With the watering hole prepared, the attackers wait for the malware to do its work. If all goes to plan, the target's computers download and run the malicious code from the website. Web browsers are susceptible to web-borne exploits precisely because they routinely fetch and execute code from remote websites on the local device.
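The preparation step above almost always leaves a trace on the compromised site: a new `<script>` or `<iframe>` pointing at a host the site never used, or a new obfuscated inline script. The following Python check is an added example, not code from the original article, that a site owner can run to catch exactly that. It records the external script and iframe origins and the SHA-256 hashes of inline scripts from a known-good copy of a page, then reports anything a later copy adds. The two sample pages and the hostnames `cdn.example.com` and `updates.evil-example.net` are constructed for the demonstration.

```python
"""Detect script/iframe sources injected into a web page (watering hole check).

Added example, not from the original article. Builds a baseline of
external resource origins and inline-script hashes from a clean copy of
a page and diffs later copies against it. Sample pages are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ResourceCollector(HTMLParser):
    """Collects external script/iframe origins and hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = set()        # e.g. "https://cdn.example.com"
        self.inline_hashes = set()   # sha256 of each inline <script> body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag in ("script", "iframe") and src:
            p = urlparse(src)
            # Scheme-relative "//host/x.js" still carries a netloc; plain
            # relative paths are same-origin and are left to file-integrity
            # monitoring on the server, so they are skipped here.
            if p.netloc:
                self.external.add(f"{p.scheme or 'https'}://{p.netloc}")
        elif tag == "script":
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline_hashes.add(hashlib.sha256(body.encode()).hexdigest())


def collect(html: str) -> ResourceCollector:
    c = ResourceCollector()
    c.feed(html)
    c.close()
    return c


def build_baseline(known_good_html: str) -> dict:
    """Record the origins and inline-script hashes of a page known to be clean."""
    c = collect(known_good_html)
    return {"external": set(c.external), "inline": set(c.inline_hashes)}


def find_injections(html: str, baseline: dict) -> dict:
    """Return every origin or inline script in `html` that the baseline lacks."""
    c = collect(html)
    return {
        "new_external": sorted(c.external - baseline["external"]),
        "new_inline": sorted(c.inline_hashes - baseline["inline"]),
    }


# Constructed sample page (hypothetical site, not a real one).
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
</head><body><h1>Industry News</h1></body></html>"""

# The same page after a hypothetical compromise: a remote loader from a host
# the site never used plus an obfuscated inline dropper, the usual pattern.
COMPROMISED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="//updates.evil-example.net/ie.js"></script>\n'
    '<script>document.write(unescape("%3Ciframe%20src%3D..."))</script></body>',
)

if __name__ == "__main__":
    base = build_baseline(CLEAN_PAGE)
    print(find_injections(COMPROMISED_PAGE, base))
```

Run the baseline against a copy fetched from a trusted network path and re-run the comparison on a schedule; a new external origin on a page that has not been deployed is worth an incident ticket even if the script itself looks harmless, since exploit kits commonly gate their payload by visitor IP and will serve clean content to the scanner.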

Watering Hole Attack Cyber Security: Signs of a Watering Hole Attack

It can be hard to tell that a watering hole attack is under way until the damage has already spread to other devices and employees. Knowing the signs, however, can help you recognize that a website or your device has been compromised. Keep an eye out for the following:

#1. Getting more emails from niche websites

Threat actors sometimes try to lure victims to a fake version of a site they know the victim visits often, or to a real site that has already been compromised. An increase in emails from niche websites you have visited before may indicate that someone is steering you toward a watering hole.

#2. Constant Pop-Ups

Persistent pop-ups urging you to download a file or visit a website are a warning sign. Their purpose is to get you onto the compromised site, which then delivers malware to your computer.

#3. Changes to your browser’s security settings

Unexplained changes to your browser's security settings may indicate that an attacker is preparing a watering hole attack against you. Attackers weaken security settings so that malware can be installed without your knowledge and remain undetected afterwards.

#4. New Applications Downloaded

If your device contains newly installed applications that you do not recognize and did not install yourself, it may have been infected with malware from a watering hole attack. Such applications can steal your information without your knowledge.

#5. Missing Files

Missing files suggest that malware from a watering hole attack may have infected your device. Threats such as ransomware steal, alter, or encrypt files so that the attackers can sell them back to you or sell them on the dark web.

Watering Hole Attack Examples

Below are some examples of watering hole attacks from recent years:

#1. 2012 

Attackers compromised the website of the Council on Foreign Relations (CFR) in the United States using an Internet Explorer exploit. Notably, the exploit fired only for Internet Explorer browsers configured with certain languages.

#2. 2013 

A state-sponsored malware campaign hit industrial control systems (ICS) in the United States and Europe, targeting the defense, energy, aviation, pharmaceutical, and petrochemical sectors.

#3. 2013

Attackers harvested user information by using the website of the United States Department of Labor as a watering hole.

#4. 2016

Researchers found a custom exploit kit targeting organizations in more than 31 countries, including Poland, the United States, and Mexico. The attack may have been served from the web server of the Polish Financial Supervision Authority.

#5. 2016

The Montreal-based International Civil Aviation Organization (ICAO) is a gateway to almost every airline, airport, and national aviation agency. By compromising two of ICAO's servers, an attacker spread malware to other websites, exposing the sensitive data of roughly 2,000 users and staff members.

#6. 2021

Google's Threat Analysis Group (TAG) found widespread watering hole attacks targeting visitors to media and pro-democracy websites in Hong Kong. The infection installed a backdoor on the Apple devices of visitors.

Watering hole attacks are a favored technique of advanced persistent threat (APT) groups and can hit any kind of business anywhere in the world. Attackers also combine them with social engineering to go after retailers, real estate firms, and other businesses.

How to Prevent Watering Hole Attack

There is no single measure that stops a watering hole attack. Several measures together, however, make it much harder to pull off. Here is what you can do to protect yourself against this type of attack:

#1. End users should be educated

All end users should know what watering hole attacks are and that attackers compromise reputable websites to carry them out. Train users to recognize spam emails and to be cautious about clicking links, even when they appear to come from a trusted source. Encourage users to raise any possible security problem with their colleagues and the security team.

#2. Keep all Software Up To Date.

Traditional security tools such as firewalls and antivirus software rely on a library of signatures to recognize malware and other threats, and those signature files are updated regularly to cover the newest threats. Apply those updates promptly.

Beyond that, every piece of software that connects to the Internet needs to be kept current. Browser vendors in particular release security patches frequently to close the flaws that watering hole exploits depend on; installing them quickly reduces the chance of infection.

#3. Use a multi-layered approach to cyber security

Traditional defenses such as firewalls and antivirus software block many known threats, but a watering hole attack may use a zero-day exploit that slips past them. A second layer of security is therefore needed against unknown threats. Remote browser isolation (RBI) renders web content away from the endpoint so that no code from the site, harmful or not, executes on the end user's device, which prevents the watering hole exploit from landing.

#4. Use web application isolation.

Web application isolation helps keep your own website from being turned into a watering hole. It uses RBI to hide the attack surface that is exposed on the web, such as publicly reachable code or APIs, by running all of the application's active code in a virtual container. An attacker who tries to study and exploit the website's source code then sees only the code of the isolation layer rather than the application itself.

#5. A Security Audit from Professionals

Having a trusted cybersecurity professional audit your network is one of the best ways to keep it safe. An auditor can point out weaknesses you have missed and suggest fixes. Regular assessments also help head off future threats.

Watering Hole Attack Vs Pharming

Protect your business from both watering hole attacks and pharming with a sound security program and the right tools. Both techniques keep evolving and becoming harder to spot, so the defenses against them must evolve too.

Watering Hole Attack Vs Pharming: In Details

Here are the main similarities and differences between a watering hole attack and pharming:

#1. Definition

A watering hole attack places malware on websites that the attackers know their target group or organization visits often. The malicious code infects visitors' computers directly or redirects them to a malicious site that does, after which private information stored on those computers can be stolen or altered. Pharming, by contrast, directs users to fake websites built to look like the real thing. The attacker compromises a system in the resolution path (a DNS server, a router, or the victim's own computer) and plants code or configuration that changes where traffic goes.

#2. Techniques

Pharming uses techniques such as DNS hijacking, DNS cache poisoning, DNS spoofing, and tampering with the victim's local hosts file, whereas a watering hole attack looks for security vulnerabilities in the website itself in order to inject malicious code such as JavaScript or Hypertext Markup Language (HTML).
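Of the pharming techniques listed above, tampering with the local hosts file is the one an endpoint can check for itself, because the file is consulted before any DNS query is sent. The following Python script is an added example, not code from the original article: it parses hosts-file text, ignores comments and malformed lines, and reports any monitored domain that is mapped to an address other than loopback. The monitored domain list (`login.examplebank.com`, `mail.example.com`, `sso.example.com`) and the sample file content are constructed for the demonstration; loopback mappings are tolerated because administrators legitimately use them to sinkhole ad and tracking hosts.

```python
"""Flag hosts-file entries that redirect monitored domains (local pharming).

Added example, not from the original article. Parses hosts-file text and
reports monitored domains mapped to non-loopback addresses. The domain
list and the sample file are constructed for the demonstration.
"""
import ipaddress
import platform
from pathlib import Path

# Hypothetical domains the organization wants to protect (constructed).
MONITORED = {"login.examplebank.com", "mail.example.com", "sso.example.com"}


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # not an address: malformed line
        for host in parts[1:]:
            yield ip, host.lower().rstrip("."), no


def find_pharming_entries(text: str, monitored=MONITORED):
    """Return mappings of monitored domains (or their subdomains) to non-loopback IPs."""
    hits = []
    for ip, host, no in parse_hosts(text):
        watched = host in monitored or any(host.endswith("." + d) for d in monitored)
        if watched and not ip.is_loopback:
            hits.append({"line": no, "host": host, "ip": str(ip)})
    return hits


def default_hosts_path() -> Path:
    """Location of the live hosts file on the current platform."""
    if platform.system() == "Windows":
        return Path(r"C:\Windows\System32\drivers\etc\hosts")
    return Path("/etc/hosts")


# Constructed hosts-file content: normal entries plus two planted redirects.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# block an ad host (benign sinkhole to loopback)
127.0.0.1       ads.example.org
192.0.2.44      login.examplebank.com   # planted by malware
2001:db8::1     sso.example.com
"""

if __name__ == "__main__":
    for hit in find_pharming_entries(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
    # To scan the real file on this machine:
    # find_pharming_entries(default_hosts_path().read_text())
```

On a managed fleet this check belongs in the endpoint agent alongside a hash of the hosts file, since a single unexpected line for a banking or SSO domain is enough to divert every login from that machine; hosts-file tampering does not explain DNS-server or router-level pharming, which has to be caught by comparing answers from the configured resolver with those from a known-good one.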

#3. Examples

In 2007, a sophisticated pharming attack targeted at least 50 financial institutions around the world; users were directed to fake websites and asked to enter sensitive information. In 2013, attackers harvested user information by using the United States Department of Labor website as a watering hole.

#4. Preventive Measures

Against pharming, make sure the site you are visiting is served over HTTPS rather than plain HTTP, and never click through a certificate warning. The "s" means the connection is encrypted and the server presented a certificate valid for that domain name; an attacker who has redirected the domain to their own server generally cannot present such a certificate, so a certificate error on a familiar site is a strong pharming signal. HTTPS alone does not prove a site is trustworthy, however, because attackers can obtain valid certificates for look-alike domains they own. Against both attacks, keep all software up to date and keep the signature libraries of your antivirus and other security tools current so they recognize the newest threats.

How common are watering hole attacks?

Watering hole attacks are relatively rare, but they continue to have a high success rate.

How do waterholing attacks most often originate?

The attacker first identifies the group of end users to target, then profiles which websites that group visits regularly and compromises one of them to serve the exploit.

Why do they call it a watering hole?

A watering hole was originally "a source of water from which animals regularly drink," but sometime in the 1960s it came primarily to mean "a place (for humans) to socialize over drinks." Attackers who lie in wait at a site their victims regularly visit are behaving like predators at the original kind.

What is the difference between spear phishing and watering hole?

Spear phishing delivers the lure directly to chosen victims through targeted emails, whereas a watering hole attack waits for victims on a website they already trust. The two are often combined: in one campaign, attackers used spear phishing emails and watering hole attacks to trick victims into installing fake Flash Player downloads that carried malware, with the watering hole sites exploiting arbitrary code-execution vulnerabilities in Adobe Reader and Java.
