Skip to content

What is a Watering Hole attack are and how to prevent them

April 26, 2021
As companies strengthen their cybersecurity management, cybercriminals look for more effective ways to carry out attacks. That’s the case of the Watering Hole attack, a method that gradually is being adopted by cyber-criminals, APT groups, and nation-states.
In this attack strategy, attackers seek to compromise a specific group of users by creating a fake site to attract or simply infecting existing sites frequently visited by the targets.
The primary purpose is to steal combinations of usernames and passwords - but for that, the victim must continue to use the same credentials. Another common goal is to infect the victim’s computer to access the network within their workplace.
Some experts believe that the Watering Hole is an alternative to Spear Phishing, although each has its peculiarities. Watering Hole attacks are considered targeted attacks, but they can reach wider networks and deceive more victims than initially expected by the attacker.


What is a Watering Hole attack?

Phishing is like giving random people poisoned sweets and expecting them to eat. The Watering Hole attack, as the name says, is like, for example, poisoning a village’s water supply and just waiting for people to drink the infected water.
This name was inspired by the wild predators that prowl near water wells in the wild, waiting for the opportunity to attack a potential prey. In a Watering Hole attack, the “predator” (attacker) hides on specific sites that are popular for his “prey” (target) and looks for opportunities to infect them with malware to make these targets vulnerable.
In other words, instead of using a Spear Phishing email campaign to attract victims, hackers infect vulnerable sites that share a common interest with their targets and then direct them to sites or applications that contain malware.

What’s the purpose of Watering Hole attacks?

These attacks seek to spy on industrial or governmental sources most of the time to steal critical data from an opposing nation, industry, or political group.
The intention is to create or infect a website of interest to a group and thus obtain its data. Using the victim’s credentials or compromised machine, attackers try to access industrial and governmental intellectual property and sensitive data.

How does a Watering Hole attack work?

  1. First, attackers profile their targets by sector, position, etc. This helps them determine the type of sites and applications frequently visited and used by employees or members of a target entity.
  2. The attacker creates a new website or searches for vulnerabilities to implement malicious code, which redirects targets to a different website on which they host the malware.
  3. The exploit drops the malware on the target’s system.
  4. The attacker uses the dropped malware to initiate its malicious activities. As most people unfortunately still reuse passwords, the attacker often collects usernames and passwords to attempt credential filling attacks against targeted applications, companies, and websites.
  5. Once the victim’s machine is compromised, the attackers perform lateral movements in the victim’s network and, finally, exfiltrate the data.

Are Watering Hole attacks a threat to my company?

Although Watering Hole attacks are not yet as common as others, they pose a considerable threat as they are challenging to detect. These supply chain attacks typically target highly secure organizations, using their employees, business partners, connected suppliers, and even unsecured wireless networks as a means of access to conventions.
It is also essential to understand that these sophisticated attacks exploit victims’ computers via websites and include mobile apps for Android and iOS devices.
The success rate of these attacks is relatively high since attackers create new sites or compromise legitimate sites and applications that are not on the corporate Firewall negative list. Often, they use zero-day exploits, which do not have antivirus signatures, making the action even more indistinguishable.
Many people reuse their passwords on different platforms also influences the high success rate of Watering Hole attacks.


Who has suffered Watering Hole attacks?

We can see Watering Hole attacks being used to attack victims globally: from the Chinese government against political dissidents, foreign APTs against US nuclear scientists, industrial espionage against US and UK defense contractors, to attempts to steal searches from COVID-19.
One of the most sophisticated Watering Hole attacks was recently discovered by the security team at Google Project Zero. The survey found that a sophisticated Watering Hole attracted users from a given group to websites via an Android application and used four zero-day vulnerabilities in action.
Another attack, tracked by an antivirus company, found a much less sophisticated but still successful Watering Hole that incorporated a website, malicious Java, and a fake Adobe Flash update pop-up to trick a particular group of people.

How to avoid Watering Hole attacks?

  • Continuously test your current security solutions and controls to see if they provide adequate defense against browser-based applications and attacks.
  • Ensure that your security controls prevent the redirection of malware and rootkits from being successfully deployed.
  • Ensure that the browser control and the terminal software are correctly adjusted and that the web content and security proxy gateways are well configured.
  • Organizations must seek additional layers of advanced threat protection, such as behavioral analysis, which are much more likely to detect zero-day threats.
  • Update systems with the latest software and operating system patches offered by vendors.
  • All third-party traffic must be treated as untrusted until otherwise verified.
  • Educate your end-users about what watering hole attacks are and create easy-to-understand corporate materials for distribution.


This type of attack will continue as attackers leverage legitimate resources as a catalyst for attacks. That includes influencing search engine results, posting on popular social networks, and hosting malware on trusted file-sharing sites. It would be best to worry about Watering holes before your company members drink some of the poison.

Source: HiveCore Enterprise Solutions LLC

Scroll To Top