What Is a Watering Hole Attack?

A watering hole attack is a targeted attack designed to compromise users within a specific industry or group of users by infecting websites they typically visit and luring them to a malicious site. The end goal is to infect the user’s computer with malware and gain access to the organisation’s network. Watering hole attacks, also known as strategic website compromise attacks, are limited in scope as they rely on an element of luck. They do however become more effective, when combined with email prompts to lure users to websites.

The term watering hole attack got came from the animal kingdom where predators in the wild will wait by a watering hole to attack their prey. Cyber attackers that are attempting opportunistic watering hole attacks for financial gain or to build their botnet can achieve their goals by compromising popular consumer websites. But the targeted attackers that are after more than financial gains tend to focus on public websites that are popular in a particular industry, such as an industry conference, industry standards body, or a professional discussion board. Similar to animals in the wild, hackers wait for users to visit the infected website to attack them. They will look for a known vulnerability on the website, compromise the site, and infect it with their malware before they lie in wait for baited users to attack.

Attackers will even prompt users to visit the sites by sending them ‘harmless’ and highly contextual emails directing them to specific parts of the compromised website. Often, these emails do not come from the attackers themselves, but through the compromised website’s automatic email notifications and newsletters that go out on a constant basis. This makes detection of the email lures particularly problematic.

As with targeted website bating attacks, typically the user’s machine is transparently compromised via a drive-by download attack that provides no clues to the user that his or her machine has been attacked. This can make defending against watering hole attacks challenging for organisations. Without protection against these attacks, websites can be infected for months or even years before they are detected.

Watering hole attacks have been gaining momentum in recent years. And while these bating attacks are often used for financial gain as hackers steal personal data such as personal identifiable information (PII) and banking information, some attacks are for other reasons, such as political motivation. Religious communities, political party websites, and the media have all been victims of recent attacks. And the victims of these attacks were not only the sites they targeted but the users who visited their sites and were unwittingly compromised as well.

Organisations can protect themselves against watering hole attacks with advanced targeted attack protection solutions. Web gateways to defend the enterprise against opportunistic drive-by downloads that match a known signature or known bad reputation can provide some detection capability against opportunistic watering hole attacks. To defend against more sophisticated attackers, enterprises should consider more dynamic malware analysis solutions that check for malicious behaviour on the most suspicious destination websites that user’s browse to.

To protect against targeted email lures to watering hole attacks, look for an email solution that can apply similar dynamic malware analysis at the time of email delivery and at click-time by the users. Additionally, to defend the organisation effectively, the solution must provide for mechanisms to protect the user whether or not they are on the corporate network and traversing through on-premises security controls.

Proofpoint provides a range of cybersecurity services to meet every organisation’s needs to combat watering hole attacks and other threats. Our web security services protect against advanced threats that users may encounter as they browse the web, including these drive-by download attacks. The advanced web threat protection detects and prevents malware using industry-leading threat intelligence solutions and blocks known infected sites automatically.

Cloud App protection services keeps cloud-based data on platforms such as Google Workspace and Microsoft 365 secure by providing insights, assessing risks and supporting organisations with security awareness training to change user behaviour to avoid malicious attacks.

Proofpoint’s premium cybersecurity services provide the ultimate layer of defence to optimise your business’s systems and respond to threats. Our team of experts provides guidance, ongoing threat analysis, security training, email fraud defence, and more to protect against watering hole attacks, other baiting attacks, and all security threats that can harm your organisation.