How does it work?
A targeted attack designed to compromise users within a specific industry or function by infecting websites they typically visit and luring them to a malicious site. Watering Hole attacks, also known as strategic website compromise attacks, are limited in scope as they rely on an element of luck. They do however become more effective, when combined with email prompts to lure users to websites.
Attackers that are attempting opportunistic attacks for financial gain or to build their botnet can achieve this by compromising popular consumer websites. But the targeted attackers that are after more than financial gains tend to focus on public websites that are popular in a particular industry, such as an industry conference, industry standards body, or a professional discussion board. They will look for a known vulnerability on the website, compromise the site, and infect it with their malware before they lie in wait for baited users.
Attackers will even prompt users to visit the sites by sending them ‘harmless’ and highly contextual emails directing them to specific parts of the compromised website. Often, these emails do not come from the attackers themselves, but through the compromised website’s automatic email notifications and newsletters that go out on a constant basis. This makes detection of the email lures particularly problematic.
As with targeted attacks, typically the user’s machine is transparently compromised via a drive-by download attack that provides no clues to the user that his or her machine has been attacked.
How can I protect against it?
Web gateways to defend the enterprise against opportunistic drive-by downloads that match a known signature or known bad reputation can provide some detection capability against opportunistic Watering Hole attacks. To defend against more sophisticated attackers, enterprises should consider more dynamic malware analysis solutions that check for malicious behavior on the most suspicious destination websites that user’s browse to.
To protect against targeted email lures to Watering Holes, look for an email solution that can apply similar dynamic malware analysis at the time of email delivery and at click-time by the users. Additionally, to defend the organization effectively, the solution must provide for mechanisms to protect the user whether or not they are on the corporate network and traversing through on-premise security controls.