Table of Contents
    Home / Definitions / Watering Hole Attack
    Definitions 4 min read

    A watering hole attack, or strategic website compromise attack, is a hacking technique used to compromise a site that is frequently visited by a particular group of users. The attackers identify the vulnerabilities of that specific website and inject malicious codes into it. This gives attackers access to users’ personal computers and, thereby, their organization. In most cases, a watering hole attack aims for financial benefits, data breaches, and the reputation of the organization.

    Who may be impacted by a watering hole attack?

    Icon represents a watering hole attack.

    In the case of watering hole attacks, the attackers target legitimate websites (e.g., Forbes) that are frequented by its employees or other related persons. Potential industries targeted by attackers can include but are not limited to:

    • Finance (e.g., commercial banks, insurance companies, brokerage firms, credit unions)
    • Government (e.g., defense industries, educational institutions)
    • NGOs (e.g., religious and charity organizations)
    • Business and technology (e.g., e-commerce, telecom, data platforms)

    Some prominent real-life examples of watering hole attack

    Although watering hole attacks are limited, their impact can be significant:

    US Department of Labor watering hole attack

    The website of the U.S. Department of Labor (DoL) was hacked in mid-2013 in a watering hole attack. The attackers injected a malicious JavaScript code into the website’s Site Exposure Matrix (SEM) database related to nuclear energy. This redirected visitors to another website hosted with Poison Ivy, a remote access trojan mainly used to attack government organizations, which helped attackers gather information about their targeted systems.

    Watering hole attack of Forbes

    A Chinese group of attackers used a watering hole attack in 2015 to compromise by leveraging zero-day vulnerabilities in Forbes’ “Thought of the day” widget. Although there are millions of visitors to Forbes, only some visitors from the defense and financial industries were infected with the malware.

    Watering hole attack of Polish banks

    A group of attackers, known as the Lazarus group, attacked several Polish banks in a watering hole attack. The attackers used the website of the Polish Financial Supervision Authority (KNF) to target the financial institutions. The authorities shut down the entire network of KNF to avoid the spread of malware and to secure the evidence of the attack.

    How does a watering hole attack occur?

    1. The attackers follow the websites that are frequented by a group of targeted users and identify the vulnerabilities associated with that website. 
    2. Then, the attackers inject malicious codes in JavaScript or HTML into any of the components of a web page like ads, banners, etc. 
    3. The malicious code injected into the website redirects the targeted users to another website in which the malware is present. 
    4. The malware script is automatically downloaded into the targeted victims’ systems when they visit the infected website.
    5. The malware gathers all the information of the victims and sends it to the network server of the attackers.

    How does a business guard against the impact of watering hole attacks?

    In addition to enterprise-class security systems, there are immediate steps individual employees and IT personnel can take to protect against watering hole attacks.

    Update software regularly

    Attackers primarily look for system or software vulnerabilities. Therefore, the best practice to avoid watering hole attacks is to keep systems and software up-to-date and ensure all security patches are installed as soon as they get published.

    Change the IP address regularly

    Changing the IP address regularly reduces the chances to get exposed to watering hole attacks. Most attackers target the victims based on their IP address. Therefore, change the IP address frequently to mask the employees of organizations that make attackers difficult to track.

    Do regular network security checks

    Conducting regular network security checks and user access, detailed traffic analysis, and so on helps organizations identify malicious activities. It also helps organizations to prevent their employees from accessing malware-infected websites and automatic downloads of malware toolkits.

    Use VPNs and firewalls

    Use appropriate VPNs to mask the identity of users and hide their online activities from outsiders. The use of proper firewalls and other software products also helps organizations to protect against watering hole attacks.

    The right VPN is a critical piece of protecting your tech infrastructure and your business. ServerWatch goes into detail on top VPN services you should consider.