Watering Hole Attacks

The biggest innovation in targeted attacks by malicious actors in the past year is what are called Watering Hole Attacks, according to the Symantec Internet Security Threat Report 2013.

A Watering Hole Attack is indirect: instead of attacking the target directly, the attacker places malicious code on sites the target is known to visit. According to Threatpost, watering hole attacks have been “used primarily by state-sponsored attackers to spy on rival governments, dissident citizen groups and manufacturing organizations.” Two notable watering hole attacks in the past year compromised the Department of Labor website and the Council on Foreign Relations website. Watering hole attacks have also reached employees of Facebook, Apple, and Twitter, when malicious code was inserted on a popular iPhone software development site that their developers visited.

How it works:

Watering hole attacks have multiple phases in their implementation:

  1. Victims/targets are researched and profiled to identify which sites that group (or individual) visits or is likely to visit.
  2. Those identified websites are tested for vulnerabilities.
  3. Malicious code is injected into these sites.
  4. At this point the “watering hole” site is infected and ready to deliver malicious code to the targeted visitor when they appear.
  5. Upon visiting the infected site, the targeted visitor’s browser is silently redirected to a second site, where a separate piece of malicious code is downloaded onto the user’s computer, typically by exploiting an unpatched vulnerability in the browser or one of its plugins. At that point the attacker has control of the targeted user’s computer.

One of the reasons watering hole attacks are effective is that, in many cases, the watering hole website (the one that has been infected and is waiting to deliver malicious code) cannot simply be “blacklisted,” because it is a legitimate site that needs to remain operational. The Department of Labor site is an example: it has to stay available to the public, so blocking it is not an option, and the injected code sits on a page that visitors and security tools both trust.
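Because the infected site cannot be blocked, the practical defence for the site's operator is to look for the injection itself. The following is an added example, not code from the original post: a small Python scanner that parses a page's HTML and reports the artifacts step 3 above typically leaves behind, namely hidden iframes, script tags that load from a host outside an operator-maintained allowlist, meta-refresh redirects to an outside host, and obfuscated inline script. The `ALLOWED_HOSTS` set, the `scan` function and the two HTML samples are assumptions constructed for this example; the hostnames in them are placeholders, not real attack infrastructure.

```python
# Added example (not from the original post): scan a page's HTML for the kinds
# of injected content that turn a legitimate site into a watering hole.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site operator maintains the list of hosts the page
# legitimately loads scripts and frames from. Anything else is reported.
ALLOWED_HOSTS = {"example.org", "cdn.example.org"}

# Inline loaders are usually obfuscated; this catches the most common shapes.
OBFUSCATION = re.compile(r"eval\s*\(\s*(unescape|atob|String\.fromCharCode)")


class InjectionScanner(HTMLParser):
    """Collect (kind, detail) findings while parsing one HTML document."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def _external(self, url):
        # Relative URLs have no netloc and are treated as same-origin.
        host = urlparse(url or "").netloc.lower().split(":")[0]
        return bool(host) and host not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))
            elif self._external(a.get("src")):
                self.findings.append(("external-iframe", a["src"]))
        elif tag == "script":
            self._in_script = True
            if a.get("src") and self._external(a["src"]):
                self.findings.append(("external-script", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m and self._external(m.group(1).strip("'\"")):
                self.findings.append(("meta-refresh", m.group(1).strip("'\"")))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._script_buf)
            self._script_buf, self._in_script = [], False
            if OBFUSCATION.search(body):
                self.findings.append(("obfuscated-inline-script", body[:60]))


def scan(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of (kind, detail) findings for one HTML document."""
    parser = InjectionScanner(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legitimate-looking page after an attacker has planted
# an obfuscated loader, a hidden iframe and a third-party script in it.
INFECTED_PAGE = """<html><head>
<script src="https://cdn.example.org/site.js"></script>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));</script>
</head><body>
<h1>Example Agency - Press Releases</h1>
<iframe src="http://stats-tracker.invalid/c.php" width="0" height="0"></iframe>
<script src="http://stats-tracker.invalid/jquery.min.js"></script>
</body></html>"""

# Constructed sample: the same page as the operator published it.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.org/site.js"></script>
</head><body><h1>Example Agency - Press Releases</h1></body></html>"""

if __name__ == "__main__":
    for kind, detail in scan(INFECTED_PAGE):
        print(f"{kind:26s} {detail}")
    print("clean page findings:", scan(CLEAN_PAGE))
```

Run it against a saved copy of each page on the site (or on a schedule against the live pages) and alert on any finding. One caveat a practitioner should keep in mind: watering hole code is often served only to selected visitors (for example, by source IP range or browser type), so a scan from the operator's own network may see a clean page while the targeted visitor does not. Comparing the served HTML against the version in source control catches injections regardless of who the attacker chooses to serve.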

What to do:

The primary thing SMBs can do to reduce the risk of watering hole attacks is to keep software current, aka “patched,” since the final step of the attack depends on exploiting an unpatched browser, plugin, or operating system. For example, on user computers running Windows, allow Windows to auto-update its operating system, and keep browsers and plugins such as Java and Flash updated as well. Larger companies might have the resources to employ network analysis and detection, as well as data analytics, to mitigate watering hole attacks. However, as we know, the expertise, staffing, and time for this sort of activity are typically not available to SMBs.


What work-related (or non-work-related) websites do you or your employees visit?
