Watering Hole Attacks: What they are and how to avoid them

Blog / Watering Hole Attacks: What they are and how to avoid them

I’ve talked about many different kinds of attacks over the course of this newsletter. Ransomware gets a lot of attention (since it’s such a common attack), but I’ve also talked about phishing, social engineering, cross-site scripting and other types of attacks. It’s important to understand the vocabulary of computer security if you don’t want to get bamboozled by someone.

Today, we’re going to talk about one that hasn’t gotten as much attention, but is growing in frequency, called a watering hole attack. How exactly do these attacks work? Well, rather unsurprisingly, exactly the same way that a watering hole in real life works. It sits there and does nothing, until someone shows up to kick start everything.

Let’s go back and think about some of the more traditional attacks like phishing or denial of service attacks for a minute. All these attacks come at you from somewhere. You can be minding your own business and then out of nowhere a phising email shows up in your inbox.

The weakness here is that the attack has to come from somewhere which can expose the attackers’ IT infrastructure. One way hackers work around this is to infect other peoples machines. This saves investing in hardware but it means attackers need to constantly improve their infection methods to be able to infect new machines as they get discovered and cleaned.

So how do you mount a cyber attack without actually attacking a victim? You make them to come to you. How? That’s where the watering hole comes in. The term “watering hole” is slang for places people like to gather and chat, such as the office water cooler or the bar after work. In the context of the this particular attack, the watering hole is a website/link/anything that attracts victims. The “watering hole” itself is tainted with some kind of cyber poison, be it a cross-site scripting attack or credential stealer. There’s a plethora of possibilities. The big question is how do you attract victims?

That boils down to social engineering. Make your watering hole look like something important at the moment (big events in the news are often taken advantage of this way). As an example, there have been many COVID-19 based attacks in the past year. Everyone is looking for information and options, so the attackers might create a flashy website or service and let the search engines bring your victims to you. Part of what makes watering holes dangerous is that their creators likely monitor Google’s top search requests in order to craft a realistic, well-ranking site that will attract the most people. Watering hole attack architects can be both technically savvy and socially cunning.

Detecting a watering hole is kind of like detecting spam. Sometimes it’s going to be incredibly obvious as there will be problems with the design and layout of the site, errors in grammar or spelling, and other red flags. Other times the watering hole is going to be well done, carefully crafted, and very difficult to figure out. The best thing to do is stay up-to-date on current affairs and be aware of big events that attackers could target. Then have a healthy spoonful of skepticism and patience about any new service/site popping up suddenly in relation to that story.

There’s a perfect line from King Lear that applies when contemplating watering hole attacks. It goes “No, I will be the pattern of all patience; I will say nothing.”

If you have any questions about watering hole attacks, please reach out to your TRINUS Account Manager for some stress-free IT.


By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.

/Partners /Systems /Certifications

TRINUS is proud to partner with industry leaders for both hardware and software who reflect our values of reliability, professionalism and client-focused service.