How to Stay Safe from a Watering Hole Attack

You must be thinking a watering hole is a hole from which animals drink water, or a pub, bar, or any kind of social gathering place. Well, that’s right, but there is another similar term in the cybersecurity world – Watering Hole Attack.

Watering hole attack image - zebras drinking and croc watching them
Image created by Market Business News.

About the attack

In order to carry out a watering hole attack, the hackers load malware onto a trusted (whitelisted) website, so that when a user opens the compromised page, malware is secretly loaded onto the user’s device. The websites chosen for this scam are usually poorly secured but receive heavy traffic from the intended victims. For example, it can be the website of a particular company which its employees need to visit daily.

Watering hole attacks first gained wide attention after ‘the VOHO affair’ in July 2012, when a blog post titled ‘Lions at the Watering Hole: The VOHO affair’ was published. That title produced the watering hole metaphor, which compares the attacker to a lion: just as a lion lies in wait beside a watering hole for its prey, the attacker sets a trap where the victims are known to come.

Target Group

This raises the question: how do the attackers find out which websites a particular user group frequents? Users themselves unknowingly provide this information simply by surfing the internet; the automated tracking services used by marketing and advertising networks expose our traffic patterns.

Poorly secured websites, such as those of smaller companies or blogs, are the usual targets. The attackers plant malicious code there and wait for users to become their victims. The success rate of this type of attack is usually very high because the attackers have already confirmed that the chosen website receives the traffic they want.

These attacks are also often carried out by nation-states that aim to break into a hardened network and steal important or confidential information.

The actual attack

Once the user visits the website, they are caught in the attacker’s trap without any defense. The user does not even need to click anything for the malicious files to be downloaded: a small piece of code is downloaded automatically and runs in the background.

It scans the device for vulnerabilities and, if it finds any, a larger piece of code is delivered to start the main attack. Once the system is under the attacker’s control, he can scan the device for sensitive information such as the user’s IP address, financial data and other personal information.

Once they have extracted whatever can be gained, they may run further code to damage the device and make the attack even more harmful.

This kind of attack can affect a large number of people in one go. The VOHO affair trapped more than 32,000 individuals from more than 4,000 organizations.

Previous instances

Though this type of attack is not very common, there have been some very prominent incidents. In 2016, the website of Myanmar’s president was infected in this manner by exploiting a JavaScript vulnerability. Anyone who visited the website during that period may have become a victim of the watering hole attack, which remained in effect for five months.

In 2018 the Department of Homeland Security reported an attack in which hackers broke into control rooms and gained the ability to potentially cause national blackouts. This disastrous incident was also brought about by the watering hole technique.

In 2014 a watering hole attack was executed on the US news website Forbes.com, exploiting vulnerabilities in Microsoft’s Internet Explorer browser and Adobe Flash. The targets were US defense contractors and financial services companies, and the attack was believed to be the work of Chinese state organizations.

Fighting this invisible threat

Employees in an organization can be trained to deal with phishing by recognizing a mimicked URL, but the main problem here is identifying a legitimate website whose content has been corrupted. However, by taking a few actions organizations can reduce the risk of a watering hole attack:

Removing vulnerable software

Though these attacks can be delivered through a number of software products, the ones most commonly targeted are Adobe Reader, Internet Explorer, and Flash. Removing or disabling this software on your device will reduce the threat.

Updating software on a regular basis

Attackers often make use of zero-day exploits in software to carry out the attack. Keeping your software updated, especially with security patches, lowers the risk.

Looking for any unusual behavior

Keeping an eye out for unusual activity gives you even more protection. For example, if an employee’s laptop has shared confidential business documents with an outside party, you should investigate the case as a possible watering hole attack.
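One way for a site owner or security team to tackle the problem raised above, spotting a legitimate site whose pages have been altered, is to baseline the scripts each page loads and alert when that set changes. The following Python example is added here and is not from the original article; the page contents and host names are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and SHA-256 hashes of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline_hashes = set(), set()
        self._buf = None            # list while inside an inline <script>, else None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.add(src)
            else:
                self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            code = "".join(self._buf).strip()
            self._buf = None
            if code:
                self.inline_hashes.add(hashlib.sha256(code.encode()).hexdigest())

def script_profile(html):
    """Return (external script URLs, inline script hashes) for one page."""
    p = ScriptCollector()
    p.feed(html)
    return p.external, p.inline_hashes

def detect_injected_scripts(baseline_html, current_html, trusted_hosts):
    """Diff a page against its known-good baseline: new external script URLs, the
    subset on hosts outside trusted_hosts (relative URLs count as same-origin and
    therefore trusted), and the number of inline scripts not in the baseline."""
    base_ext, base_inline = script_profile(baseline_html)
    cur_ext, cur_inline = script_profile(current_html)
    new_ext = sorted(cur_ext - base_ext)
    untrusted = [u for u in new_ext
                 if urlparse(u).hostname and urlparse(u).hostname not in trusted_hosts]
    return {"new_external": new_ext, "untrusted_external": untrusted,
            "new_inline": len(cur_inline - base_inline)}

# Constructed sample pages (placeholder hosts, not taken from any real site).
BASELINE_HTML = ('<html><head><script src="https://cdn.example.com/app.js"></script></head>'
                 '<body><script>init();</script></body></html>')
TAMPERED_HTML = ('<html><head><script src="https://cdn.example.com/app.js"></script>'
                 '<script src="https://unknown-host.test/loader.js"></script></head>'
                 '<body><script>init();</script>'
                 '<script>var f = document.createElement("iframe");</script></body></html>')
```

Run `detect_injected_scripts(BASELINE_HTML, TAMPERED_HTML, {"cdn.example.com"})` to see the unknown script host and the new inline script flagged; in practice the baseline would be taken from a clean deployment and the check run on a schedule.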

Using two-factor authentication

Watering hole attacks begin by stealing usernames and passwords. Using a second authentication factor makes it harder for the attacker to break into your system with those credentials.

These measures only reduce the probability of an attack; it cannot be prevented completely, because the corrupted websites cannot be identified in advance. However, it is always wise to stay aware.
