What is a watering hole attack and how is it executed?

The term watering hole attack comes from the tactic by which predators wait at watering holes for their victims to show up, so they can attack them more easily.

In a computing context, a watering hole attack is a type of cyber attack in which hackers first build a profile of their victims. After observing them carefully for a while and collecting information about their habits, they can work out which websites their victims visit on a regular basis (for example a weather forecast site, a newspaper or a flight search engine).

Once hackers know their victims' habits, the next step of a watering hole attack is to identify vulnerabilities in those sites and use them to inject malicious code into the ads, banners and other content displayed on them.

As a result, when users access these websites, a script is executed automatically (or a piece of malware is downloaded), infecting the users' devices.
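The mechanism described above leaves a concrete trace on the compromised page itself: a script or frame is now loaded from an origin the trusted site never used before. The following is an added example (not code from the original post, and not part of the RITech product) of a defender-side check that records the script and iframe origins of a known-good copy of a frequently visited page as a baseline and flags any resource later served from an origin outside it. All site names, the baseline and both page bodies are constructed for the example.

```python
"""Flag scripts/iframes on a trusted page that come from origins outside a
recorded baseline (added example; hostnames and page bodies are constructed)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed baseline: the origins the hypothetical site www.example-news.test
# is known to load scripts and frames from, taken from a clean crawl.
BASELINE_ORIGINS = {
    "https://www.example-news.test",
    "https://cdn.example-news.test",
    "https://ads.known-adnetwork.test",
}

PAGE_URL = "https://www.example-news.test/weather"

# Constructed known-good page body.
CLEAN_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.example-news.test/lib.js"></script>
</head><body>
<div id="banner"><iframe src="https://ads.known-adnetwork.test/banner?id=42"></iframe></div>
</body></html>"""

# Constructed copy of the same page after a hypothetical compromise of the ad slot:
# the banner now also pulls a script and a frame from an origin the site never used.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    '<div id="banner">',
    '<div id="banner"><script src="https://stats.unknown-third-party.test/t.js"></script>'
    '<iframe src="https://stats.unknown-third-party.test/f"></iframe>',
)


class ResourceCollector(HTMLParser):
    """Collects every <script src> and <iframe src> on a page and counts inline scripts."""

    def __init__(self):
        super().__init__()
        self.resources = []       # (tag, src) for external scripts and frames
        self.inline_scripts = 0   # <script> blocks without a src attribute

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            self.resources.append((tag, src))
        elif tag == "script":
            self.inline_scripts += 1


def resource_origin(src, page_url):
    """Resolve a relative or protocol-relative src to its scheme://host origin."""
    parsed = urlparse(urljoin(page_url, src))
    return f"{parsed.scheme}://{parsed.netloc}".lower()


def audit_page(html, page_url, baseline=BASELINE_ORIGINS):
    """Return scripts/frames loaded from origins outside the baseline.

    Each finding is (tag, origin, src). On a page whose baseline came from a
    clean crawl, a non-empty result is exactly the change a watering hole
    compromise produces: new code pulled from an origin the site never used.
    """
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, src in collector.resources:
        origin = resource_origin(src, page_url)
        if origin not in baseline:
            findings.append((tag, origin, src))
    return {"unknown_origins": findings, "inline_scripts": collector.inline_scripts}


if __name__ == "__main__":
    for name, body in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_page(body, PAGE_URL))
```

The baseline is keyed on origin rather than full URL so that legitimate cache-busting query strings do not trigger alerts, while a new host does. The inline script count is reported separately because an attacker who can edit the page may embed code directly instead of referencing a new host; a jump in that number between crawls deserves the same attention as a new origin.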

Why do hackers choose this type of attack?

Due to the use of trusted sites as infection points, these attacks often go unnoticed.

What is the profile of the victims?

Hackers are generally not interested in home networks, but in employees. By deceiving employees, they can gain access to the corporate network and, therefore, to confidential and/or strategic information.

How can a watering hole attack be avoided?

The fact that hackers choose trusted sites that are not on blacklists, together with the use of zero-day exploits, makes it very difficult for traditional, reactive tools such as antivirus products or URL categorization tools to detect these attacks before it is too late. The only way to prevent this or any other type of web-based malware attack is by using the web isolation technology RITech. As mentioned in previous posts, its proactive approach allows the “good guys” to be one step ahead of the “bad guys” for once.

Thanks to RITech, companies and governments will no longer have to worry about whether a legitimate site has stopped being safe in the last 24 hours, or whether their antivirus is reporting false positives or false negatives. Attacks will continue to happen, but the “bad guys” will never be able to enter these isolated environments and, therefore, reach users' devices.
