“What are watering hole attacks” and “how to mitigate them” have been some of the most frequently asked questions people are looking to find answers to today. In this article, we will cover the definition of watering hole attacks, provide some real examples, and conclude with measures that can be taken to avoid falling victim to a watering hole attack.

Once the cyber criminals establish an individual’s favorite, trusted websites and sources of information, they investigate their vulnerabilities and how they can best be exploited for their devious ends.  They then start inserting malicious Javascript or HTML codes into your most frequented and trusted websites or recreate uncannily similar illegitimate ones after the cyber security weaknesses have been identified. The targeted users are then redirected to these sham, compromised websites where the malware or malvertisements are waiting to hook them with subsequent phishing and ransomware attacks. Consequences can be highly damaging through devastating data breaches costing millions as well as lots of negative PR and poor brand recognition for the company or organisation involved.

3. Real Life Examples of Watering Hole Attacks

3.1. The VOHO Affair

In this case, cyber criminals concentrated on legitimate websites in particular geographic regions which they believed would be frequented by organisations they wanted to attack and take advantage of. Users from the targeted organisation visited the fake watering hole website and through a malicious Javascript link were then redirected to an exploit site. This in turn checked the Windows OS and Internet Explorer of the victim’s computer before an “gh0st RAT” (a Remote Access Trojan) was installed to monitor areas of interest within that organisation collecting intelligence. The RAT malware can also have the potential to covertly infect and operate webcams and microphones.

It was discovered that in this particular campaign, websites related to finance and technology in the areas of Massachusetts and Washington D.C. were affected. It was reported that over 32,000 users visited the ‘watering hole’ site affecting 4,000 organisations across state, federal, educational institutions, defense and tech sectors.

3.2. Forbes

In 2015, attackers based in China used the watering hole technique to compromise the prestigious business website Forbes.com. Security Week reported that attackers took advantage of existing zero-day vulnerabilities in Microsoft’s Internet Explorer and Adobe’s Flash to create malicious versions of Forbes’ “Thought of the Day” feature. The Flash Widget was loaded every time someone visited a page of Forbes.com and then anyone with a vulnerable device was affected just by simply visiting while the campaign was running. Defense and financial service industries were particularly targeted by this watering hole attack.

3.3. Banks a favorite target of watering hole attacks

At the start of 2017, banks and financial institutions worldwide from Poland to Uruguay and Mexico were victims of a series of watering hole attacks that had become poisoned by cyber criminals wanting to lure innocent, trusting victims. Websites were found to be compromised with a code that would launch a devastating avalanche of malicious Javascript files from other breached domains, which hosted exploit tools that utilised Silverlight and Flash to distribute malware.

In the case of the Polish Financial Supervision Authority, a key victim of this watering hole attack, researchers found that its site had been compromised in October 2016, four months before the discovery of the breach. Fortunately, not all visits to the site were affected.

Users were targeted on the basis of a particular IP subnet and they were delivered the exploit kit and payload. The geographical locations of the IP addresses affected were primarily found to be banks from the US, Mexico, UK and Poland.

4. How to Defend against Watering Hole Attacks

To counter watering hole attacks, companies and organisations can take a number of preventive measures to adequately protect themselves from future malicious campaigns and their attacks.

Best practices involve a mix of the following:

• Regularly inspect the most visited websites by your employees for malware
• Prevent visits to all the compromised sites that you have discovered
• Set up your browsers and tools to let users know of bad sites with the use of website reputation
• Check all traffic from all third party and external sites and verify them before allowing your employees access to these sites

To help deliver verification and strengthen your cyber security posture, it is recommended that you have a multi-faceted approach which includes threat detection. Solutions such as Keepnet’s Threat Intelligence and Threat Sharing will allow you to protect your company or organisation.

4.1. Threat Intelligence and Threat Sharing

The Threat Intelligence module allows you to scan the web, looking for signs of suspicious activity which may cause potentially devastating breaches of your data security causing millions of dollars in clean-up operations. With the proactiveness of this module, you will be able to react quicker and shorten the period between potential data breaches and your defensive response so leading to a reduction in opportunities for fraudulent activity.

Keepnet™’s Threat Sharing is a highly important component of the cyber security arsenal. Instead of waiting to be a victim of a phishing attack, take preemptive measures to improve your cyber security defense. With such a platform, you can introduce an early warning system to provide inbox level incident responding, investigation and response. This allows you to react with maximum agility and so reduce response time as you no longer have to directly experience a malicious attack.

As soon as an incident occurs, the user reports this to their communities with whom this intelligence is then shared and triggers investigations through the Threat Sharing Community platform.

Use of such a threat sharing system will allow threat intelligence to be strengthened and expanded through a collective leveraging of knowledge in a network of communities built upon trust, reputations, shared goals and a willingness to protect their companies and the industries they work in.

4.2. Cyber Security Awareness Training / Information Security Awareness Training

Whatever systems you put in place against watering hole attacks or spear phishing attacks, they mean nothing if you do not have a cyber aware workforce well-trained in Information Security who are able to recognise threats and lurking dangers in the digital landscape.

With tools such as Keepnet’s Awareness Educator, you are able to improve your cyber security posture through enhanced education and cutting-edge Information Security training. This is integrated with their Phishing Simulator module to help engage your colleagues with suitable courses and phishing simulations to grow awareness of sophisticated phishing and other malicious cyber threats, which allows you to reduce future risk.

KEEPNET NINJIO is a cybersecurity awareness solution that uses engaging, 3 to 4 minute Hollywood style micro-learning videos to train employees and organizations to become defenders against cyber threats. KEEPNET NINJIO educate organizations, employees, and families against cyberattacks, making them the first line of defense against today’s advanced attacks.Try for free.