top of page

Watering hole attacks – what are they and how to prevent them?

A watering hole is a waterhole from which animals regularly drink, right? True. Or a pub, bar or restaurant – any place where people gather socially, right? Also true. Well in the world of cyber security there is a third, which derives its name from the first two – a ‘Watering hole attack.’

The concept behind the watering hole attack is that in order to insert malware (malicious software) into a company, you must stalk an individual or group and place malware on a site that they trust (a “watering hole”), as opposed to in an email that will be quickly discarded.

Identifying a “Watering Hole”

It’s difficult to get malware onto the major sites most people visit like or, so attackers need to know which smaller, less-secure sites (i.e. watering holes) are frequented by employees of the targeted company.

But how does an attacker find what watering holes an entire organisation or company frequents and how often? And how can they capture this information without anyone clicking anything?

Tracking Services

Users unknowingly provide all of this information simply by surfing the internet as they normally do. When a user surfs the internet from their company these days, automated tracking methods used by marketing and ad tracking services identify traffic patterns and accesses. These tracking services silently capture all this information without users ever being aware their actions online are being followed.

This would seem to be harmless information (besides those annoying ads you must endure), but the tracking services are essentially mapping the behavioural web patterns of your entire organisation. This shows which sites employees frequent, and this information also allows attackers to deduce your company’s browsing and cloud services access policies. In other words, it tells an attacker which watering holes you let your users visit.

Setting the Trap

This gives the attacker/s a map of the sites to target for infiltration. They target the most vulnerable sites, smaller companies or blogs that don’t have strict security. They plant malicious code on the watering hole site. Once the trap is laid, they simply wait for users to visit the sites they have frequented in the past.

The probability of success is significantly higher for watering hole attacks since the attacker has used the tracking service’s data to confirm that traffic to the site is both allowed and frequent. When a user visits the site, the malicious code redirects the user’s browser to a malicious site so the user’s machine can be assessed for vulnerabilities. The trap is sprung.

The Actual Attack

Once the user steps in the trap by visiting the watering hole they are assessed for vulnerabilities. Using drive-by downloading techniques, attackers don’t need users to click or download any files to their computer. A small piece of code is downloaded automaticallyin the background. When it runs, it scans for zero-day vulnerabilities (software exploits discovered by the most sophisticated cyber criminals that are unknown to the software companies) or recently discovered exploits that users have not yet patched in Java, Adobe Reader, Flash, and Internet Explorer (that software update from Adobe may be important, after all).

The user’s computer is assessed for the right set of vulnerabilities and if they exist, an exploit, or a larger piece of code is delivered that will carry out the real attack. Depending on the user’s access rights, the attacker can now access sensitive information in the target enterprise, such as IP, customer information, and financial data. Attackers also often use the access they’ve gained to plant more malware into software source code the user is developing, making the attack exponentially more threatening.

Watering hole attack infographic - GoldPhish

What is the threat?

Watering hole attacks pose a significant threat, as they are difficult to detect and typically target high-security organisations through their low-security employees, vendors or an unsecured wireless network. They have been increasingly used by APT (Advances Persistent Threat) groups to access the networks of large companies and government agencies or political groups.

In 2014, a watering hole attack on US news site, which exploited vulnerabilities in Adobe Flash and Microsoft’s Internet Explorer browser, is thought to have resulted in further attacks against US defence contractors and financial services companies. The attacks were believed to be the work of Chinese state espionage organisations, according to cyber security services company iSight.

A watering hole attack was used by Chinese hackers to steal intellectual property and industrial trade secrets from US aerospace contractors. In October 2018, US federal prosecutors accused Chinese government intelligence officers of repeated computer intrusions to steal turbofan jet engine designs.

How to Prevent Waterhole Attacks?

Update your software Watering hole attacks often exploit bugs and vulnerabilities to infiltrate your computer, so by updating your software and browsers regularly, you can significantly reduce the risk of an attack. Make it a habit to check the software developer’s website for any security patches. Or better yet, hire a managed IT services provider to keep your system up to date.

Watch your network closely To detect watering hole attacks, you must use network security tools. For example, intrusion prevention systems allow you to detect suspicious and malicious network activities. Meanwhile, bandwidth management software will enable you to observe user behaviour and detect abnormalities that could indicate an attack, such as large transfers of information or a high number of downloads.

Hide your online activities Cybercriminals can create more effective watering hole attacks if they compromise websites only you and your employees frequent. As such, you should hide your online activities with a VPN and your browser’s private browsing feature.

At the end of the day, the best protection is staying informed. As cyberthreats continue to evolve, you must always be vigilant and aware of the newest threats. Tune in to our blog to find out about the latest developments in security and to get more tips on how to keep your business safe.


CybACADEMY courses powered by GoldPhish® educates employees on the cyber risk and helps build a more secure organisation with awareness training.



bottom of page