Skip to content

What is a Watering hole attack and how is it carried out?

  • by
  • 4 min read

Watering Hole is cyber-attack where the hackers compromise a set of websites which the target group is known to visit more often. The attacks are often against big businesses and organisations such as defence, banks, or even Human right groups. The plan is simple — to insert malware on the websites that the employees of a company visit and through that gaining access to the internal networks of the company.

The nomenclature, watering hole, is derived from the tactics which the predators use to catch the prey. When prey comes near a watering hole, which is a place where the water gets collected, the predator attacks the prey. Similarly, the hackers target only those websites which the victim visits regularly.

Nart Villeneuve is credited to document the attacks as early as 2009. The attacks are more dangerous as they are based on credible data, which hackers use to profile and then target the victims. Recent examples of the attacks include attacks on the International Civil Aviation Organisation, Polish Financial Supervision Authority, United States Department of Labour, US Council on Foreign Relations as well as on Forbes website, among others.

Also read: What is a Credential-based cyberattack?

How does the attack work? 

What is Formjacking? How it works and how to protect yourselfThe attack has several steps, as mentioned below.

Victim profiling

The attackers select a group of persons that they will target. The group or a single individual usually will be someone high in the company hierarchy. Target identification is level 1 of the attack.

Identifying the websites which the target visits

It is challenging to insert malware into major websites, such as Youtube or Facebook. So, to continue with the attack, the hacker will need small and less secure sites, which is easy to find — thanks to marketing and ad agencies.

As we have previously covered in the article on adware, the ads that we get on the websites, apart from being irritating, are also gathering our data including credit card numbers, username, passwords, among others. The information collected is then used to map the habits of the customers.

Hackers need access to that data, and through that, they can quickly pinpoint which websites the target likes to visit.

Inserting the malware

Now, the hackers plant malicious codes into less secure but frequently visited websites or blogs. Since those websites have less security, the attacker can insert malicious JavaScript or HTML codes. The malware directs the victim to another malicious site, and the system is compromised.

Finding vulnerabilities 

When the user opens the malicious links, hackers assess the victim’s device for any vulnerabilities. Hackers can prompt users to download malicious files, or the code is downloaded in the background without being detected.

The malware can be used for a zero-day exploit or can target unpatched applications.

The attack

Once hackers get hold of the loopholes present in the victim’s device, then they will carry out the real attack. The attack can be to access confidential information like financial records, sales records, among others. Such attacks are detrimental to the company and can even affect national security if targeted on defence establishments. The attackers can also delete sensitive information, which in turn can affect the revenues of the company.

Also read: What is code-signed Malware and ways to protect your device

How to protect yourself? 

Why is Cyber Security important? 5 tips to protect yourself
Photo by Nicole De Khors from Burst

There are various ways by which the users can protect themselves from being the victim of a watering hole attack. The methods are as follows:

  • The users should timely update the software and applications.
  • Companies and enterprises should monitor suspicious web traffic.
  • Companies should implement robust firewall mechanisms that will block suspicious websites.
  • The organisations should educate their employees about the current security threats along with possible mitigation techniques.
  • Big data analytics can be used by the organisations to coordinate and correlate activities happening around the world, and then concrete action plans should be built accordingly.
  • Organisations should document all the previous attacks on their networks for future learning.

Also read: What is a Whaling Cyberattack? How is it different from Phishing?

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: