Watering Hole: The Latest Form of Cyberattack

There’s no limit to the creativity that scammers and hackers call upon to commit cybercrimes. With better awareness and detection of the current methods, criminals have to stay one step ahead in order to continue to target new victims. One of the more recently discovered forms of a cyberattack against businesses is the watering hole attack.

When you think of a watering hole in nature, it’s a place where a lot of different animals congregate in order to find water. If a predator wanted to hunt, it could simply come to the watering hole and watch for its next opportunity for a meal. It would be so much easier to hunt if the predator could fill the watering hole with a tranquilizer, causing all of the animals who drank from it to fall asleep.

That’s precisely how a virtual watering hole attack happens. Until now, hackers had to somehow install malicious software on their target’s computer network, using things like email attachments or links and hoping that someone within the company opened the email and downloaded the virus and that the company’s anti-virus software didn’t block it. Instead, hackers can now track a company’s daily web traffic (using the very same ad trackers that provide revenue to advertising companies), then poison the websites—or in this scenario, the “watering holes”—they visit.

Of course, infecting a major website isn’t easy, so hackers have to target smaller, less secure sites, like those that are highly specific to a certain business or industry. If your company orders its copier paper from Amazon, it’s highly unlikely that a hacker can target you by infecting Amazon. But if your business files daily sales reports with a small accounting firm by logging into their site, that might be an easier defense to break. All it takes is finding out which websites your employees use each day, then picking one whose defenses are the weakest.

There are several concerns with this kind of attack. First, you can’t “train” this out of your employees; more and more businesses are establishing computer policies that combat things like spear phishing, downloading files, or malicious link clicking, but in this case, the employees are visiting approved websites that are necessary for their work. Next, you have no control over the other guy’s website; if they don’t incorporate strong cybersecurity protocols, thereby allowing hackers to infect their site, you have no way of knowing about it.

The actual mechanism by which hackers take over your network is strange. Merely visiting the infected website—meaning, there’s no need to click or download anything—lets them scan your computer for vulnerabilities. If a security flaw is found on your end, then the website’s infected code inserts a harmful code into your computer, letting the hackers take over. That’s why it’s vitally important that you install software updates and security patches as they become available, along with keeping a strong, trusted antivirus software up-to-date and running.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Linking Your Phone Number to Your Account Carries Security Concerns

Pin It

Article Archives


ITRC Sponsors and Supporters 





Go to top


The TMI Weekly

Breaches here, identity theft there and invasions of privacy everywhere... Should you be worried and, if so, how can you protect yourself? Sign up now to receive The TMI Weekly and get the latest hot topics in identity theft, data breaches and privacy and helpful information on how to protect your information.