Watering Hole Attacks – CompTIA Security+ SY0-501 – 1.2

If your network is secure, the bad guys might try to find an opening at the local watering hole. In this video, you’ll learn about watering hole attacks and how some real-world watering holes were poisoned by the bad guys.



Let’s say you’ve been working on security on your network. You’ve made it very secure. You’ve even set up your computers so that if somebody found a USB key that was lying in the parking lot, they would not be able to plug it into the computers and infect anything that’s on the inside of your network. You’ve set up a secure firewall. You have an intrusion prevention system. There’s no way that anybody from the outside can get into your network.

And the bad guys realize this as well. Nobody’s responding to their phishing emails. Nobody’s clicking on the links or opening the attachments inside of email. You have built the perfect security inside of your organization. So instead of trying to attack you directly, the bad guys are going to attack somebody that you visit. This is called a watering hole attack. With a little bit of research, they can find out where people within your company like to go on the internet, and then go and infect those locations.

One way to do this is to find out where people are going. The attacker can take an educated guess. Find the local coffee shops or sandwich shops; maybe their websites would be a place to start infecting to gain access to the people that are inside of your building. Maybe there are sites that are very focused on your industry. They know somebody inside of your building is going to visit that site eventually. So instead of sending the phishing email to you, the bad guys send the phishing email to that third-party site that you visit, infecting it through email attachments, through a vulnerability in their site, or through any other way they can find to compromise that website.

Of course, these infections at the coffee shop or the sandwich shop are affecting everybody who visits the website, but that’s OK from the attacker’s point of view. The bad guys are simply going to wait until you visit the watering hole, and at that point they’re going to infect those people that are visiting, and now they have access to the inside of your network.

A good example of an actual watering hole attack occurred in January 2017, and it occurred at the same time in different places around the world. The Polish Financial Supervision Authority was infected. The National Banking and Stock Commission of Mexico was infected, and a state-owned bank in Uruguay was infected. The attackers knew that people from other banks and other financial organizations would be visiting those sites. And now that they had infected the watering hole, they were also able to infect people that were visiting the watering hole.

For this particular example, malicious JavaScript files were installed onto these web servers, and the attackers narrowed their focus to only serve the malicious JavaScript files if the people visiting that site were coming from some very specific IP address ranges. Although there were machines that were shielded from this malicious tactic, there were devices that did manage to get infected. We aren’t quite sure what the ultimate extent of that infection was, but it was a very good example of a well-honed attack occurring simultaneously across a very large geography.

In IT security, a watchword is defense in depth. You want to be sure to have as many different ways to identify and stop these attacks as possible. You never rely on any single type of security. Instead, you layer them one on top of the other. You want to be sure you have a good firewall and a good intrusion prevention system, so that if something is coming through the network, you can stop it right there at the edge. And of course, make sure that you always have your anti-virus and anti-malware software installed, and make sure you always keep your signatures updated. One good example of this is the Polish Financial Supervision Authority attack. They had anti-virus running. They had updated their signatures, and the malicious JavaScript was stopped because they were running the latest version of the Symantec Antivirus.
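The attack above worked because new and edited JavaScript files appeared on a trusted web server without anyone noticing. One additional defensive layer for the operator of such a site is file integrity monitoring of the web root: take a hash baseline of the static files the server serves, re-hash on a schedule, and alert on anything added, removed or modified. The script below is an added example and is not code from the video or from any of the organizations it names; the web root, file names and the simulated tampering in `demo()` are constructed for the demonstration, and a real deployment would store the baseline somewhere the web server account cannot write.

```python
"""Baseline-and-diff integrity check for a web root (added example).

Builds a SHA-256 baseline of the static files a web server serves (HTML and
JavaScript) and reports files that were added, modified or removed since the
baseline was taken. A compromise that drops a new script or edits an existing
one shows up as a diff. All paths and sample files below are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Only script and markup files are watched here; extend as needed.
WATCHED_SUFFIXES = {".js", ".html", ".htm"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(web_root: Path) -> dict:
    """Map each watched file (path relative to web_root, POSIX form) to its digest."""
    return {
        p.relative_to(web_root).as_posix(): sha256_of(p)
        for p in sorted(web_root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Compare a stored baseline with a fresh scan; lists are sorted for stable output."""
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(k for k in known & seen if baseline[k] != current[k]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "static").mkdir(parents=True)
        (root / "index.html").write_text(
            "<html><script src=\"static/app.js\"></script></html>\n"
        )
        (root / "static" / "app.js").write_text("console.log('legitimate app');\n")
        (root / "logo.png").write_bytes(b"PNG placeholder, not a watched type")

        baseline_file = Path(tmp) / "baseline.json"  # keep this off the web root in practice
        save_baseline(build_baseline(root), baseline_file)

        # Simulated tampering (constructed): an existing script is edited, a new
        # script appears, and an unwatched file changes. Contents are harmless text.
        with (root / "static" / "app.js").open("a") as fh:
            fh.write("/* placeholder for appended content */\n")
        (root / "static" / "extra.js").write_text("/* placeholder new file */\n")
        (root / "logo.png").write_bytes(b"changed, but not a watched type")

        return diff_baseline(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    report = demo()
    for kind, files in report.items():
        print(f"{kind}: {', '.join(files) if files else '-'}")
```

Running it reports `static/app.js` as modified and `static/extra.js` as added, while the changed `logo.png` is ignored because only script and markup files are watched. In production the scan would run from cron or a scheduled task, the baseline would be refreshed only as part of a deployment, and any diff outside a deployment window would page someone, which is exactly the kind of layered check the defense-in-depth principle above calls for.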