Web security basics: Watering hole attacks VS phishing attacks

Computer users who are well versed with security threats know why and how clever phishing pages must be avoided. Clear signs help to identify fake phishing pages but what does one do against a “watering hole attack”?

What exactly is a watering hole attack?
A watering hole attack is a technique whereby users are profiled and the websites they visit are known by the attacker. Such websites are then infected with malware. Attackers compromise commonly visited websites to inject malicious JavaScript or HTML codes in order to redirect the victim to other malicious pages. On the victim’s machine, this effectively works like a zero-day attack.

In phishing attacks, masses of people are targeted simultaneously. For instance, phishing attacks are carried out against Facebook users or Gmail users. Phishing attacks are more widespread in nature and target a larger amount of people. On the other hand, watering hole attacks are narrowed down to target specific users only. So the infected websites are like a ‘watering hole’ where an attacker waits for his victims, like a predator waits for his prey. (Watering holes are depressions in the ground where water accumulates and animals go to satisfy their thirst. In jungles and wild terrains, predators wait for their prey to reach these watering holes and attack them.)

How does a watering hole attack work?
When a victim visits a compromised page, or the watering hole, his machine is scanned and checked for various requirements. If the web browser and the machine match these needs, he is sent to a malicious page that hosts malware infected code. In a scenario like this, unpatched operating systems, web browsers and out of date system protection software are highly vulnerable.

For instance, a watering hole attack will first ascertain which web browser a potential victim uses and the version of the browser as well. Then it will check if vulnerable programs like Adobe Flash or Java are installed. Subsequently, the system language of the machine will be found out. If any of these checks do not match, a blank page will be displayed. But if all the conditions are met, then a cookie is unloaded into the machine. Compromised machines are then targeted or redirected to infected websites or fake versions of legitimate websites.

In contrast to phishing attacks, watering hole attacks are aimed at people who visit websites that do not see heavy traffic. Websites that get a lot of visitors (like Facebook or Gmail) are more feasibly targeted directly with phishing attacks. Watering hole attacks also require plenty of prior research and work by the attacker.

With the rise in cases of cyber crime and cyberespionage, watering hole attack tactics are commonly used to target victims from specific industries like financial services, healthcare, defense, government, academia and utilities.

As precautionary measures, computer users are strongly advised to update the programs on their machine to the latest versions. They should also utilize an effective security solution and remain aware about the nature of threats that are present on the web.