Watering Hole Attacks

By NYU Global Office of Information Security |  Updated February 28, 2022


Tips on Outsmarting the Hackers

Although technology security experts are constantly devising new ways to protect computers, computer networks, and online identities, there are still a number of ways a potential attacker can attempt to illegally gain access to a person’s computer or an institution’s network. Recently, a number of companies—including Apple, Facebook, and Microsoft—have been targeted with something referred to as a “watering hole attack.” These attacks are often aimed at companies that are well known, and they target these companies in an indirect manner that uses a separate site as an attack vector. It is not an attack using the websites of these companies, nor on the users of those websites, but is instead an attack that targets entirely separate websites that might be frequented by employees of the targeted company. IT groups at NYU do a lot to keep the University’s servers and networks safe, and you can help by following the recommendations described below when you surf the Web, even at sites which appear to be innocuous.

Information security discussions are plagued with bad analogies, and none sounds stranger than a “watering hole attack,” which plays off the tactic in which predatory animals stalk food by waiting at a popular watering hole. Rather than hunt their prey, the predator will wait for the prey to come to it. Hackers are doing something very similar to gain access to systems that might otherwise be too well protected. Rather than relying on a phishing email campaign to lure victims, hackers are infecting less secure sites that are of everyday interest to their targets. For example, while the computer network of a certain corporation might be secure from hackers, the website of a nearby popular restaurant from which employees of the corporation frequently order lunch may be substantially less secure, allowing the hacker to obtain access to the true target—the corporation’s network—via an insecure website visited by employees.

How Watering Hole Attacks Work

A watering hole attack typically works in the following way (for an illustration, as well as more detailed technical information, see Trend Micro’s Watering Hole 101 article):

  1. The attacker gathers information about their potential victims and what sites they visit.
  2. The attacker injects an “exploit” (malicious code) into selected sites often visited by the targeted victims. The injected code delivers malware, which then attempts to take advantage of any security vulnerabilities in the visitor’s computer or browser.
  3. Once the attack has circumvented the target network’s protections and used a third-party website to plant malware on a computer within that target network, an attacker can begin malicious activities.
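The injection in step 2 usually shows up as a script or iframe tag pointing at a host the site never used before. As an added example (not from the NYU article), this Python check parses a page and flags any script or iframe source whose host is not on a baseline allowlist; the allowlist and the sample page are constructed assumptions.

```python
"""Added example: flag unexpected third-party script/iframe sources in a page,
the kind of injected code a watering hole attack plants on a legitimate site.
Assumes a site owner maintains a baseline of hosts their pages load from."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist for the site being checked (assumption, not real hosts).
ALLOWED_HOSTS = {"www.example-restaurant.test", "cdn.example-restaurant.test"}


class ExternalResourceParser(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append((tag, value))


def find_unexpected_sources(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, src) pairs whose host is not in the allowlist.
    Relative URLs (no host) are served by the site itself and are not flagged;
    protocol-relative URLs such as //host/x.js are parsed like absolute ones."""
    parser = ExternalResourceParser()
    parser.feed(html)
    flagged = []
    for tag, src in parser.sources:
        host = urlparse(src).hostname
        if host is None:  # relative path: first-party resource
            continue
        if host not in allowed_hosts:
            flagged.append((tag, src))
    return flagged


# Constructed sample page: two legitimate resources plus two injected ones.
SAMPLE_PAGE = """<html><head>
<script src="/static/menu.js"></script>
<script src="https://cdn.example-restaurant.test/jquery.js"></script>
<script src="//unknown-host.test/x.js"></script>
</head><body><iframe src="https://other-unknown.test/ad"></iframe></body></html>"""

if __name__ == "__main__":
    for tag, src in find_unexpected_sources(SAMPLE_PAGE):
        print(f"unexpected <{tag}> source: {src}")
```

Run it periodically against your own pages (or a fetched copy) and treat any new host as something to investigate, since a compromised site is the attacker's delivery point.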

While watering hole attacks cast a wide net and snare more victims than the attacker wants, these are still directed attacks. With “spear phishing”—email that attempts to convince a user to click a certain link or give up a certain piece of confidential data and is designed to look like it has come from a trusted source (using an official company logo, for example, or an authentic-looking email address)—the user has to take some specific action to enable the attack, even if they have been fooled into doing it. With watering hole attacks, however, the user simply has to visit a website that is perfectly reasonable for them to visit. Watering hole attacks do not require the intended target(s) to be “socially engineered” (or tricked) into visiting a malicious or compromised site. All it requires is for a website of interest to the target group to be compromised; the attacker can then just wait for the target to come calling.

As an example of how a watering hole attack might affect a member of the NYU community, consider a student or staff member who frequently logs on to a non-NYU website to do research, not knowing that it has been compromised by an attacker who is patiently waiting for someone to visit it. Once a victim visits the compromised site, the exploit takes advantage of software vulnerabilities, either old or new, to drop malware onto the visitor’s computer.

Preventing a Security Breach

The first and simplest step to prevent a watering hole attack from succeeding and to protect the NYU network is to ensure you run timely software and operating system updates and patches offered by vendors. Both Mac and Windows operating systems can be set to regularly check for security updates and install them either automatically or with your approval. Additionally, if you have not already done so, you should download and install Symantec Endpoint Protection.

NYU IT teams take many steps to protect the integrity and security of the NYU network, along with the data that resides on it. Network scanning, quarantining of compromised computers, and suspension of hacked accounts take place on a daily basis. In addition, a variety of resources on how to recognize and avoid phishing scams, create secure passwords, protect restricted data, and follow other security best practices are available at the websites listed below. A shared network is a shared responsibility; taking the steps above and reviewing the links below will help ensure that you are following NYU policies and guidelines and helping to protect our network as a whole.