Social Engineering Technique: The Watering Hole Attack

Ann Rotich
4 min read · Aug 16, 2021

They say the human being is the weakest link when it comes to security. You can have the best security hardware, software and policies in place to protect your organization or company from cyber attacks but it just takes one click on a phishing link that an employee has just received on their email account and boom, the whole organization is compromised and attackers gain access to the system. What do you understand by the term social engineering?

We will begin with a few definitions of terms:

Social Engineering, in the context of information or cyber security, is the psychological manipulation of people into performing actions or divulging confidential information. There are various techniques used in social engineering such as phishing, vishing, baiting, scareware, spear phishing, pre-texting, whaling attacks among others. In this article we will focus on one specific social engineering technique called the watering hole attack.

A Watering Hole Attack is a social engineering technique where the attacker seeks to compromise a specific group of end users, either by creating new sites that would attract them or by infecting existing websites that members of that group are known to visit. The goal is to steal username and password combinations in the hope that the victim reuses them, or to infect a victim’s computer and gain access to the network within the victim’s place of employment. The name is inspired by predators in the wild who prowl near watering holes, waiting for the opportunity to attack potential prey.

In a Watering Hole attack, the “predator” (attacker) lies in wait on specific websites that are popular with its “prey” (target), looking for opportunities to infect them with malware and so make these targets vulnerable. In other words, rather than using a spear phishing email campaign to lure victims, hackers infect vulnerable sites that share a common interest with their targets, and then redirect the victims to the attacker’s site or application, which contains malicious content such as malware.
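From the site owner’s side, the injection described above (an extra script, iframe or redirect planted on a legitimate page) is something you can check for mechanically. The following is an added example, not code from the original article: it parses the HTML a page actually serves and reports every external origin the browser would be told to contact that is not on an allowlist. The page, the allowlist and the `static-analytics.invalid` host are all constructed for the example.

```python
"""Added example: detect injected external resources in a page you own.

A watering hole attack plants a script, iframe or redirect on a legitimate site
so that visitors are sent to attacker-controlled content.  One control for the
site owner is to compare the HTML actually served against an allowlist of
origins the page is supposed to load from.  Allowlist, hostnames and HTML below
are constructed for this example; they are not taken from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins the page is known to legitimately reference (constructed allowlist).
ALLOWED_ORIGINS = {"www.example-industry-news.test", "cdn.example-industry-news.test"}

# Tag/attribute pairs that make the browser fetch or navigate somewhere else.
WATCHED = {
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),
}


class ResourceCollector(HTMLParser):
    """Collect every URL a page instructs the browser to load or navigate to."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in WATCHED.get(tag, ()):
            url = attrs.get(attr)
            if url:
                self.findings.append((tag, attr, url))
        # <meta http-equiv="refresh" content="0;url=..."> is a classic redirect injection
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            if "url=" in content.lower():
                target = content.split("=", 1)[1].strip()
                self.findings.append(("meta-refresh", "content", target))


def origin_of(url, page_host):
    """Return the host a URL points at; relative URLs resolve to the page's own host."""
    parsed = urlparse(url)
    if parsed.scheme in ("javascript", "data"):
        return parsed.scheme + ":"  # inline payloads are reported under their scheme
    return parsed.netloc.lower() or page_host


def find_unexpected_origins(html, page_host, allowed=ALLOWED_ORIGINS):
    """Return (tag, attr, url, host) for every reference outside the allowlist."""
    parser = ResourceCollector()
    parser.feed(html)
    unexpected = []
    for tag, attr, url in parser.findings:
        host = origin_of(url, page_host)
        if host != page_host and host not in allowed:
            unexpected.append((tag, attr, url, host))
    return unexpected


# Constructed page as its owner expects it to be served.
CLEAN_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-industry-news.test/app.js"></script>
</head><body><h1>Industry news</h1></body></html>"""

# Constructed copy of the same page after an injection: one extra script tag and a
# zero-size iframe pointing at a host the page never referenced before.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="//static-analytics.invalid/a.js"></script>'
    '<iframe src="http://static-analytics.invalid/l.html" width="0" height="0"></iframe>'
    "</head>",
)

if __name__ == "__main__":
    for page_name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        hits = find_unexpected_origins(page, "www.example-industry-news.test")
        print(page_name, "->", hits or "no unexpected origins")
```

Run against a copy of your own pages on a schedule (or after every deployment) and alert on any non-empty result; the same allowlist is a good starting point for a Content-Security-Policy, which makes the browser itself refuse resources from origins the page never intended to use.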

How does a watering hole attack work?

Watering hole attacks have been around for some time. Here are some notable examples of past attacks:

  • In 2012, several sites were compromised, including the U.S. Council on Foreign Relations (CFR). The attack used the Gh0st Rat exploit and was known as the VOHO attacks.
  • In 2016, the website of the Canada-based International Civil Aviation Organization (ICAO) was compromised and used to spread malware that infected the United Nations (UN) network.
  • In 2017, Ukrainian government websites were compromised to spread the ExPetr malware.
  • In 2019, many religious and humanitarian websites were compromised to target specific Asian communities.

Watering hole attacks are relatively rare, but they continue to have a high success rate because they target legitimate websites that cannot be blacklisted, and cyber criminals deploy exploits that antivirus detectors and scanners will not pick up. These supply chain attacks typically target high-security organizations through their employees, business partners, connected vendors and even unsecured wireless networks at conferences, public events and the like.

It’s important to also understand that these sophisticated attacks not only target victims’ laptops through websites but also often include mobile apps for Android and iOS devices. Therefore, watering hole attacks are a significant threat to organizations and users that do not follow security best practices.

How can you then protect yourself and your organization from these watering hole attacks?

  • Continuously test your current security solutions and controls to verify that they provide you with adequate defense against application and browser-based attacks.
  • Ensure your security controls prevent criminal redirection, malware and rootkits from being successfully deployed.
  • Make sure browser control and endpoint software is adequately tuned and that web content and security proxy gateways are well configured.
  • Organizations should seek additional layers of advanced threat protection such as behavioral analysis, which have a far greater likelihood of detecting zero-day threats.
  • Update systems with the latest software and OS patches offered by vendors.
  • All third-party traffic must be treated as untrusted until otherwise verified. It should not matter if content comes from a partner site or a popular Internet property such as a Google domain.
  • Educate your end-users on what watering hole attacks are by creating easy to understand corporate materials you distribute.
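The proxy and gateway tuning in the list above only helps if someone looks at what the gateway records. As an added example (not code from the original article), the script below runs a simple watering hole hunt over web proxy logs: it learns which destination hosts were already contacted in a baseline period, then flags any host that is new, is reached with a trusted site as the Referer, and collects the follow-on requests that client makes to it. The log format, the `www.example-industry-news.test` and `static-analytics.invalid` hosts, the client addresses and the trusted-site list are all constructed for the example.

```python
"""Added example: hunt for watering hole redirections in web proxy logs.

Watering hole traffic looks like ordinary browsing: a user on a legitimate,
routinely visited site is silently sent to a domain the organization has never
contacted before.  This script reads proxy log lines, takes the hosts seen in a
baseline period as known, and reports requests whose Referer is a trusted site
but whose destination host is new, together with the chain of follow-on
requests to that host.  Log format, hostnames and addresses are constructed.
"""
from urllib.parse import urlparse

# Constructed allowlist: sites staff are expected to visit regularly.
TRUSTED_SITES = {"www.example-industry-news.test"}

# Constructed log format: timestamp client method url status referer ("-" if none)
BASELINE_LOG = """\
2021-08-15T09:00:01Z 10.1.1.20 GET https://www.example-industry-news.test/ 200 -
2021-08-15T09:00:02Z 10.1.1.20 GET https://cdn.example-industry-news.test/app.js 200 https://www.example-industry-news.test/
2021-08-15T11:30:00Z 10.1.1.31 GET https://www.search-engine.test/ 200 -
"""

SAMPLE_LOG = """\
2021-08-16T09:00:01Z 10.1.1.20 GET https://www.example-industry-news.test/ 200 -
2021-08-16T09:00:02Z 10.1.1.20 GET https://cdn.example-industry-news.test/app.js 200 https://www.example-industry-news.test/
2021-08-16T09:05:10Z 10.1.1.31 GET https://www.example-industry-news.test/article/42 200 -
2021-08-16T09:05:11Z 10.1.1.31 GET https://cdn.example-industry-news.test/app.js 200 https://www.example-industry-news.test/article/42
2021-08-16T10:12:44Z 10.1.1.20 GET https://www.example-industry-news.test/article/43 200 -
2021-08-16T10:12:45Z 10.1.1.20 GET http://static-analytics.invalid/a.js 200 https://www.example-industry-news.test/article/43
2021-08-16T10:12:46Z 10.1.1.20 GET http://static-analytics.invalid/l.html 200 https://www.example-industry-news.test/article/43
2021-08-16T10:12:47Z 10.1.1.20 GET http://static-analytics.invalid/update.exe 200 http://static-analytics.invalid/l.html
"""


def parse_line(line):
    """Split one constructed log line into its fields plus derived hostnames."""
    ts, client, method, url, status, referer = line.split()
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "host": urlparse(url).netloc.lower(),
        "referer_host": urlparse(referer).netloc.lower() if referer != "-" else "",
    }


def known_hosts(log_text):
    """Every destination host that appears in a log, used as the baseline."""
    return {parse_line(l)["host"] for l in log_text.splitlines() if l.strip()}


def find_watering_hole_candidates(day_log, baseline_log, trusted=TRUSTED_SITES):
    """Return one finding per (client, new host) pivoted to from a trusted site.

    A finding records when the pivot happened, which trusted site the user was
    on, and every later request the same client made to the new host, so the
    analyst sees the whole chain (loader script, landing page, payload).
    """
    baseline = known_hosts(baseline_log)
    findings = {}
    for line in day_log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["host"] in baseline or ev["host"] in trusted:
            continue  # routinely contacted host, nothing unusual
        key = (ev["client"], ev["host"])
        if key in findings:
            findings[key]["chain"].append(ev["url"])  # follow-on request to the new host
        elif ev["referer_host"] in trusted:
            findings[key] = {
                "client": ev["client"],
                "host": ev["host"],
                "first_seen": ev["ts"],
                "pivot_from": ev["referer_host"],
                "chain": [ev["url"]],
            }
    return list(findings.values())


if __name__ == "__main__":
    for hit in find_watering_hole_candidates(SAMPLE_LOG, BASELINE_LOG):
        print(f"{hit['first_seen']} {hit['client']} on {hit['pivot_from']} "
              f"pulled {len(hit['chain'])} request(s) from new host {hit['host']}")
        for url in hit["chain"]:
            print("   ", url)
```

Two caveats a practitioner would want: the Referer header can be stripped by the compromised site (a `Referrer-Policy` of `no-referrer`, for example), so a production version should also flag new hosts that appear within a few seconds of a trusted-site visit from the same client; and a baseline built from a single day is too short, so use weeks of history and re-run the hunt daily.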

Conclusion

It is important to take into account all the best security techniques and practices in place in order to be cyber resilient and increase our own cyber-awareness. This would make the work of the attacker difficult in compromising accounts, systems and organizations. Let’s change the narrative of human beings being the weakest link, shall we!
