Codepath

Watering Hole Attack

A Watering Hole Attack is a technique for compromising a specific group of users by placing malware on websites that members of the group are known to visit. It is similar to predators in the wild waiting near watering holes for unsuspecting animal herds to visit.

A Watering Hole Attack exploits a group's trust in the integrity of a website it relies on. It can be an effective technique against groups that are resistant to traditional phishing. It can be difficult to carry out because it requires a double hack: the attacker must first identify and compromise a "watering hole" server, and then from there compromise the target. It is not common, but when it happens it is frequently successful because it is difficult to detect.

What makes a Watering Hole Attack distinct from the attack techniques it frequently uses, such as Drive-By Downloads, is that the attack is not against random users but is targeted against a specific group. The group is selected first and the watering hole and exploitation technique to be used is decided second.


Example

In 2014, a group of Chinese hackers infected Forbes.com. They appear to have been targeting users from U.S. defense and financial services firms. The hackers placed a malware infection inside the "Thought of the Day" Flash widget, which appeared upon a user's first visit to any Forbes.com page. The malware used two zero-day vulnerabilities—one for Internet Explorer, one for Flash Player—to attempt a drive-by download.


Watering Hole Attack Preventions

The preventions for a watering hole attack are similar to those for drive-by downloads and other attacks. Keep all software up to date, and educate users. Monitor network traffic generally for suspicious activity, and monitor each user on the network for uncharacteristic behavior.
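The two monitoring measures above can be turned into concrete checks over web proxy logs. The following is an added example (not code from the original page or from CodePath): it assumes a constructed, whitespace-separated log format of `timestamp user destination-host referer-host content-type`, a set of "trusted" sites the organization's users habitually visit, and a list of content types worth watching. The first check flags a previously unseen third-party host that several users suddenly load via the same trusted referrer, which is the network-wide signature of a compromised watering hole; the second flags a user fetching a watched content type from a host they have never fetched it from before. All hostnames, user names and log lines are constructed for the example.

```python
"""Watering-hole detection over constructed proxy log lines (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ts: int        # epoch seconds (constructed)
    user: str      # authenticated proxy user
    host: str      # destination host
    referer: str   # Referer host, "" when the log shows "-"
    ctype: str     # response Content-Type


def parse_line(line: str) -> Request:
    """Parse one constructed log line: ts user host referer ctype."""
    ts, user, host, referer, ctype = line.split()
    return Request(int(ts), user, host, "" if referer == "-" else referer, ctype)


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


# Constructed baseline: what users normally fetch from the trusted site.
BASELINE_LOG = """
1000 alice trusted-news.example - text/html
1001 alice cdn.trusted-news.example trusted-news.example text/javascript
1002 bob trusted-news.example - text/html
1003 bob cdn.trusted-news.example trusted-news.example text/javascript
1004 carol trusted-news.example - text/html
1005 dave mail.example - text/html
1006 dave cdn.trusted-news.example trusted-news.example image/png
"""

# Constructed observation window: three users pull a new Flash object
# from a never-before-seen host, all referred by the trusted site.
WINDOW_LOG = """
2000 alice trusted-news.example - text/html
2001 alice widget-host.example trusted-news.example application/x-shockwave-flash
2002 bob trusted-news.example - text/html
2003 bob widget-host.example trusted-news.example application/x-shockwave-flash
2004 carol trusted-news.example - text/html
2005 carol widget-host.example trusted-news.example application/x-shockwave-flash
2006 dave cdn.trusted-news.example trusted-news.example image/png
2007 dave ads.example trusted-news.example text/javascript
"""

TRUSTED_REFERERS = {"trusted-news.example"}          # assumption: sites the group relies on
WATCHED_TYPES = {"application/x-shockwave-flash",   # assumption: content types worth a second look
                 "application/x-msdownload",
                 "application/java-archive"}


def build_baseline(reqs):
    """Known hosts network-wide, and (host, content-type) pairs per user."""
    hosts = set()
    per_user = defaultdict(set)
    for r in reqs:
        hosts.add(r.host)
        per_user[r.user].add((r.host, r.ctype))
    return hosts, per_user


def find_new_shared_hosts(window, known_hosts, trusted_referers, min_users=3):
    """Network-wide check: unseen host loaded via a trusted referrer by >= min_users."""
    users_by_host = defaultdict(set)
    for r in window:
        if r.referer in trusted_referers and r.host not in known_hosts:
            users_by_host[r.host].add(r.user)
    return {h: sorted(u) for h, u in users_by_host.items() if len(u) >= min_users}


def find_uncharacteristic(window, per_user, watched_types):
    """Per-user check: a watched content type from a host the user never fetched it from."""
    hits = []
    for r in window:
        if r.ctype in watched_types and (r.host, r.ctype) not in per_user.get(r.user, set()):
            hits.append((r.user, r.host, r.ctype))
    return hits


def analyze(baseline_text: str, window_text: str) -> dict:
    known_hosts, per_user = build_baseline(parse_log(baseline_text))
    window = parse_log(window_text)
    return {
        "new_shared_hosts": find_new_shared_hosts(window, known_hosts, TRUSTED_REFERERS),
        "uncharacteristic": find_uncharacteristic(window, per_user, WATCHED_TYPES),
    }


if __name__ == "__main__":
    for key, value in analyze(BASELINE_LOG, WINDOW_LOG).items():
        print(key, value)
```

The `min_users` threshold is what separates a watering hole from an ordinary new advertising host: one user hitting `ads.example` is noise, three users pulling the same unknown object through the same trusted page within one window is the pattern worth a ticket. In practice the baseline would be built from weeks of logs rather than seven lines, and the watched-type list would follow whatever plugin or download types the organization still permits.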
