Human security risks happen because people are trusting, not because they are fools. Phishing (email) and SMiShing (SMS/mobile) attacks abuse that trust, so employees are told to be careful with every message they receive. But what happens when a site they have every reason to trust is itself subverted? That is a waterholing (watering hole) attack.

The term “waterholing” comes from the expression “poisoning the waterhole,” and evokes predators lurking near a waterhole, waiting for prey to come and drink. Businesses with serious data protection requirements put a lot of effort into protecting their own websites, but their people routinely visit websites that are far less careful. Local stores, restaurants, and entertainment sites are often small operations that use weak administrative passwords and don’t patch their software regularly.

An attacker will find many of these sites easy to break into, and once inside can inject malicious content (typically a script tag or a hidden iframe) into the site’s pages. The aim is to exploit bugs in the visitor’s browser or browser plugins and gain control of the client’s computer, without the visitor doing anything beyond loading a page they load every week. From that foothold the attacker can move into the business network and steal data, or run ransomware and destroy files.
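The injection described above usually leaves visible traces in the page’s HTML: a script loaded from a host the site never used before, a zero-size or off-screen iframe pointing at an exploit kit, or an inline script that unpacks itself with eval. The following scanner is an added example written for this article, not code from the original page; it assumes a hypothetical allowlist of hosts the site legitimately loads scripts from (TRUSTED_SCRIPT_HOSTS) and feeds a constructed sample page (SAMPLE_PAGE, with hostnames under the reserved .invalid domain) through Python’s standard HTML parser.

```python
"""Scan fetched HTML for the injections typical of a watering-hole compromise.

Added example for this article. TRUSTED_SCRIPT_HOSTS and SAMPLE_PAGE are
assumptions constructed for the demonstration, not data from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is known to load scripts from (hypothetical allowlist).
TRUSTED_SCRIPT_HOSTS = {"www.example-diner.com", "cdn.example-diner.com"}


def looks_obfuscated(js):
    """Heuristics for drive-by loaders: self-decoding calls and long escape runs."""
    markers = ("eval(", "unescape(", "fromCharCode", "document.write(")
    escape_runs = js.count("\\x") + js.count("\\u") + js.count("%u")
    return any(m in js for m in markers) or escape_runs > 20


class InjectionScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host      # host used for relative script URLs
        self.findings = []              # (kind, detail) tuples
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src:
                # Relative and protocol-relative URLs resolve against the page host.
                host = urlparse(src).hostname or self.page_host
                if host not in TRUSTED_SCRIPT_HOSTS:
                    self.findings.append(("untrusted-script-src", src))
            else:
                self._in_script = True
                self._script_buf = []
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or "left:-" in style or "top:-" in style
                      or a.get("width") == "0" or a.get("height") == "0")
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            if looks_obfuscated(body):
                self.findings.append(("obfuscated-inline-script", body[:60]))


def scan_page(html, page_host):
    """Return the list of (kind, detail) findings for one fetched page."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a small restaurant site after a watering-hole injection.
SAMPLE_PAGE = """<html><head>
<script src="/js/menu.js"></script>
<script src="https://cdn.example-diner.com/jquery.min.js"></script>
<script src="//stats.attacker-controlled.invalid/t.js"></script>
</head><body>
<h1>Today's specials</h1>
<iframe src="http://exploit.attacker-controlled.invalid/kit.php"
        width="0" height="0" style="visibility:hidden"></iframe>
<script>var _0x=["\\x65\\x76\\x61\\x6c"];eval(unescape("%u0041%u0042"));</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, "www.example-diner.com"):
        print(f"{kind}: {detail}")
```

The first two script tags resolve to allowlisted hosts and are ignored; the protocol-relative third one, the zero-size hidden iframe, and the eval-based inline script are each reported. These are heuristics, and real kits vary their obfuscation, so the more robust check for a site owner is to diff each page against a known-good copy and treat any new script or iframe as suspect until explained.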

The attack is usually a targeted one. The attacker decides which business to go after and looks for sites its people are likely to visit. Probing enough of those sites has a fair chance of turning up one that is vulnerable.