Waterholes are targeted drive-by sites. Here the attacker researches a target or target group to find out which sites they visit, in the hope that those sites have security vulnerabilities. This information may be gleaned from the sector the target is in, the black market, information gathered in other attacks on their ecosystem, Social Media Leakage, or some combination of these, depending on how persistent the attacker is.
The attacker will test for any exploitable vulnerabilities in the web servers hosting these websites. They will then exploit those vulnerabilities to infect the server with malware that is automatically downloaded to the target's machine or device and infects it if it is vulnerable. It can also infect other visitors' machines if the attacker is not sophisticated enough to restrict the infection to machines coming from the chosen victim's country, IP range, etc.