Drive-by downloads

You may think you’re security savvy by never clicking on untrusted links and refusing to execute suspicious downloads, but you may still be vulnerable to drive-by download attacks. These online menaces can infect your computer or device without even a single click.

Drive-by downloads can load themselves onto computers without the user’s knowledge. They are often the first step in multi-stage attacks, able to subtly bring other, more vicious malware onto a victim’s computer. Ultimately, these attacks can end up wreaking havoc in a range of ways, from spying to intellectual property theft, to extortion via ransomware.

What is a drive-by download?

Drive-by downloads are unintentional and generally malicious downloads. They fall into two main categories:

Without the user’s knowledge

In these cases, the user doesn’t realize that anything has been downloaded. These non-consensual downloads typically take advantage of vulnerabilities in the user’s operating system, apps, browser or plugins like Flash, or in the browser’s handling of JavaScript.

Sometimes attackers may take advantage of zero-day exploits. However, the bulk of these attacks are made possible because users have a tendency to run outdated browsers and plugins that haven’t been patched with the latest security updates.

This is the type of attack that most people think of when they hear the term drive-by download because victims can get infected without even stopping to click. It’s as if they get hit even though they’re just driving by the web page.

Without the user’s full understanding

Drive-by downloads also work their way onto computers and devices by tricking users. One technique involves attackers dressing up a file as something that it isn’t. A user may accidentally install malware or a fake program under the assumption that they are downloading legitimate software.

A good example of this is when attackers set up notifications that look like they come from legitimate antivirus programs. These scare users into thinking that they have a virus, prompting them to take action to remove it.

The real danger comes when users follow the directions. The virus notification is just a sneaky tactic, and the supposed remedy ends up downloading malware onto the victim’s computer.

While users may have actively chosen to install the file, they did so without any awareness of what it truly contained. This is what gets this tactic placed under the category of a drive-by download.

A similar tactic involves exploiting a user’s lack of technical knowledge to trick them into downloading something they don’t need. While the user may have chosen to execute the download, they have done so without informed consent, which can often lead to unintended and harmful ramifications.

Malicious code can also be secretly bundled up in a package that the user does want to download. In this scenario, the user downloads the legitimate program and it appears to work fine. Unbeknownst to them, a drive-by download has been included in the package, and it could be working to infect their PC while the user goes about their business normally.

Many may not consider this second type a drive-by download at all. They have a point, because the attack involves direct user action, even if the action is taken without fully understanding the consequences.

Despite this disagreement, we will cover both types in this article to be thorough. This approach will also ensure that you aren’t confused when you come across references to the second type of drive-by download elsewhere.

Why do attackers use drive-by downloads?

In the most dangerous cases, cybercriminals use drive-by downloads as a means to load target computers or devices with other forms of malware. Drive-by downloads are effective because they can slip onto computers unnoticed, giving adversaries a foothold for further attacks.

Once the drive-by download has made its way onto the target, it will often contact a server to download other malware. The ultimate goals of the attacker may include:

  • Spying and gathering data for further attacks
  • Acquiring data that can be sold on darknet marketplaces
  • Penetrating further into systems, networks or accounts
  • Various types of financial fraud and identity theft
  • Recruiting the device as part of a botnet
  • Ransomware
  • Adware

As you can see, drive-by downloads are a starting point for a wide range of attacks that can be used to devastate the victims. But how do they end up infecting victims in the first place?

How do drive-by downloads end up on your computer?

You can come across drive-by downloads in your inbox or by browsing online. Email-based attacks generally trick users into downloading malicious attachments or include links that send them to dodgy websites where the attack is initiated.

When visiting websites, you can fall victim to drive-by downloads through the website itself, or the ads that it carries. Even prestigious websites like the New York Times and the BBC have been known to host ads that infect visitors with drive-by downloads (this is discussed in more detail in the 2016 campaign section below).

Hackers may pay to host malicious ads on websites, or they may compromise ad networks, as a means to target victims. Both approaches are dubbed malvertising because they abuse advertising systems to spread malware. It’s possible to serve malicious ads on any site, but it’s much more common on the shadier parts of the web, such as illegal file-sharing and streaming platforms, online gambling sites, and pornography pages.

Alternatively, malicious content can be served directly from the website itself. This strategy generally takes advantage of security vulnerabilities found in outdated software. Common culprits include:

  • Outdated browsers, such as old versions of Internet Explorer, Opera, Firefox or Chrome.
  • Unpatched plugins like Adobe Flash or Microsoft Silverlight.
  • Old versions of Windows or other operating systems.

Attackers often take advantage of this outdated software by hiding malicious code in iFrames with JavaScript, then using a series of redirects to load malware onto suitable targets. They may also use JavaScript to take advantage of cross-site scripting (XSS) vulnerabilities. More serious vulnerabilities may even allow them to hide their exploit kit directly on the page.

Hackers may compromise legitimate websites and insert code to infect victims, or they may even specifically set up websites for their campaigns. In the second instance, attackers commonly tailor their sites to target a certain audience, in what is known as a watering hole attack.
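A site owner’s first question after reading the above is how to tell whether their own pages have been tampered with. The following scanner is an added example for this article (not code from any exploit kit, vendor or the campaigns described here); it looks for the two injection patterns just described, a hidden iframe pointing off-site and an obfuscated inline loader script. The sample page and the domains in it are constructed.

```python
"""Scan an HTML page for hidden off-site iframes and obfuscated inline scripts.

Added example for this article. The sample page and domains are constructed;
"ek-landing.invalid" is a placeholder, not a real indicator.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tokens that commonly appear in obfuscated loaders. Their presence is a
# signal for manual review, not proof of compromise on its own.
SUSPICIOUS_JS = re.compile(
    r"(eval\s*\(|unescape\s*\(|String\.fromCharCode|document\.write\s*\()",
    re.IGNORECASE,
)


def _is_hidden(attrs):
    """True if an iframe is styled or sized so a visitor would never see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width", "100").rstrip("px"))
        height = int(attrs.get("height", "100").rstrip("px"))
    except ValueError:
        return False
    return width <= 1 or height <= 1


class InjectionScanner(HTMLParser):
    """Collects (finding_type, evidence) tuples while parsing one page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            src = attrs.get("src", "")
            # A relative src belongs to the site itself.
            host = (urlparse(src).hostname or self.site_host).lower()
            if _is_hidden(attrs) and host != self.site_host:
                self.findings.append(("hidden_offsite_iframe", src))
        elif tag == "script" and "src" not in attrs:
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            hits = SUSPICIOUS_JS.findall(body)
            # Long runs of escaped bytes ("\x41\x42...") are another hint.
            escaped = len(re.findall(r"\\x[0-9a-fA-F]{2}", body))
            if len(hits) >= 2 or escaped > 20:
                self.findings.append(("obfuscated_inline_script", body[:60]))


def scan_html(html, site_host):
    """Return the list of findings for one page served from site_host."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a normal page with an injected hidden iframe and loader.
SAMPLE_PAGE = """
<html><body>
<h1>News</h1>
<iframe src="https://www.example-news.test/widget" width="300" height="200"></iframe>
<iframe src="http://ek-landing.invalid/gate.php" width="1" height="1"
        style="display:none"></iframe>
<script>var s=unescape("%3Cscript%3E");eval(String.fromCharCode(97,108));</script>
<script src="/static/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for kind, evidence in scan_html(SAMPLE_PAGE, "www.example-news.test"):
        print(kind, "->", evidence)
```

Run it against a saved copy of each page in a site crawl and diff the findings between crawls; a hidden iframe that appears overnight is the signal to investigate.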

What happens when a user encounters a malicious drive-by download?

Before we get into drive-by downloads, let’s first discuss how attacks generally lead up to them. A common scenario involves a user coming across a malicious landing page, whether by clicking on it directly or by being redirected through malvertising. From this point, there is a wide range of variables as to how the attack can progress. It depends both on the objectives of the attacker and their sophistication.

Social engineering

On the simpler end of the scale, attackers may use social engineering to try and trick users into actively downloading a supposed antivirus program or a system update. Under this type of attack, victims are often deceived into directly downloading a Trojan or other malware.

In these situations, the initiation of the attack can be considered a drive-by download, based on our second definition of a user installing software without their full understanding.

This download may give the attacker backdoor access, allow them to steal sensitive data, or give them an avenue through which they can load other devastating software, such as ransomware.

Exploit kits

Alternatively, the victim may end up on an exploit kit landing page. An exploit kit is essentially a pre-packaged collection of exploits and tools that can attempt a range of different attacks to try and infect targets. Attackers don’t necessarily need much technical expertise to use them and they can be purchased on the dark web.

Some of the most common exploit kits include Spelevo, Fallout, Magnitude, RIG and GrandSoft. For the most part, they take advantage of vulnerabilities in old versions of Internet Explorer and Flash.

Rudimentary exploit kits will cycle through every exploit in their package, in the hopes that one of them can penetrate the victim. This approach isn’t sophisticated and can be detected relatively easily. However, it can still succeed against those who are using outdated software. In these cases, the security vulnerabilities allow the attack to be initiated via our first type of drive-by download, attacks that users are unaware of.

More advanced exploit kits will begin by fingerprinting potential targets for suitability. This process involves scanning the user’s configuration, which operating system they are using, their browser, plugins and which versions they have installed.

Fingerprinting may also examine the user’s IP address, allowing attackers to specifically target or exempt potential victims based on their geographic region.

The fingerprinting process allows attackers to filter for appropriate targets. Sophisticated campaigns separate suitable victims according to which mode of attack their setup makes them vulnerable.

Fingerprinting can also attempt to detect network tools and virtual machines – if these are spotted, the kit won’t launch an attack against the target. This helps hackers to evade security researchers and their traps.

If targets aren’t deemed suitable for an attack, they may be passed over and spared from the potential repercussions. Alternatively, if a user has the latest security updates that patch the desired vulnerabilities, they may be redirected to another landing page that uses social engineering (such as the “you have a virus, download this tool to protect yourself” scam) to try and convince them to actively download malware. This technique was seen in a campaign that used the Fallout exploit kit.

Attackers may do this if they don’t want to pass up a potential victim. Those with the latest security updates generally aren’t vulnerable to most of the exploits in these kits (excluding highly sophisticated attacks that use zero-day exploits, which target vulnerabilities that have yet to be discovered and patched by the security community). Instead of letting a potential victim go, attackers may as well try one last technique, even if the chances of success are relatively low.

When the fingerprinting process comes across candidates who are vulnerable to various exploits contained within the kits, they are then redirected – often multiple times – to a landing page containing malicious code that can take advantage of the appropriate security vulnerability. This is where the drive-by download occurs, often through JavaScript.

The landing page code and exploits are generally obfuscated to increase their chances of success. The exploit may even be encrypted and need to contact the attacker’s backend server for a key that decrypts the code, in order for the attack to progress.

From this point, there are many ways that attacks can move forward. These campaigns generally involve a range of carefully crafted and complicated techniques that aim to progress the attack without being detected.

As a rough outline, exploit kits will generally take advantage of a vulnerability, then perform a number of steps that work toward secretly downloading a payload. This could be ransomware, spyware, crypto mining software or malware that recruits the computer into a botnet. It all depends on what the hacker’s aims are.

Ultimately, if the attack succeeds, the victim ends up with significant problems, even if they don’t initially realize that they have been hacked.

Drive-by download examples

Drive-by downloads can be used in a diverse range of circumstances, often leading to devastating consequences for the victims. Below is a collection of recent campaigns that involved drive-by downloads in some stage of their attack strategies:

Lurk

The Lurk cybercriminal group was one of the most prominent early adopters of drive-by downloads. Alongside other techniques, the group went on a spree that ultimately netted it $45 million in stolen funds. However, the group’s activities were brought to a halt in 2015 when fifty of its members were arrested by Russian authorities.

One of Lurk’s common attack vectors involved injecting malicious iFrame content into popular Russian websites. This allowed the group to exploit web browser vulnerabilities through drive-by downloads. Site visitors would be redirected to malicious websites and fingerprinted to determine if they were appropriate targets. This verification process was ephemeral and executed in-memory, helping to hide the footprints of the attack.

The group would then load malware onto appropriate targets, mainly Russian banking apps, through which it could easily steal funds. The Lurk gang was incredibly careful in covering its tracks, only attacking specific targets and using evasive techniques to avoid sandbox-based detection.

After a campaign that lasted for several years, a number of small mistakes eventually caught up with Lurk. Collectively, these allowed security researchers and the Russian authorities to piece together who was responsible, leading to the arrests.

2016 campaign

In 2016, one of the largest drive-by download campaigns of recent times struck a range of high-profile publishers. Among the affected websites were MSN, the New York Times, the BBC, Comcast’s Xfinity and the NFL. These websites have between millions and billions of monthly visitors each, so we aren’t talking about small-time players here.

Each of these sites was using seemingly legitimate ad networks that had been compromised by the attacker. The prominence of these and other sites allowed the hacker to push malicious ads to a large number of innocent site visitors. These ads then redirected them through two malvertising servers. The second server loaded the Angler exploit kit onto victims.

The Angler exploit kit was considered a highly advanced set of tools in its time, having initially been developed by the above-mentioned Lurk group for their own use, then eventually rented out to other cybercriminals. However, since the mass arrests against the group, the Angler exploit kit had fallen out of use.

The Angler exploit kit could exploit vulnerabilities in Microsoft Silverlight, JavaScript, Adobe Flash and other common software. It could then be used to load a wide range of malware onto the victim’s computer, according to the needs of the hacker.

In the 2016 campaign against the high-profile publishers, the Angler exploit kit was mainly used to infect targeted computers with the Bedep Trojan and TeslaCrypt ransomware. Bedep opens up a backdoor that can be used to download other malware, while TeslaCrypt locks down a user’s files until they pay a ransom. Even if the victim does pay, it isn’t unusual for the attacker to never send them the key that unlocks their files.

While the bigger publishers were relatively quick to take the malicious ads down, it’s possible that the campaign ended up infecting tens of thousands of users.

Patchwork

Patchwork is a cyberespionage group that mainly focuses on Asian targets, although it’s also been involved in both the USA and Australia. The group also gets referred to as Dropping Elephant and Chinastrats, and the best guesses assume that it is either an Indian group, or has interests that align with those of India.

It originally focused its efforts on government and diplomatic agencies, but shifted its targets to also include businesses. While Patchwork isn’t necessarily known for the most cutting-edge attacks, it rotates through a large roster of existing techniques to spy on its victims. According to Trend Micro, the group’s tactics indicate that it targets “mission-critical or confidential data”, rather than focusing on purely financial motives.

Among its many tactics, Patchwork set up a fake version of Youku Tudou, which is essentially the Chinese version of YouTube. The dodgy website would urge visitors to download a supposed Adobe Flash update, which turned out to be malicious software that the attackers used to mount further attacks.

This technique falls into our second category of drive-by downloads, those in which the user is manipulated into actively running the malicious download. While they may have made the click, they have done so without full knowledge of what it was or its possible repercussions.

Eris Ransomware

In July of 2019, a security researcher who goes by the handle nao_sec discovered that drive-by downloads were used as part of an attack that delivered the Eris Ransomware to victims. The attacker set up a malvertising campaign through the PopCash ad network that redirected users to the RIG exploit kit, a renowned piece of code that can gain a foothold through the likes of JavaScript, Flash or VBScript.

In this particular campaign, the kit attempts to exploit a browser Shockwave vulnerability. If it succeeds, it downloads and installs the Eris Ransomware, which then encrypts the victim’s files and demands payment for the key to unlock them.

This attack can end up costing a user significant sums of money to unlock their files. It can even restrict access permanently if the attacker refuses to send the key, making them unusable. And this attack can do it all without ever requiring a single click from the victim.

See also: Ransomware statistics

GreenFlash Sundown

In June 2019, researchers from Malwarebytes began to notice a spike in drive-by download attacks that were traced back to the ShadowGate group. ShadowGate is a renowned team of hackers known for focusing on South Korean targets.

The attacks relied on the GreenFlash Sundown exploit kit and were spread through self-hosted ad servers running Revive Adserver. The most notable site to be compromised was onlinevideoconverter.com, which converts YouTube videos into downloadable files.

When a user comes across the drive-by download, ShadowGate’s technique begins by fingerprinting them at the network level. This allows the group to only target users from residential IPs, rather than those coming from VPNs and other services.

The attack follows up with a PowerShell script that probes for information about the potential target’s device, including its operating system, hard disk, video card, any antivirus software and user names.

Appropriate victims are then redirected through a fake GIF image that contains obfuscated JavaScript. It redirects through a series of sites that end up using a Flash exploit to deliver a malicious payload.
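A fake GIF only works because nothing checks that the bytes match the declared type. The check below is an added example for this article (not code from the campaign, from Malwarebytes or from any vendor): it compares a response’s Content-Type with the file’s magic bytes and looks for script tokens inside what claims to be an image, which is how a proxy or web filter can catch this stage. The sample responses are constructed.

```python
"""Flag HTTP responses whose declared image type does not match the body.

Added example for this article. All sample responses below are constructed.
"""
import re

# Magic bytes for the image types an ad slot would normally serve.
IMAGE_MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Tokens that have no business inside an image body, whether the header
# is forged or a real image has script appended to it.
SCRIPT_HINT = re.compile(rb"<script|eval\s*\(|document\.write|fromCharCode", re.IGNORECASE)


def classify_response(content_type, body):
    """Return 'ok', 'type_mismatch' or 'script_in_image' for one response.

    content_type: the Content-Type header value (parameters are ignored).
    body: the raw response body as bytes.
    """
    media_type = content_type.split(";")[0].strip().lower()
    magic = IMAGE_MAGIC.get(media_type)
    if magic is None:
        return "ok"  # not an image type; out of scope for this check
    if SCRIPT_HINT.search(body):
        return "script_in_image"
    if not body.startswith(magic):
        return "type_mismatch"
    return "ok"


def scan_responses(responses):
    """Classify a list of (content_type, body) pairs, keeping only non-ok ones."""
    return [(ct, classify_response(ct, body))
            for ct, body in responses if classify_response(ct, body) != "ok"]


# Constructed samples: a real 1x1 GIF, a fake GIF carrying a loader,
# a real GIF with script appended, a mislabelled blob and a PNG.
SAMPLE_RESPONSES = [
    ("image/gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
                  b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"),
    ("image/gif; charset=binary", b"<script>eval(unescape('%76%61%72'))</script>"),
    ("image/gif", b"GIF89a" + b"\x00" * 10 + b"<script>x()</script>"),
    ("image/gif", b"\x00\x01\x02 not an image at all"),
    ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("text/html", b"<html><script>ok()</script></html>"),
]

if __name__ == "__main__":
    for content_type, verdict in scan_responses(SAMPLE_RESPONSES):
        print(f"{verdict:16} {content_type}")
```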

It loads a triple threat of the Seon ransomware, the Pony botnet and cryptomining software onto the victim’s computer. This locks down the victim’s critical files, so that ShadowGate can attempt to make money through ransom payments. The group can also leverage the new bot as part of their swarm in future attacks, while taking advantage of the target’s processing power to mine cryptocurrency.

The good news is that it’s relatively easy to protect against ShadowGate’s latest campaign. Its attack targets Windows systems that run old versions of Flash. All users need to do to prevent this attack is to make sure that Flash is up-to-date.

As general security advice, they should also have their operating systems, browsers, plugins and other apps up-to-date as well. Running the latest security patches helps to prevent the overwhelming majority of less-sophisticated attacks.

Maze

In October, nao_sec discovered the Spelevo exploit kit being used in a new drive-by download campaign that spread the Maze ransomware. Maze is a variant of the ChaCha ransomware, first found by Jérôme Segura back in May.

In the original campaign, Segura found that the attackers had set up a fake website for Abra, the cryptocurrency investment application. They also purchased ads that redirected to the malicious site. When users clicked on these, their operating system, browser and plugin information was fingerprinted.

When appropriate targets were found to be vulnerable, the May campaign was redirecting them to the Fallout exploit kit, while the October campaign sent them to the Spelevo exploit kit. The Spelevo exploit kit leverages a vulnerability in outdated versions of the Flash plugin, then uses arbitrary code execution to install the Maze ransomware.

Once the ransomware is executed, it scans the compromised system for potentially valuable files, encrypting them with the ChaCha20 stream cipher and RSA. Maze then creates a ransom note that leads to a Tor website, where victims can pay to have their files unlocked.

The Tor site states that the ransom automatically doubles after one week, and there is also an online decryption interface that allows victims to test whether decryption is possible on several of their files. It is not known whether the attackers actually forward the decryption keys once payment is made.

Drive-by downloads & smartphones

It’s not just computers that are vulnerable to drive-by downloads. As the user market has gone mobile, so have hackers, and they have been devising cunning campaigns to try to infect devices as well.

By design, mobile setups are more secure than your typical Windows configuration. Smartphone platforms are much more restrictive, limiting what users can do, as well as how easily they can screw up.

If users keep their default security settings and make sure their operating system and apps are always updated to the latest version, they should be relatively safe from malware.

Those who have jailbroken (iOS) or rooted (Android) their phones face significantly greater risks. Although the elevated privileges on a jailbroken or rooted device offer additional functionality, they also make it easier for malware to infect the device, because mobile malware tends to need this level of access in order to take action.

Mobile attack scenarios

Vulnerable users come across malicious links on webpages, text messages, or emails. They may also encounter ads and popups that trick them into initiating downloads. One of the most common examples of this involves ads that mimic a phone’s incoming call button.

These are especially sneaky campaigns because most people don’t think much before they answer their phone. They notice an incoming call and they immediately pick up their phone, without taking any time for closer examination. Attackers know this and take advantage of the automatic reaction to trick their targets into running malware.

In this scenario, a user will think they are answering a call, but they are actually loading a drive-by download. The attack proceeds by attempting to exploit vulnerabilities in the mobile browser. If successful, the campaign moves forward by essentially jailbreaking or rooting the device.

This is because the normal mobile ecosystem prevents devices from downloading apps through websites in a straightforward manner. Unless the device is jailbroken or rooted, apps have to be downloaded through the app store.

Once this has been done, hackers may escalate the attack by installing other malware on the victim’s device. They may spy on the user, enlist the device in a botnet, or use the device’s resources to mine cryptocurrency.

Ks Clean

One example of a drive-by download campaign that targeted mobile devices was the kskas.apk malware. It was found spreading through ads on a forum called Godlike Productions. When vulnerable users encountered the ad, it would use exploits to download an Android package, kskas.apk.

From within the app menu, the malicious download would appear as a cleaning app for Android, called Ks Clean. Once it had been installed, it would show a fake system update, much like the virus or system warnings that we mentioned earlier in this article.

The user only has one option: OK. When they click it, another APK called Update is installed. It then asks for admin rights and registers as an Android receiver, which prevents the rights from being rescinded.

This process also grants the app a range of permissions, including the ability to download files without notifying the user, and permission to display on top of other applications. This leads to intrusive ads showing prominently on the home screen, and leaves the device vulnerable to escalating attacks.
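The combination just described, a device-admin receiver plus overlay and silent-download permissions, is visible in an APK’s manifest before the app is ever run. The analyser below is an added example for this article (not code from the malware, from Google or from any vendor) that flags that pattern in a decoded AndroidManifest.xml; the manifest it parses is constructed and the package name is a placeholder.

```python
"""Flag the device-admin plus overlay plus silent-download pattern in an
Android manifest.

Added example for this article. The manifest below is constructed and
"com.example.kscleanlike" is a placeholder package name.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that, together with a device-admin receiver, match the
# behaviour described above. All names are real Android permissions.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "display on top of other apps",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "download without notifying the user",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs",
}
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"
# A receiver listening for this action can react when the user tries to
# revoke admin rights, which is how such apps resist removal.
DEVICE_ADMIN_DISABLE_REQUESTED = "android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED"


def _attr(elem, name):
    """Read an android:<name> attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), "")


def analyse_manifest(xml_text):
    """Return a list of human-readable findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    requested = {_attr(p, "name") for p in root.iter("uses-permission")}
    for perm, why in RISKY_PERMISSIONS.items():
        if perm in requested:
            findings.append("requests %s (%s)" % (perm, why))
    for receiver in root.iter("receiver"):
        actions = {_attr(a, "name") for a in receiver.iter("action")}
        if _attr(receiver, "permission") == DEVICE_ADMIN_PERMISSION and DEVICE_ADMIN_ENABLED in actions:
            findings.append("device-admin receiver %s" % _attr(receiver, "name"))
            if DEVICE_ADMIN_DISABLE_REQUESTED in actions:
                findings.append("receiver also handles admin-disable requests")
    return findings


def is_high_risk(findings):
    """True when a device-admin receiver is combined with two or more risky permissions."""
    has_admin = any(f.startswith("device-admin receiver") for f in findings)
    risky = sum(1 for f in findings if f.startswith("requests "))
    return has_admin and risky >= 2


# Constructed manifest modelled on the behaviour described above.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.kscleanlike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Update">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
        <action android:name="android.app.action.DEVICE_ADMIN_DISABLE_REQUESTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    results = analyse_manifest(SAMPLE_MANIFEST)
    for line in results:
        print("-", line)
    print("high risk:", is_high_risk(results))
```

A decoded manifest can be obtained from an APK with apktool or aapt; run the analyser on every app pulled from a device under investigation rather than only the one that raised the alarm, since the first APK and the “Update” APK are separate packages.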

The growing threat of drive-by downloads

Drive-by downloads have become a more prominent threat in the past few years for two major reasons. One is the rise of pre-packaged exploit kits that allow hackers to launch sophisticated attacks, even if they don’t have much of their own technical skill.

Just like the rest of the software market, you can even get exploit-kits-as-a-service. Hackers can access ready-made crime campaigns without having to establish their own infrastructure or write their own code.

In addition to how easy these hacking services are to use, the modern browsing environment has also become incredibly complex. Browsers have a lot going on, especially when you consider the range of add-ons, such as extensions and plugins that increase the attack surface.

Each of these needs to be regularly updated, as does the browser and other software. With so many updates to attend to, it’s easy for some to slip by. When this happens, attackers can abuse the lapses and tailor attacks that exploit these software vulnerabilities.

Preventing drive-by downloads

While drive-by downloads may seem terrifying, the good news is that you can drastically reduce the risks you face with a few simple steps.

Keep everything updated

In most cases where drive-by downloads infect targets without any user action, they accomplish it by exploiting security vulnerabilities in old versions of software like Internet Explorer and Flash. These threats are easy to mitigate, but not enough people take the steps to do so.

One of the security community’s biggest battles is in convincing people to update their operating systems, browsers, add-ons, apps and every other piece of software as soon as patches are made available.

Many people don’t realize that updates aren’t just a collection of annoying changes and the addition of new features that they probably don’t need. Updates also act to plug up recently discovered security holes.

Vulnerabilities that allow hackers to circumvent the normal security measures and that the developer doesn’t yet know about are called zero-days, and code that takes advantage of them is a zero-day exploit. If white-hat hackers or other well-intentioned parties are the first to find a zero-day, they can privately let the developers know about it. The developers can then issue an update that patches the hole, preventing criminals from exploiting it.

If bad actors are the first ones to discover a zero-day exploit, they generally choose to take advantage of it rather than report it through the appropriate channels. This gives them a window of opportunity to exploit the vulnerability and commit crimes.

While zero-day exploits are certainly a threat, they are a relatively minor concern for the general public when compared to attacks that leverage known vulnerabilities that already have patches available. As an example of just how pervasive this issue is, a 2019 Avast survey of 163 million computers found that 55 percent of programs are out-of-date.

This means that users frequently run old versions of software with known vulnerabilities, even when solutions are readily available. In cases where vulnerabilities are publicly known, hackers know about them too.

They also know just how common it is for users to neglect their security updates, so they work furiously to add exploits that take advantage of the latest vulnerabilities to their attack campaigns.

This gives them a huge pool of vulnerable users that are easy to hack. Users who don’t install the latest security patches are essentially leaving their doors open, inviting hackers to commit a range of different crimes.

To combat this huge threat, users need to be installing updates as soon as possible. They can do this manually, but it’s easy to forget or ignore them, resulting in opportunities for attackers to strike. The best solution is to set software to update automatically wherever possible.

Limit your attack surface

The greater the number of programs and add-ons you have, the more you have to manage, which increases the chance of problems occurring. If you only have three plugins, it’s relatively easy to keep them updated. Even if you lag behind and let a third of them slip by, it means there is only one outdated plugin that hackers can potentially take advantage of.

If you have thirty plugins installed and let the same percentage lapse, that gives hackers 10 different opportunities to work with. The best approach is to only install add-ons and other software that you really need and to thoroughly vet them beforehand. You should periodically go through and get rid of any that you are no longer using because they simply add needless risk.

Avoid shady websites

While drive-by downloads are occasionally found on reputable websites, they are far more common in the depths of the internet. This is especially true for sites that host illegal content, but it also happens on smaller websites that don’t have the knowledge or resources to actively address their security issues.

If you want to limit the possibility of exposing yourself to drive-by downloads, you should act cautiously whenever you are browsing online. It’s best to stick to legitimate sites that are more proactive about their security, and away from any dodgy or otherwise suspicious websites that could do you harm. If you have any doubts about a particular link, it’s probably best to try and find what you are looking for on a site that you trust.

On an organizational level, it may be best to use site-blocking software to restrict employees from visiting the more dangerous parts of the web. Just make sure that the restrictions aren’t too severe, to the point where important sites are blocked, getting in the way of everyday work tasks.

Be skeptical of popups & ads

You need to be aware that the internet is full of potential dangers and hazards, with hackers constantly trawling around and finding new ways to commit crimes against you. With this in mind, it’s important to recognize that many seemingly legitimate popups or ads could be sophisticated attempts to infect your computer with malware.

If you ever see a notification telling you that you have a virus or that you need to make system changes, the first step is to make sure it isn’t coming from your web browser. If it is, it’s probably an attempt at tricking you into a drive-by download.

You can confirm whether it is by checking to see if it goes away when you don’t have any browser windows open. If it does, it’s definitely not a legitimate virus notification.

You may see similar warnings outside of your browser, but these would not be drive-by download attempts. It’s likely that you have somehow ended up with scareware installed on your PC, and it is using similar social engineering techniques to try and trick you into downloading more malware.

To figure out whether it’s a legitimate notification, take a look to see if it’s coming from the antivirus solution that you normally use on the computer. If it has another brand or name, then it’s probably just a scam.

You should also be on the lookout for malware that impersonates the antivirus brand you normally use. You can usually tell impostors apart because the interface may be slightly different, rougher, or it may include spelling errors.

Popups and ads can easily manipulate us with a number of similar techniques, whether they are supposed system updates, fake warnings to take action, or other crafty schemes. In each case, the hacker is just trying to scare you into installing more malware.

Watch out for email links and attachments

Email is another threat because links that you click on can lead to landing pages that host malware, while any attachments that you open may also be malicious. You can limit your risk by always treating your inbox with a small amount of paranoia.

Never click on links or attachments from people that you don’t know, and be wary of strange emails that come from those that you do know. Their email account may have been compromised and used to spam others.

Email filtering is another good solution because it can stop many malicious emails from ending up in your inbox in the first place. You can’t be tricked by an email that you never see.

Ad blockers

Another protection measure is to run an ad blocker such as uBlock Origin, or one of the others discussed in Comparitech's ad blocker guide. This can be an effective strategy because malvertising is one of the core means that attackers use in their drive-by download campaigns. Blocking ads removes that delivery channel for most sites, though it is not a guarantee: ads served from a domain the blocklist doesn't cover, or injected directly into a compromised page, can still load.

This can be an effective strategy, but it also raises some ethical issues. Many websites provide content for free, and the only way they can sustain themselves is by showing ads to users. By avoiding the ads with an ad blocker, you’re accessing the content and draining the site’s resources, but denying them the small amount of income that comes from ads.

Some may argue that websites that display intrusive or dangerous ads don’t deserve income and only block ads from the most egregious offenders. However, if everyone started using ad blockers, we would no longer be able to access so much content for free.

If you want to minimize the ads that are delivered to your browser but still want to support creators and publishers, consider getting the bulk of your content from sites that have ad-free paid subscription services.

Script blocking

People can also protect themselves by using a script blocker such as NoScript. When you browse without an extension like NoScript, JavaScript (and, in older browsers, plugins such as Flash, which has since been retired and removed from browsers) runs automatically as soon as a page loads. While these scripts make the online experience smoother and more functional, they are also the mechanism behind most drive-by downloads, because the exploit code is delivered as a script.

When you use NoScript, it disables them by default, removing these threats. The downside of this is that it also reduces the functionality on many websites, or can make them completely unusable. For the sites that still run, you can use them as is, or enable whichever scripts you want to enhance the browsing experience.

If NoScript completely breaks a site, your only options are to selectively allow some of the scripts so that it runs, or seek what you are looking for on another site. While NoScript takes a bit of configuration and time to get used to, it puts control back in your hands.

You get to decide which websites you trust and are willing to allow JavaScript and other active content to run on. Many people may not want to go to this extra effort, and it may be a little confusing at first, but script blocking is still an important consideration if you want to reduce the online threats you face.

Don’t forget your other devices

Drive-by downloads are a threat to more than just your PC. They can affect your smartphone and other devices as well. While there are several factors that make these devices more secure, you still need to take some precautions.

You should never jailbreak or root your device unless you are a power user and are fully aware of the additional security dangers and challenges that these acts can bring. In line with this, you should only install apps from the official stores (Google Play or Apple's App Store). Even those stores occasionally let a malicious app through, so check the developer name and reviews before installing.

Apps and other software should also be kept up-to-date to make sure that your devices have the latest patches, keeping them safe from recently discovered security threats. Users also need to be on the lookout for sneaky tactics, such as pop-ups that look like call buttons or malicious links in emails and text messages.

What should you do if your website is distributing malware via drive-by download?

If you find that your website is distributing drive-by downloads, you need to act immediately. On one hand, the campaign could cause severe reputational damage to your brand. On the other hand, it could be an indication that your site has been compromised – not only is it spreading malware to others, but thieves could be probing deeper into the website, stealing data or launching other attacks.

Your website could be helping to spread drive-by downloads in two major ways. The first is through the ads it displays, the other is via the site itself. If it's through ads, then the first thing you need to do is find out which ads are spreading the malware. Capturing the page as a visitor sees it (not just your source files) and noting which ad slots load content from hosts you don't recognize is a good starting point.

It could be individual ads that hackers are paying for, or they may have compromised an entire ad network as part of their malware-spreading campaign. Once you have discovered the source, remove the offending ad or network from your pages.

In the future, make sure you research any ad networks that you wish to work with, and only allow trusted networks on your site. While this can’t provide complete protection from malicious ads being displayed on your site, it should reduce the chances significantly.

If the site itself has been compromised, you probably have much bigger problems. The injected code is typically a hidden iframe or an obfuscated script added to a template or shared file, but deleting it is not enough: the attackers got in somehow (stolen credentials, an unpatched plugin or CMS, a vulnerable upload form) and could be working their way further into your site, stealing data and causing other damage. Close the entry point, rotate every credential the site uses and restore from a known-clean copy, or the injection will simply reappear.
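A site owner who wants to check a captured page for the two problems described above (ad slots loading from unknown hosts, and injected hidden iframes or obfuscated scripts) can do so with a simple heuristic scan of the raw HTML. The following is an added example written for this article, not code from the article's author or from any product it mentions. The allow-list, the hostnames and the sample page are all constructed for illustration; example.com and example.net are reserved documentation domains.

```javascript
// Heuristic scanner for drive-by injection markers in saved HTML.
// Added example, not from the original article. Everything below
// (allow-list, hostnames, sample page) is constructed for illustration.

// Hosts the site owner knows and trusts (constructed allow-list).
const ALLOWED_HOSTS = new Set(['www.example.com', 'cdn.example.com']);

// Patterns that commonly appear in obfuscated loader scripts. A single hit
// is weak evidence (eval has legitimate uses); two or more is worth a look.
const OBFUSCATION_MARKERS = [
  /\beval\s*\(/i,
  /\bunescape\s*\(/i,
  /String\.fromCharCode/i,
  /document\.write\s*\(/i,
  /(?:%[0-9a-f]{2}){8,}/i,   // long run of URL-encoded bytes
  /(?:\\x[0-9a-f]{2}){8,}/i, // long run of \x escapes
];

// Extract a named attribute value from a tag's attribute string.
function attr(tagAttrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tagAttrs.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Resolve a src attribute to a hostname; relative URLs resolve against baseUrl.
function hostOf(src, baseUrl) {
  try { return new URL(src, baseUrl).hostname; } catch { return null; }
}

// True when the iframe is sized or styled so that a visitor would never see it.
function isHiddenIframe(tagAttrs) {
  const w = attr(tagAttrs, 'width');
  const h = attr(tagAttrs, 'height');
  const style = (attr(tagAttrs, 'style') || '').toLowerCase();
  const tiny = (v) => v !== null && parseInt(v, 10) <= 1;
  return tiny(w) || tiny(h)
    || /display\s*:\s*none|visibility\s*:\s*hidden/.test(style)
    || /(?:left|top)\s*:\s*-\d{3,}px/.test(style);
}

// Scan raw HTML and return a list of findings. Nothing in the page is executed.
function scanHtml(html, baseUrl, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];

  // 1. iframes: hidden frames and frames pointing off-site are classic injection signs.
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attrs = m[1];
    const src = attr(attrs, 'src');
    const host = src ? hostOf(src, baseUrl) : null;
    if (isHiddenIframe(attrs)) {
      findings.push({ kind: 'hidden-iframe', host, snippet: m[0] });
    } else if (host && !allowedHosts.has(host)) {
      findings.push({ kind: 'offsite-iframe', host, snippet: m[0] });
    }
  }

  // 2. scripts: external sources not on the allow-list, and obfuscated inline code.
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const attrs = m[1];
    const body = m[2];
    const src = attr(attrs, 'src');
    if (src) {
      const host = hostOf(src, baseUrl);
      if (!host || !allowedHosts.has(host)) {
        findings.push({ kind: 'unknown-script-host', host, snippet: m[0].slice(0, 120) });
      }
    } else {
      const hits = OBFUSCATION_MARKERS.filter((re) => re.test(body)).length;
      if (hits >= 2) {
        findings.push({ kind: 'obfuscated-inline-script', host: null, snippet: body.trim().slice(0, 120) });
      }
    }
  }
  return findings;
}

// Constructed sample page: two legitimate scripts, one visible third-party ad
// slot, one injected 1x1 off-screen iframe and one injected obfuscated loader.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="https://ads.example.net/slot.html" width="300" height="250"></iframe>
<iframe src="https://bad.example.net/landing.php" width="1" height="1" style="position:absolute;left:-9999px"></iframe>
<script>var _0x=unescape('%64%6f%63%75%6d%65%6e%74');eval(_0x);</script>
</body></html>`;

function demo() {
  return scanHtml(SAMPLE_HTML, 'https://www.example.com/');
}

for (const f of demo()) {
  console.log(`[${f.kind}] host=${f.host} :: ${f.snippet}`);
}
```

Run it with Node against the HTML of a page as a browser actually received it (for example, saved from the browser's network tab), since injected code is often added server-side and won't appear in your source repository. The scan flags the visible ad slot from an unknown host as something to verify with your ad network, and flags the 1x1 off-screen iframe and the eval/unescape loader as likely injections. It is a triage aid, not proof: confirm each finding by hand before removing anything, and keep the allow-list to hosts you have actually vetted.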

Because of this threat, those without security expertise in their organizations may need to engage outside professionals to rectify the situation. There could be a lot at stake – not only the reputational damage from infecting site visitors, but also the potential fallout from more intense attacks. This is why it’s crucial to make sure that compromises are addressed quickly and thoroughly.

Drive-by downloads: A huge threat with simple mitigation strategies

If this is the first time you have heard of drive-by downloads, this article may have terrified you. It’s certainly alarming to think that you could fall victim to a serious drive-by attack, all for something as simple as visiting your favorite website.

Even if the website is legitimate and you didn’t make any clicks, drive-by downloads can set off a chain of events that lead to devastating attacks. While these scenarios are worrying, the good news is that it’s relatively easy to minimize the chances of falling victim to the majority of these attacks.

By making sure that you always keep your software updated, following smart browsing practices and using tools like NoScript or an ad blocker, you will close off many of the paths that hackers take advantage of in their drive-by download campaigns. These steps can't make you 100 percent secure, but taking them should allow you to use the internet with confidence.