Drive-by download attack: What is it and how does it work?

In most cases, the user doesn’t even need to click on any links or open malicious attachments to catch a virus. The malware behind the infected web page begins to exploit security flaws and vulnerabilities in the user’s browser or operating system as soon as the victim enters the website.

Cybercriminals use drive-by download attacks to infiltrate Internet of Things (IoT) devices with all sorts of malware, make changes to both inbound and outbound data traffic, alter your device so it won’t function properly anymore, and carry out data theft.

Drive-by download attacks work either by luring victims into clicking on malicious links and downloading malware or exploiting browser and device software vulnerabilities without user knowledge.

Depending on their payload and the way they infect devices, drive-by download attacks can be divided into two types:

• Active attacks. This type of attack requires interaction with the user. Hackers typically take advantage of trustworthy websites and software applications by creating malicious doppelgangers and tricking users into downloading malware while they think it’s a legitimate program. Malicious drive-by downloads can also hide behind pop-up ads and online messages. Once malware installs on the device, it can permit hackers unauthorized access to all the stored data.
• Passive attacks. This type of attack doesn’t require interaction with the user and can remain unnoticed for quite some time. Cybercriminals infiltrate various websites by inserting malicious payload into HTML or JavaScript files. These payloads search for vulnerabilities in the browser and operating system of the device. If malware finds software security gaps, it infects the device and allows hackers to exploit it.

To have a better understanding of how drive-by download attacks work, take a look at the real-life examples below:

1. Nuclear exploit kit. Active around the mid-2010s, the Nuclear exploit kit searched for browser and plugin vulnerabilities to spread malware to users’ devices. Working in a passive drive-by download mode, the Nuclear exploit kit delivered malicious payloads, ranging from ransomware to trojans to unsuspecting users.
2. Rig exploit kit. This cyberattack typically relied on malvertising. Hackers would buy some ad space on legitimate websites and implant exploit kits within their ads. This way, users were exposed to malware checking for system vulnerabilities by simply visiting the site.
3. ElTest campaign. The most well-known variant of this campaign was a fake HoeflerText font update. When a Chrome user would visit an infected website, they’d see an error saying, “HoeflerText font wasn’t found.” The user would be urged to download a font package to view the site but would soon realize that the font package was actually a malicious payload.
4. Flashback trojan for Mac. This trojan had bashed the long-lasted notion that Mac computers were immune to malware. First, it was disguised as an Adobe Flash Player installer, and later, it exploited JavaScript vulnerabilities whenever a Mac user landed on an infected web page.

Drive-by download attacks can take various forms and be met almost anywhere online. Let’s look into the most prevalent types of drive-by download attacks:

• Malicious ads. Malvertising is one of the preferred methods by hackers to conduct drive-by download attacks. Cybercriminals tend to buy up ad space on legitimate websites and display ads with malicious payloads or simply infect legitimate ads with malware. Whenever a victim clicks on an infected ad, they either download malware directly onto a computer or get redirected to websites infected with malicious software.
• Cross-site scripting (XSS) assaults. This assault occurs when the web page doesn’t validate or sanitize the user input before processing it. This leaves space for hackers to inject malware-ridden client-side scripts and spread them further to users who visit the corrupted website.
• Exploit kits. Cybercriminals typically use exploit codes to take advantage of the software vulnerabilities of the victim’s device. It only takes one visit to a website that hosts an exploit kit to receive a malicious payload to your device if it has any software security flaws. Hackers can also send exploit kit tools through email and messaging platforms.
• Phishing attacks. During phishing attacks, malicious entities use various social engineering schemes as they try to tempt users into clicking on infected links or downloading files containing malware. Phishing attacks are typically conducted through various communication channels, including emails, social media, and online messaging apps.
• Watering hole threats. These cyberattacks target a specific group of users who are known to visit particular websites and online resources regularly. Hackers attempt to gain access to specific websites, exploit shortcomings in the site’s web applications, software, or plugins, and embed malware. Because users are likely to trust websites they often visit, these attacks can affect even the most cyber-cautious internet users.

Hackers choose malicious payloads according to the specific goals they want to achieve, be it crippling the device’s software, stealing a user’s identity, or drying up their financial resources. Below are the payloads most widely used in drive-by download attacks:

• Adware targets users’ devices through various online advertisements, from pop-up ads to legitimate-looking banners. Sometimes, the user doesn’t even need to click on the ad for the malware behind it to begin searching for software vulnerabilities.
• Browser hijackers modify browser settings without the user’s knowledge. Afterward, it displays random search results, making the user land on unwanted web pages. Aggressive advertisers often use browser hijackers to draw more internet traffic or collect data for more targeted advertising.
• A botnet is a huddle of internet-connected devices infected and controlled by the same malware. Botnet aims to spread to as many devices as possible without rousing the suspicion of its victims. This type of malware is typically used in denial-of-service (DDoS) attacks.
• Keyloggers track user’s keystrokes to steal their login credentials, bank account details, and other sensitive data. Becoming a victim of a keylogger often leads to identity theft, financial fraud, and other privacy breaches.
• A trojan typically disguises itself as a legitimate program or software application only to drop its malicious payload once the user executes it. Depending on its target, a trojan can conduct fraudulent transactions to open the doors for hackers to access your device and demand ransomware for stolen data.
• Ransomware is a cyberattack during which a hacker encrypts user data or denies access to their devices until the user pays ransom to regain their access.

The targets of drive-by downloads usually depend on the wishes of hackers who have infiltrated the webpage with a particular payload. Below, you can find some types of sensitive data most valued by cybercriminals:

• Personal information, including name, address, phone number, national security number, and anything else that can be tied to a person’s identity.
• Financial information, for instance, credit card and banking operations details or bank account numbers.
• Login credentials – usernames and passwords.
• Business data, including internal communication, business strategies, marketing data, patents, and research and development data.
• Browser data, such as search history, cookies, and bookmarks.

The best way to avoid drive-by download attacks is to take the security and integrity of a website seriously. Below are some simple yet highly effective measures every website owner should take to protect their web pages:

• Keep your website elements, such as extensions, plugins, and add-ons, up to date.
• Carefully check and review ads on your website. Hackers often infect ads to distribute malicious payloads.
• Get rid of outdated software – it’s any hacker’s favorite entry point to your online domain.
• Use a strong password for the admin account. You should also consider using a password manager to generate robust passwords capable of withstanding brute-force attacks.
• Set web application firewalls (WAFs) to closely follow and filter your website’s traffic.
• Restrict third-party components on your web pages to diminish the odds of various malware infections.
• Use a secure internet protocol compatible with HTTPS. Browsers encrypted with HTTPS are harder for hackers to crack and insert malicious payloads.

Being conscious of cyber threats is the best way to keep various malware infections at bay, including drive-by downloads. Here are some tips on how you can avoid falling victim to drive-by download payloads:

• Regularly update your operating system and software. Though it’s tempting to postpone the pending update for just a couple of more days, hackers are quick to seize the opportunity to exploit outdated software when they encounter them. Updates patch operating systems and software security vulnerabilities and close the window for cybercriminals to access your device and data.
• Make sure to download the official software. Whenever you’re downloading programs, check twice if you are downloading the official ones. Hackers are skilled in creating convincing doppelgangers and inserting malicious codes into legitimate-looking applications.
• Get rid of unused apps. Every program, plugin, and app is susceptible to cyberattacks. By removing the ones you don’t use anymore, you’ll need to manage fewer items for security vulnerabilities.
• Use antivirus software. It’s the first instance that saves you against online threats. However, make sure to use a reliable provider’s antivirus for a higher security level.
• Use ad blockers. Crimeware often hides behind pop-up ads and intrusive banners. Ad-blocking software can reduce your chances of being infected with malicious code and lessen the number of intrusive ads you see.
• Use a reliable web browser. Widely used browsers like Google Chrome, Mozilla Firefox, or Microsoft Edge have built-in security features that can help protect you against fake or infected websites and downloads.