What is a drive-by download?
Drive-by downloads are among the most dangerous and deceptive types of cyberattack. A drive-by download is an unintentional, silent malware infection that occurs simply by visiting a compromised or malicious website: the site exploits vulnerabilities in outdated or insecure software to deliver malicious code with no user interaction. Because nothing visible happens, these attacks are difficult to detect and prevent, and they expose users to significant risk by secretly placing malicious code on their devices.
Definition: What is a drive-by download?
A drive-by download is a cyberattack where malicious software is installed on a user’s computer, phone, or tablet without their knowledge or permission. This can happen simply by visiting a website that has been compromised. Unlike authorized downloads, drive-by downloads do not require user approval – these are unintentional downloads, and users do not need to press download or interact with the page. The act of loading the page alone is enough to trigger the infection.
Drive-by downloads fall into two categories:
- Potentially Unwanted Programs or Applications (PUPs/PUAs), which may include spam, adware, or hidden software bundled with legitimate applications
- Malware downloads, which include viruses, spyware, Trojans, and other harmful software
Drive-by downloads can occur on legitimate, reputable websites, not just suspicious or fraudulent ones. Fraudulent websites are a common source, but even trusted web pages can be compromised and used to deliver these attacks.
While PUPs are generally considered annoying rather than dangerous, a malicious drive-by download can deliver malware with serious consequences. Cybersecurity professionals usually use the term “drive-by download” to refer to the latter.
Drive-by downloads exploit vulnerabilities in web pages to deliver malicious files, and the result is often a covert malware install.
Why are drive-by downloads used?
Attackers use drive-by downloads to exploit weaknesses in your device’s software, such as outdated browsers, operating systems, or plugins. Security vulnerabilities in outdated apps are common targets for these attacks. What makes these attacks especially dangerous is that they do not require any action from the user to begin. Simply visiting the wrong website can trigger an attack.
Once installed, the malware may:
- Gain remote control of your device and use it to launch further attacks, especially if you have admin privileges
- Monitor your online activity to steal personal or financial information, or inject banking trojans to steal sensitive financial data
- Damage, delete, or encrypt your data, causing permanent loss
- Use compromised or malicious ad networks to distribute malware through drive-by downloads
- Employ social engineering attacks or deliver malware via a malicious email attachment as related tactics
Because these attacks do not rely on user interaction, they are often harder to detect than other forms of cyber threats.
How do drive-by download attacks work?
Drive-by download attacks happen in two main ways. In many cases they are unauthorized drive-by downloads, where malicious code is silently downloaded to a user's device without their consent or knowledge.
Authorized but misleading downloads
These attacks occur when users unknowingly approve a download. This often happens when someone clicks a deceptive advertisement, acts on a fake antivirus alert, or downloads what appears to be legitimate software that includes hidden malware. One common method is "bundleware," where additional programs are packaged with free software. These extra programs are often selected by default, so users must opt out during installation; if they are not careful, they can unintentionally install malware or other unwanted applications.
Unauthorized and invisible downloads
In these cases, no user action is required. The attacker has already compromised a website and added malicious code. Malicious scripts can be injected through cross-site scripting (XSS) vulnerabilities, where attackers exploit weaknesses in input validation to insert harmful code into web pages. When users visit the infected page, these scripts run and silently exploit security flaws in the browser or device, and the malware is installed without any warning. Even well-known or trusted websites can be affected if they have not been properly secured.
Common types of malware installed through drive-by downloads
Drive-by downloads can deliver many types of harmful code, including:
- Trojans: Trojans pretend to be legitimate software but allow hackers to gain remote access to your device. They can steal sensitive data or be used to install more malware.
- Spyware: Spyware runs in the background and secretly collects personal information, including login credentials, credit card numbers, and browsing activity.
- Ransomware: Ransomware locks your files and demands payment to unlock them. These attacks often result in lost data, and paying the ransom does not guarantee file recovery.
- Adware: Adware floods your device with unwanted advertisements. While not always dangerous, it can slow your system and track your online behavior.
- Rootkits: Rootkits hide the presence of malware and allow attackers to control your system at a deep level. They are difficult to detect and remove.
Understanding these different types of malware can help you recognize warning signs and reduce your exposure to threats.
How exploit kits make attacks easier
Many drive-by downloads are made possible by exploit kits. These are software tools used by cybercriminals to scan websites and user devices for known weaknesses. Once a vulnerability is found, the exploit kit inserts a small piece of code that allows malware to be downloaded and installed. This process often leads to covert malware installs, where malicious software is silently executed on the victim's device without their awareness.
Exploit kits often rely on two types of software vulnerabilities:
- Zero-day exploits, which are flaws that have not yet been discovered or patched
- Known exploits, which are vulnerabilities that already have patches available but remain uninstalled
Even if a fix exists, many users and administrators fail to update their systems promptly. This allows attackers to take advantage of outdated software and gain access to devices through drive-by downloads.
Real-world examples of drive-by download attacks
Drive-by downloads have played a role in several major cyber incidents, including:
- NotPetya (2017): This attack used a drive-by download to spread destructive malware that targeted companies and government systems worldwide. Although it appeared to be ransomware, its true goal was to cause damage.
- WannaCry (2017): One of the most well-known ransomware attacks, WannaCry spread through drive-by download techniques and affected hundreds of thousands of systems across more than 150 countries.
- Equifax Breach (2017): Attackers exploited unpatched vulnerabilities in the Equifax website, using a drive-by download to gain access to sensitive information from more than 140 million people. In this case, malicious code was delivered through compromised web pages, making visitors vulnerable without any direct interaction.
- Yahoo Breach (2013): A drive-by download was used to infect users through Yahoo’s advertising network. This resulted in one of the largest data breaches in history.
These cases show just how devastating and far-reaching drive-by downloads can be.
The role of compromised websites in drive-by downloads
Compromised websites are a major source of drive-by download attacks, often serving as the launchpad for malicious code that targets unsuspecting visitors. When a user visits a compromised website, the site may contain hidden scripts or malicious components designed to exploit security flaws in the web page, the operating system, or desktop and mobile browsers. These vulnerabilities allow a drive-by download attack to occur, resulting in unauthorized downloads of malware onto a computer or mobile device, sometimes without any visible sign to the user.
Even legitimate websites can become compromised if they rely on outdated or unsupported components, leaving them open to security weaknesses that threat actors can exploit. This means that users are at risk not only from suspicious or unknown sites, but also from mainstream, well-established sites that have not been properly maintained. To prevent drive-by downloads, examine security popups carefully and be vigilant when downloading software, even from what appear to be legitimate program downloads. Website owners should regularly update all software and plugins to minimize the risk of their sites being used in download attacks.
Risks to endpoint users
Endpoint users, meaning anyone using a computer or mobile device, face significant risk from drive-by download attacks. Simply visiting a compromised website, clicking a malicious online ad, or interacting with a deceptive popup can result in the unintentional download of malicious code. These download attacks expose users to a range of threats, including banking trojans, ransomware, and other forms of malicious software.
To reduce the risk of drive-by downloads, endpoint users should keep their operating systems, browsers, and all software up to date with regular security patches. Using strong passwords and a reputable ad blocker can help prevent malicious activity and block harmful online ads before they have a chance to deliver malware. Remember that even mainstream, well-established sites can fall victim to compromise, so avoid download links from untrusted sources and be cautious when browsing or downloading files.
Mobile device security and drive-by downloads
Mobile devices are increasingly targeted by drive-by download attacks, especially when their operating systems or apps are outdated. When a user visits a compromised website on a mobile device, malicious code can exploit security flaws in the mobile browser or operating system, triggering a drive-by download attack that installs malware without the user’s knowledge.
To protect against these threats, keep mobile device software and operating systems updated with the latest security patches. Using strong passwords and being careful when downloading apps or clicking on online ads further reduces the risk of drive-by downloads. Additionally, network security measures such as firewalls and intrusion detection systems can help prevent download attacks on mobile devices, providing an extra layer of defense against malicious code.
Download payloads and their consequences
Download payloads are the actual malicious software or code delivered onto a computer or mobile device during a drive-by download attack. These payloads can have serious consequences, ranging from the theft of personal information and the injection of banking trojans to the installation of ransomware or other malicious software. Once a download attack succeeds, threat actors may gain access to sensitive data, take control of the device, or use it as part of a botnet to conduct further malicious activity.
The impact of drive-by downloads can be devastating, especially if users are unaware that their device has been compromised. To prevent drive-by download attacks, users should be cautious when visiting websites, particularly those with mature content, and avoid interacting with suspicious online ads or pop-ups. Website owners also play a critical role in stopping download attacks by keeping their website software and components up to date and implementing strong security measures to prevent malicious code injection.
How to protect against drive-by downloads
For website owners
If you manage a website, you are responsible for ensuring it cannot be used to spread malware. Take the following steps to protect your visitors:
- Keep all software, themes, and plugins fully updated
- Remove any components that are no longer supported
- Use strong, unique passwords for administrator accounts
- Install website monitoring and security tools to detect unauthorized changes
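One way a website owner can put the last point into practice, and catch the kind of injected script described under "Unauthorized and invisible downloads" above: an added Python example, not code from the original post, that compares a site's files against a hashed baseline and flags script tags loading from anywhere other than the site itself or an assumed allowlist. The allowlisted host cdn.example.com, the placeholder host unknown-host.example and the sample pages are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the only third-party origin this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdn.example.com"}

# Constructed sample site ({path: content}); a real deployment would read the files from disk.
BASELINE_SITE = {
    "index.html": '<html><head><script src="https://cdn.example.com/app.js"></script></head>'
                  '<body><script src="/static/ui.js"></script>Welcome</body></html>',
}
# The same site after a hypothetical compromise: a foreign script and an inline script were
# injected into index.html, and a new page loading a data: URL script appeared under uploads/.
CURRENT_SITE = dict(BASELINE_SITE)
CURRENT_SITE["index.html"] = BASELINE_SITE["index.html"].replace(
    "</body>", '<script src="//unknown-host.example/x.js"></script><script>/*..*/</script></body>')
CURRENT_SITE["uploads/new.html"] = '<html><body><script src="data:text/javascript,1"></script></body></html>'

def build_manifest(files):
    """Map each path to the SHA-256 of its content: the baseline an integrity check compares against."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in files.items()}

class _ScriptCollector(HTMLParser):
    """Collect external script sources and count inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self.inline += 1

def suspicious_scripts(html):
    """Return (external script URLs that are neither same-origin nor allowlisted, inline script count)."""
    c = _ScriptCollector()
    c.feed(html)
    flagged = []
    for src in c.external:
        u = urlparse(src)
        if u.hostname is None and not u.scheme:      # relative URL: same-origin, expected
            continue
        if u.hostname not in ALLOWED_SCRIPT_HOSTS:   # foreign host, or data:/javascript: (hostname None)
            flagged.append(src)
    return flagged, c.inline

def audit(baseline_files, current_files):
    """Paths added or modified since the baseline; each HTML one is checked for injected scripts."""
    base, cur = build_manifest(baseline_files), build_manifest(current_files)
    changed = sorted(p for p in cur if p not in base or base[p] != cur[p])
    return {p: suspicious_scripts(current_files[p]) if p.endswith(".html") else None for p in changed}
```

Run on a schedule against the deployed document root, an empty result means nothing changed since the baseline; any flagged URL or unexpected inline script on a changed page is worth treating as a possible injection rather than a routine edit.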
For individual users
Here are seven tips to reduce your risk of a drive-by download:
- Use a standard (non-administrator) account for daily activities. This limits malware’s ability to make changes to your system.
- Keep your operating system and web browser up to date with the latest patches.
- Uninstall unnecessary software, especially old programs that no longer receive updates.
- Download applications only from trusted sources and pay close attention during installation to avoid bundleware.
- Be cautious with links and attachments in emails, especially from unknown senders.
- Use antivirus and anti-malware software that includes real-time protection and regular scans.
- Install browser extensions that block pop-ups and scripts, which can prevent malicious content from loading.
Final thoughts
Drive-by downloads are silent but highly effective cyberattacks. They can compromise your device, steal your data, and cause serious harm without you ever realizing it. The best way to stay safe is through a combination of awareness, software updates, and strong security practices. Whether you are a website owner or a casual internet user, taking proactive steps can make all the difference in protecting your data and privacy online.
This post has been updated on 09-07-2025 by Sarah Krarup.
Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.