What is a drive-by download?

Drive-by downloads can pose a major risk to your online security, so it's important to be aware of this type of cyber attack.

17-08-2022 - 8 minute read. Posted in: cybercrime.

What is a drive-by download?

Drive-by downloads can pose a major risk to your online security, so it's important to be aware of this type of cyber attack.

The definition of a drive-by download

Drive-by download attacks specifically refer to a malicious program that is installed on a person's digital devices, such as computers, tablets or mobile phones, without their consent or knowledge. This also includes accidental downloads of files or accompanying software to a computing device. These kinds of attacks are found in many places on the web and can spread to legitimate websites, which further spread them to users.

There are two main variants of drive-by download attacks:

  • Potentially unwanted programs or applications (PUPs/PUAs), which are not malicious.
  • Download with malware.

While the former is typically safe, it may contain adware or spam emails, which can be very annoying for the victim. Cybersecurity experts typically use the latter as their definition of drive-by downloads.

What is the purpose of a drive-by download attack?

A drive-by download attack refers to an accidental download of malicious code (malware) to a computer or mobile device, which leaves the victim vulnerable to cyber-attack. A person does not have to click on anything, press "download" or open a malicious attachment to be infected with the malicious code, making this type of attack extra widespread.

A drive-by download can take advantage of an app, operating system or web browser that contains security flaws due to failed updates or lack of updates. Unlike many other types of cyberattacks, a drive-by download does not rely on the user doing anything to actively activate the attack.

Drive-by downloads are designed to infect your device to perform one or more of the following:

  • Overtake your device - to build a botnet, infect other devices, or further infect your device.

  • Monitor your activity - to steal your online credentials, financial information or identity.

  • Damage data or disable your device - to simply cause trouble or personally harm you.

Without proper security software or patches to remove vulnerabilities, anyone can fall victim to a drive-by download attack.

How does a drive-by download attack work?

Most people don't think about drive-by downloads and may not realise that you can be hit by malware without actively downloading it yourself. Since the attacks can infect "secure sites" on the web, most people have no idea how or that they have been hit by an attack.

There are two main ways drive-by downloads get onto your devices:

  • Authorised without knowing the full implications: You take an action that leads to infection, such as clicking a link on a misleading fake security warning or by downloading a Trojan.

  • Completely unauthorised without any notification: You visit a web page and become infected without any notification or further action. These downloads can be anywhere, even legitimate sites.

Knowing exactly what a drive-by download is is just as important as knowing how to spot a potential attack.

Authorised downloads with hidden profits

Authorised drive-by downloads are streamlined and can sometimes be detected before the attack happens. They start with an attacker creating a vector to deliver malware - this can be online messages, advertisements or legitimate application downloads. A user then interacts with the vector by clicking on a deceptive link, downloading software, etc.

The malware is installed on the user's device and if the user has no anti-virus software or similar, they will not detect it. The hacker then enters the user's device and can then perform several malicious actions.

Software or websites can be infected with malware without it being detectable. Therefore, it can be easy for hackers to carry out their drive-by download attacks, as many users can access the affected websites.

An example of a concrete attack is that a user is sent a link via email or a post on their social media feed. It is made to look like it is sent from sources that the user knows and trusts. This social engineering tactic is used to entice the user to click and open the email or post. When the user enters the website to which the link refers, the drive-by download installs itself on the user's computer or mobile device.

Bundleware is a popular "authorised" method of drive-by download attack that uses secondary applications linked to a person's actual desired application download. These potentially unwanted programs/applications(PUPs/PUAs) can hide malware or be malware themselves. Bundeware typically exists as an opt-out when a person downloads free software or shareware.

Phishing can also be used to target individuals with drive-by downloads. Pop-up advertisements or emails, supposedly from organisations or people a person knows, ask them to click on links or download attachments. Typically, the messages are manipulative and attempt to arouse emotions in people, leading them to perform the desired actions.

Unauthorised downloads without your knowledge

An unauthorised drive-by download works in a very simple way. A hacker compromises a website and adds a malicious component to a security flaw. A user triggers the component by visiting the site, and it finds the device's security holes. By exploiting the poor security, the component downloads malware to the device. The hacker can then perform the malicious actions, such as controlling the device or stealing data from it.

As mentioned above, unauthorised malicious code is distributed directly by the compromised websites. However, the code must first be placed there by the hackers.

"Exploit kits" is the name of the software used to compromise vulnerable web servers and devices. These kits identify software vulnerabilities on machines and web browsers to find out which systems are easy to target. Exploit kits often use small pieces of code designed to get past simple cyber defenses and go largely unnoticed. The code is kept simple to focus on one type of task: contacting another computer to introduce the rest of the code it needs to access a mobile device or computer.

Security vulnerabilities that can be detected by exploit kits are inevitable in the digital age. No software or hardware can ever be made perfect. Just as a building can be infiltrated with careful investigation and planning, so can any software, network or other digital infrastructure. Vulnerabilities typically come in these forms:

  • Zero-day exploits: Security flaws without any known fixes or patches.

  • Known exploits: Security issues that have known but uninstalled fixes.

Zero-day exploits are hard to avoid, but well-known exploits are manipulated solely due to poor cyber security practices. If endpoint users and web administrators fail to update all their software in a timely manner, they will also delay important security updates - and this is what hackers exploit.

Drive-by downloads are by far one of the harder cyber threats to prevent. It requires proper and constant attention and strong security at all points of contact with the internet.

How to avoid an unwanted drive-by download attack

As with many aspects of cyber security, the best defense is caution. You should never take your security for granted. Here are some good guidelines on how to avoid downloading malicious code through the Internet.

How website owners can prevent a drive-by download

As a website owner, you are the first line of defence against hackers trying to target website visitors. To best protect your website and your users, you can strengthen your infrastructure in several ways:

  • Keep all site components updated. This includes any themes, add-ons, plugins or any other infrastructure. Each update is likely to have new security fixes to keep hackers out.

  • Remove any outdated or unsupported components on your website. Without common security patches, old software is easy to exploit.

  • Use strong passwords and usernames for your administrator accounts. Brute force attacks make it easy for hackers to guess weak passwords. Use a password manager to stay safe.

  • Install protective web security software on your website. Monitoring software helps keep an eye on any changes to your site's backend code.

Seven tips for endpoint users

As a user, it is important to use the various security features offered for your software. Here are some concrete tips:

  • Use only your computer's administrator account for program installations. Admin privileges are required so that drive-by downloads can be installed without your knowledge. Since this setting is the default on your main account, use a secondary non-administrator account for daily use.

  • Keep your web browser and operating system updated. New patches help fix security holes that can allow drive-by download code a way in.

  • Be careful about having too many unnecessary programs and apps. The more plug-ins you have on your device, the more susceptible you are to malware infection. Keep only that software,you trust and use often. Also remove any older apps that no longer receive updates.

Author Sofie Meyer

Sofie Meyer

Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.

View all posts by Sofie Meyer

Similar posts