What is a drive-by download?

Drive-by downloads can pose a major risk to your online security, so it's important to be aware of this type of cyber attack.

17-08-2022 - 11 minute read. Posted in: cybercrime.


The definition of a drive-by download

Drive-by download attacks specifically refer to a malicious program or hidden malicious code that is installed on a person’s digital devices, such as computers, tablets or mobile phones, without their consent or knowledge. This also includes accidental downloads of files or accompanying software to a computing device. These kinds of attacks are found in many places on the web and can spread to legitimate websites, which further spread them to users.

There are two main variants of drive-by download attacks:

  • Potentially unwanted programs or applications (PUPs/PUAs), which are not malicious.

  • Download with malware.

While the former is typically safe, it may contain adware or spam emails, which can be very annoying for the victim. Cybersecurity experts typically use the latter as their definition of drive-by downloads.

What is the purpose of a drive-by download attack?

A drive-by download attack refers to an accidental download of malicious software or code (malware) to a computer or mobile device, which leaves the victim vulnerable to cyber-attack. A person does not have to click on anything, press “download” or open a malicious attachment to be infected with the malicious code, which makes this type of attack especially widespread.

A drive-by download exploits vulnerabilities in applications, operating systems, or web browsers that result from missed or outdated security updates. Unlike many other cyberattacks, it does not require any action from the user to initiate the attack.

Drive-by downloads are designed to infect your device to perform one or more of the following:

  • Overtake your device: to build a botnet, infect other devices, or further infect your device.

  • Monitor your activity: to steal your online credentials, financial information or identity.

  • Damage data or disable your device: to simply cause trouble or personally harm you.

Without proper security software or patches to remove vulnerabilities, anyone can fall victim to a drive-by download attack.

How does a drive-by download attack work with malicious software?

Most people don’t think about drive-by downloads and may not realise that you can be hit by malware without actively downloading it yourself. Since the attacks can infect “secure sites” on the web, most people have no idea how or that they have been hit by an attack.

There are two main ways drive-by downloads get onto your devices:

  • Authorised without knowing the full implications: You take an action that leads to infection, such as clicking a link on a misleading fake security warning or by downloading a Trojan.

  • Completely unauthorised without any notification: You visit a web page and become infected without any notification or further action. These downloads can be anywhere, even legitimate sites.

Knowing exactly what a drive-by download is matters just as much as knowing how to spot a potential attack.

Authorised drive-by downloads are streamlined and can sometimes be detected before the attack happens. They start with an attacker creating a vector to deliver malware - this can be online messages, advertisements or legitimate application downloads. A user then interacts with the vector by clicking on a deceptive link, downloading software, etc.

The malware is installed on the user’s device and, if the user has no anti-virus software or similar, they will not detect it. The hacker then enters the user’s device and can perform several malicious actions.

Software or websites can be infected with malware without it being detectable. Therefore, it can be easy for hackers to carry out their drive-by download attacks, as many users can access the affected websites.

An example of a concrete attack is that a user is sent a link via email or a post on their social media feed. It is made to look like it is sent from sources that the user knows and trusts. This social engineering tactic is used to entice the user to click and open the email or post. When the user enters the website to which the link refers, the drive-by download installs itself on the user’s computer or mobile device.

Bundleware is a popular “authorised” method of drive-by download attack that uses secondary applications linked to a person’s actual desired application download. These potentially unwanted programs/applications (PUPs/PUAs) can hide malware or be malware themselves. Bundleware typically exists as an opt-out when a person downloads free software or shareware. When downloading free software, users should be cautious, as it can sometimes include hidden malware or bundleware that installs unwanted programs alongside the intended software.

Phishing can also be used to target individuals with drive-by downloads. Pop-up advertisements or emails, supposedly from organisations or people a person knows, ask them to click on links or download attachments. Typically, the messages are manipulative and attempt to arouse emotions in people, leading them to perform the desired actions.

Types of malicious code

Drive-by download attacks can install various types of malicious code onto a computer or mobile device. Here are some common types of malicious code that you should be aware of:

  • Trojans: These malicious programs disguise themselves as legitimate software. Once installed, they can allow hackers to access your device remotely, steal sensitive information, or install additional malware. Trojans are particularly dangerous because they often go unnoticed until significant damage has been done. Learn more about how Trojans operate and how to protect your devices.

  • Spyware: This type of malware is designed to secretly monitor and collect sensitive information from your device. Spyware can capture login credentials, financial information, and other personal data, all without your knowledge. It can be particularly harmful as it compromises your privacy and security. Read our blog post to learn more about how spyware operates and how to protect yourself.

  • Ransomware: Ransomware encrypts your device’s files and demands payment in exchange for the decryption key. This type of malware can cause significant damage, as it can render your important files inaccessible. Paying the ransom offers no certainty that access to your files will be restored, making this type of attack especially damaging.

  • Adware: While not typically malicious, adware is designed to display unwanted advertisements on your device. Adware can be annoying and can slow down your device’s performance. In some cases, adware can also track your browsing habits and display targeted ads, further compromising your privacy.

  • Rootkits: These malicious programs hide the presence of other malware on your device. Rootkits can make it difficult to detect and remove malware, as they operate at a low level within the operating system. This makes them a powerful tool for hackers looking to maintain long-term access to your device. Dive into how rootkits work and why they pose a serious cybersecurity threat.

Understanding these types of malicious code can help you recognize the potential threats posed by drive-by download attacks and take steps to protect your computer or mobile device.

Unauthorized downloads without your knowledge

An unauthorized drive-by download works in a very simple way, often involving unauthorized downloads initiated by visiting compromised websites. A hacker compromises a website and uses a security flaw to plant a malicious component on it. A user triggers the component by visiting the site, and it probes the device for security holes. By exploiting the poor security, the component downloads malware to the device. The hacker can then perform the malicious actions, such as controlling the device or stealing data from it.

As mentioned above, unauthorized malicious code is distributed directly by the compromised websites. However, the code must first be placed there by the hackers.

Exploit kits are software tools used to compromise vulnerable web servers and devices. These kits scan for software weaknesses in machines and web browsers to identify easy targets. They typically deploy small code snippets designed to bypass basic security measures while remaining undetected. The code is kept minimal and focused on a single task: connecting to another system to deliver the additional code needed to gain access to a computer or mobile device.

In the digital age, the security vulnerabilities that exploit kits rely on are unavoidable. No software or hardware can ever be entirely flawless. Just as a physical building can be breached through careful planning and analysis, digital systems, including software, networks and other infrastructure, can also be compromised. Common types of vulnerabilities include:

  • Zero-day exploits: Security flaws without any known fixes or patches.

  • Known exploits: Security issues that have known but uninstalled fixes.

Zero-day exploits are difficult to prevent, but widely known vulnerabilities are often exploited due to weak cybersecurity practices. When endpoint users and web administrators neglect timely software updates, they also postpone critical security patches, creating opportunities for hackers to take advantage of these gaps.

Drive-by downloads are among the harder cyber threats to prevent. Keeping them out requires proper and constant attention and strong security at every point of contact with the internet.

Real-world examples of drive-by download attacks

Drive-by download attacks have been used in several high-profile cyberattacks in recent years. Here are some notable examples:

  • The NotPetya attack: In 2017, a drive-by download attack was used to spread the NotPetya malware. This attack caused widespread damage to computers and networks around the world, disrupting businesses and causing significant financial losses. NotPetya was particularly destructive because it masqueraded as ransomware but was designed to cause maximum damage rather than generate profit.

  • The WannaCry attack: Also in 2017, the WannaCry ransomware spread through a drive-by download attack. This malware encrypted files on infected computers and demanded payment in Bitcoin for the decryption key. The WannaCry attack affected hundreds of thousands of computers in over 150 countries, highlighting the global reach and impact of drive-by download attacks.

  • The Equifax breach: In 2017, a drive-by download attack was used to breach the Equifax website. This attack resulted in the theft of sensitive information from millions of people, including Social Security numbers, birth dates, and addresses. The Equifax breach underscored the importance of securing websites against drive-by download attacks to protect user data.

  • The Yahoo breach: In 2013, a drive-by download attack was used to breach the Yahoo website. This attack led to the theft of sensitive information from millions of users, including email addresses, passwords, and security questions. The Yahoo breach is one of the largest data breaches in history and serves as a stark reminder of the potential consequences of drive-by download attacks.

These examples demonstrate the severe impact that drive-by download attacks can have on individuals and organizations. By understanding these real-world cases, you can better appreciate the importance of taking proactive measures to prevent such attacks.

How to avoid an unwanted drive-by download attack

As with many aspects of cyber security, the best defence against drive-by downloads is caution. You should never take your security for granted. Here are some good guidelines on how to avoid downloading malicious code through the Internet.

How website owners can prevent a drive-by download

As a website owner, you are the first line of defence against hackers trying to target website visitors. To best protect your website and your users, you can strengthen your infrastructure in several ways:

  • Keep all site components updated. This includes any themes, add-ons, plugins or any other infrastructure. Each update is likely to have new security fixes to keep hackers out.

  • Remove any outdated or unsupported components on your website. Without common security patches, old software is easy to exploit.

  • Use strong passwords and usernames for your administrator accounts. Brute force attacks make it easy for hackers to guess weak passwords. Use a password manager to stay safe.

  • Install protective web security software on your website. Monitoring software helps keep an eye on any changes to your site's backend code, so that an injected component is noticed before many visitors are exposed to it.
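The last two points above (old components are easy to exploit; monitoring software watches for changes to the site's code) can be made concrete with a small integrity monitor. The script below is an added example written for this post, not code from the original article or from any product it mentions. It assumes the site's files live in a directory the script can read, that a baseline of SHA-256 hashes is kept somewhere outside the web root, and that the site owner maintains an allowlist of origins the site legitimately loads scripts from; the allowlist origin, file names and injected tag in `demo()` are constructed for illustration. Beyond flagging changed files, it scans any changed HTML/PHP file for `<script>` or `<iframe>` tags that pull code from an origin not on the allowlist, which is the typical footprint of a planted drive-by component.

```python
"""File-integrity and injected-content monitor for a web root (added example)."""
import hashlib
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Constructed allowlist of origins this site is expected to load code from.
# Hypothetical value; a real site owner maintains this list.
ALLOWED_ORIGINS = {"https://cdn.example-site.test"}

# File types whose markup is scanned for <script>/<iframe> tags.
MARKUP_SUFFIXES = {".html", ".htm", ".php"}

# Matches the src attribute of <script> and <iframe> tags, in any attribute order.
_SRC_RE = re.compile(
    r"<(?:script|iframe)\b[^>]*?(?<![\w-])src\s*=\s*[\"']([^\"']+)[\"']",
    re.IGNORECASE,
)


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large assets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(old: dict, new: dict) -> dict:
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def unexpected_sources(html: str, allowed=ALLOWED_ORIGINS) -> list:
    """Return script/iframe src values served from origins not on the allowlist.

    Relative URLs are same-origin and are therefore not flagged; a scheme-less
    "//host/path" URL is treated as https for the origin comparison.
    """
    flagged = []
    for src in _SRC_RE.findall(html):
        parts = urlsplit(src.strip())
        if not parts.netloc:
            continue
        origin = f"{parts.scheme or 'https'}://{parts.netloc.lower()}"
        if origin not in allowed:
            flagged.append(src)
    return flagged


def check_site(root: Path, baseline: dict) -> dict:
    """Compare root against the baseline and scan changed markup for foreign sources."""
    report = diff_baseline(baseline, build_baseline(root))
    report["injected"] = {}
    for rel in report["added"] + report["modified"]:
        path = root / rel
        if path.suffix.lower() in MARKUP_SUFFIXES:
            found = unexpected_sources(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                report["injected"][rel] = found
    return report


def demo() -> dict:
    """Build a constructed two-file site, baseline it, then simulate tampering that
    appends a foreign <script> tag and drops a new file; return the resulting report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(
            '<html><body><script src="https://cdn.example-site.test/app.js"></script>'
            '<script src="/local.js"></script></body></html>',
            encoding="utf-8",
        )
        (root / "style.css").write_text("body { margin: 0 }", encoding="utf-8")
        baseline = build_baseline(root)  # in practice, store this outside the web root
        # Constructed tampering: one foreign script tag appended, one stray file added.
        with (root / "index.html").open("a", encoding="utf-8") as fh:
            fh.write('<script type="text/javascript" src="//evil.example.test/x.js"></script>')
        (root / "dropped.php").write_text("<?php echo 'hi'; ?>", encoding="utf-8")
        return check_site(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a schedule (or from a deploy hook, regenerating the baseline after each legitimate release) and alert on any non-empty `added`, `modified` or `injected` entry. Keep the baseline file outside the web root and writable only by the deploy account, otherwise an attacker who can edit the site can also rewrite the baseline.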

Tips for endpoint users

As a user, it is important to use the various security features offered for your software. Here are some concrete tips:

  • Use your computer's administrator account only for program installations. Drive-by downloads need admin privileges to install themselves without your knowledge, and the main account created on most systems has those privileges by default, so use a secondary non-administrator account for daily use.

  • Keep your web browser and operating system updated. New patches help fix security holes that can allow drive-by download code a way in.

  • Be careful about having too many unnecessary programs and apps. The more plug-ins you have on your device, the more susceptible you are to malware infection. Keep only the software you trust and use often. Also remove any older apps that no longer receive updates.

This post has been updated on 07-02-2025 by Sarah Krarup.

Author Sarah Krarup


Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
