What is a Drive-By Attack?
A drive-by attack, also known as a drive-by download attack, refers to a cyberattack in which a malicious script causes a program to download and install itself on a user device, without explicit permission from the user. It can happen on any user device, running any operating system. Often, these attacks occur when the user navigates to and browses a compromised web page.
Drive-by attacks often use exploit kits to launch the automatic download. Exploit kits are malicious pieces of software, created by hackers to identify vulnerabilities in a device, web browser, or web-based app. These weaknesses are then used to launch the automatic download process and carry out the attack. Drive-by attacks are designed to infect devices, steal information, and/or cause damage to data.
Drive-by attacks are named as such because the download occurs silently, as they pass by, leaving users mystified as to how their devices was infected. There are two main methods through which drive-by downloads can infect a user device:
In these cases, there is no direct user action which causes the download to begin. In other words, the attack is launched when the user visits a compromised webpage, without the need for any interaction with the page, not even a single click.
To create such an attack, the hacker injects malicious code into the web page by exploiting flaws in the website’s security. When the user first visits the page, the code identifies any security vulnerabilities in either the user’s web browser or the user’s device, and triggers the malware download through these vulnerabilities.
With authorization under false pretences
Sometimes, there is a user action involved in a drive by download, but under false pretences. There are a few different ways this can be done, for example:
All three examples involved a simple click or button press. These actions allow the attacker to claim that the user authorized the download, when in reality the user did not realize the implications of their actions, as the true intentions of the attacker were hidden. In this way, the hacker can get away with the download without being detected.
To prevent and detect drive by attacks, a number of different steps can be taken:
Of course, care should always be taken not to visit suspicious websites in the first place.Try and stick to browsing well-known sites with valid security certificates.
Many browsers will show security warnings when something isn’t right with a web page. If a browser blocks access to a web page because it seems suspicious, or something is wrong with its security certificate, don’t proceed without a really good reason.
To avoid falling victim to a drive-by attack, it’s important to verify that all links are legitimate before clicking on them. Pay particular attention to advertisements, and anything that promises some kind of reward, or encourages you to input valuable data. Look out for the common signs of suspicious content, such as low quality images, or spelling mistakes.
It’s also possible to install an ad-blocker as a browser extension, which prevents advertisements from appearing altogether. This can avoid potential misclicks that could lead to a drive-by download attack. Just make sure that the ad-blocker is from a trustworthy source too.
When you’re downloading software, make sure the site you’re downloading from is known, secure, and reputable. In addition, whenever installing software, make sure not to install any of the optional extra software (‘bundleware’) that comes with it, in case it contains malicious code.
A related recommendation is to delete any software on your device that you don’t use, and anything that is no longer supported by the software vendor.
It’s crucial to have robust antivirus and firewall software solutions in place to detect threats such as malware. These traditional security solutions provide first-level protection for the user from malicious Internet content. However, because they use a signature-based approach, they can detect only known threats and are wholly ineffective against new variants and zero day threats.
Web isolation, leveraging remote browser isolation technology, operates under the Zero Trust assumption that any websites is likely to contain dangerous content. This more modern approach provides reliable protection against drive-by attacks by running all website code in a container that’s isolated on a remote server or in the cloud. Only safe rendering data is sent to the endpoint, where users interact with the site as usual, on their regular browsers. No code ever reaches the endpoint, preventing drive by download attacks from succeeding.
A comprehensive security strategy leveraging modern cloud-based secure access service edge (SASE) platform, will combine antivirus, next-gen cloud firewalls and RBI in a comprehensive Zero Trust solution. Additional technologies included in these platforms, such as identity and access management (IAM) and microsegmentation can help minimize damage in the event that a drive-by or other attack manages to get past your defenses.
To ensure the highest levels of protection against malware and other web-based threats, keep all of your software up-to-date, including the automatic updates that are run by your operating system. Often, when security vulnerabilities are discovered, the software vendor will come up with a patch or fix to address the issue. If the user hasn’t updated their software regularly, the software will be more vulnerable to exploits and drive by download attacks, due to the unresolved vulnerabilities that are present. This is especially important for web browsers, and other software that has access to the Internet. It goes without saying that security software should also be kept up-to-date, for the detection of recently discovered threats.
As mentioned above, hackers use website security flaws to inject malicious code (as part of an exploit kit) and launch a drive-by download attack. Website owners should take the following precautions, to ensure their website is secure and doesn’t present a security risk to site visitors: