What Is a Drive-By Download Attack?
Types of Drive-by Download Attacks
Although drive-by downloads often operate through websites that provide mature and illegal content or via file-sharing platforms, reputable websites can also be compromised with hidden malicious code. Due to the apparent legitimacy of infected sites and the limited interactions required to infect devices, users are often unsuspecting of drive-by download attacks.
Threat actors take advantage of a website's security flaws through unauthorized downloads, changing lines of code and exploiting zero-day vulnerabilities. They then inject malicious code into the compromised website so that users who visit the infected site expose their devices to malware without downloading anything.
Authorized downloads also occur through compromised websites but are triggered by users interacting with malicious prompts, such as package warnings, pop-up advertisements, security check messages, and even the "X" icon a user might click to close these prompts. Once users click on the malware delivery vector, they unknowingly launch a download on their device and give threat actors access to their systems.
The most common way of enabling drive-by attacks is through bundle wares, additional applications linked to the original software users try downloading. These programs can camouflage malicious applications and are often arranged so that users have few options other than giving access to the malware.
High-Profile Drive-by Download Attacks
Mac Flashback: In March 2012, approximately 600,000 Apple MacBooks were infected with malware. Threat actors infiltrated devices by releasing a WordPress plug-in that discreetly exposed any WordPress-powered website or software to viruses. When visitors interacted with infected pages, they were rerouted to malicious sites controlled by threat actors. The malware's payload took over all advertising on the page, replacing it with ads that generated revenue for the threat actors.
NBC.com Drive-By Downloads: Threat actors infiltrated the NBC website in February 2013, exploiting HTML elements called iframes. By leveraging this component, drive-by downloads of the Citadel Trojan virus were employed, stealing personal and financial information.