The Dangers of Drive-By Download Attacks
Drive-by downloads are harmful pieces of software that are downloaded to an endpoint device as a result of visiting a compromised web page or opening an HTML-based email that links to such a website. The download happens without the consent or knowledge of the user.
Users mainly fall victim to drive-by download attacks because they are unaware of how the attack works. A drive-by download attack executes in five steps:
1. The point of entry – The attack enters an endpoint through a malicious website.
2. Distribution – The website redirects the browser to further illegitimate websites.
3. Exploit – The browser lands on a site hosting an exploit kit, which examines your OS, web browser, and other software to find a vulnerability to exploit.
4. Infection – Once the exploit kit finds a vulnerability, it downloads malware known as the payload. The payload installs itself on your system, initiating the infection.
5. Execution – In the final stage, the malware runs and tries to extort money from the victim.
Drive-by downloads work by misusing vulnerabilities in plug-ins, web browsers, or other components that run inside browsers, and they can compromise a system quietly in several ways.
Cruising the web: While browsing, you may come across an interesting-looking website and innocently click on it, unaware of what it really is. The automatic download it triggers releases malware and infects your system. The site may have been set up by cybercriminals specifically to infect visitors' systems with malware, or it may be a legitimate website that cybercriminals compromised through existing vulnerabilities in the site.
Only visit websites you trust.
Advertising networks – Advertising networks, or malvertising, are another common way drive-by downloads are spread. Web advertisements are delivered as third-party content to the website that displays them, so even if the web page itself contains no exploits, unsafe ad content puts that website's visitors at risk. The growing use of ad syndication raises the chance that insecure content is inserted somewhere along the chain, which leads to web pages serving advertisements from unreliable sources. In effect this is a platform for distributing malware: criminals get their content onto websites with a huge visitor base without having to compromise a single web server.
The first drive-by download instance was aimed at Spotify. An exploit kit named 'Blackhole' was used, and a user did not have to click on an ad for the malware to infect the system. In the past, the New York Times and the online ad networks of the big tech giants Google, Yahoo, and Microsoft have also fallen victim to drive-by download attacks.
Enable click-to-play for plug-ins in your web browser. If a website contains a Flash or Java object, it will not run until you click it.
Plug-ins – Besides targeting the web browser itself, an attacker can exploit security weaknesses in the plug-ins that extend browser functionality to conduct drive-by download attacks. Many attacks generate pop-up messages from Java requesting consent to execute a malicious Java file, and users often find it difficult to identify which window created the pop-up. If they accept the request, the payload malware executes and does its work in seconds.
Be sure to keep your software up to date, including Oracle Java, Adobe Acrobat, and Flash.
Security patches – Many drive-by download attacks are launched right after new security patches are released for common applications such as Adobe's Acrobat PDF reader and the Java platform. Once a vendor releases a patch, attackers study the fix to work out which vulnerability it covers, and then target that vulnerability on systems that have not yet applied the patch. Users who do not update their software promptly have their systems compromised by malware. Java remains popular with cybercriminals because many users neglect to update the Java Runtime Environment (JRE) installed on their systems.
Patch your endpoints regularly.
Drive-by downloads can launch an attack without warning, and not every attack is preventable. Security researchers discover drive-by downloads by keeping track of web addresses that have a history of malicious or suspicious behavior. If a web page starts a download when it is opened on a test computer, the site is most likely risky. For these tests, links in spam emails and other communications serve as source lists.
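The five-step anatomy above (landing page, redirects, exploit kit, payload) and the detection approach just described both leave a recognisable trail in web-proxy logs. The script below is an added example, not code from the original article or from any product it mentions: it parses a small constructed proxy log, reconstructs each client's browsing chain, and flags binary downloads that arrive within seconds of a page load via redirect hops, from a host other than the landing page, or from a host on a reputation list. The log format, the host names, the KNOWN_BAD_HOSTS set and the ten-second threshold are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Content types that indicate a binary payload rather than a page or asset.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msi",
                    "application/octet-stream", "application/java-archive"}
# Hosts with a history of hosting exploit kits. Constructed placeholder for this
# example; a real deployment would load a maintained reputation feed instead.
KNOWN_BAD_HOSTS = {"kit.example"}
# A payload arriving this soon after the landing page is rarely a deliberate click.
MAX_SECONDS = 10

# Constructed proxy log (not a real capture). Whitespace-separated fields:
# client ip, timestamp, method, url, status, content type, referer ("-" if none).
SAMPLE_LOG = """\
10.0.0.5 2024-01-01T10:00:00 GET http://news.example/article.html 200 text/html -
10.0.0.5 2024-01-01T10:00:01 GET http://ads.example/serve?id=7 302 text/html http://news.example/article.html
10.0.0.5 2024-01-01T10:00:01 GET http://redir.example/go 302 text/html http://ads.example/serve?id=7
10.0.0.5 2024-01-01T10:00:02 GET http://kit.example/gate.php 200 text/html http://news.example/article.html
10.0.0.5 2024-01-01T10:00:03 GET http://kit.example/payload.exe 200 application/x-msdownload http://kit.example/gate.php
10.0.0.6 2024-01-01T10:05:00 GET http://vendor.example/download.html 200 text/html -
10.0.0.6 2024-01-01T10:05:20 GET http://vendor.example/installer.msi 200 application/x-msi http://vendor.example/download.html
"""


@dataclass
class Entry:
    client: str
    ts: datetime
    url: str
    status: int
    ctype: str
    referer: str

    @property
    def host(self):
        return urlparse(self.url).hostname or ""


def parse_log(text):
    """Turn the constructed log format into Entry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, ts, _method, url, status, ctype, referer = line.split()
        entries.append(Entry(client, datetime.fromisoformat(ts), url,
                             int(status), ctype, referer))
    return entries


def find_drive_by_chains(entries):
    """Walk each client's requests in time order and report binary downloads
    that follow the landing page -> redirects -> payload shape."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e.client].append(e)

    findings = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e.ts)
        landing = None   # last top-level HTML page the user navigated to
        hops = []        # 3xx responses seen since that landing page
        for e in events:
            if e.status == 200 and e.ctype == "text/html" and e.referer == "-":
                landing, hops = e, []          # step 1: point of entry
                continue
            if landing is None:
                continue
            if 300 <= e.status < 400:
                hops.append(e)                 # step 2: distribution redirects
                continue
            if e.ctype not in EXECUTABLE_TYPES:
                continue                       # ordinary page or asset
            # step 4: a payload arrived; decide whether it looks unsolicited
            reasons = []
            if hops:
                reasons.append(f"{len(hops)} redirect hop(s) before the download")
            if e.host != landing.host:
                reasons.append("payload served from a different host than the landing page")
            if e.host in KNOWN_BAD_HOSTS:
                reasons.append("payload host has a history of malicious behaviour")
            elapsed = (e.ts - landing.ts).total_seconds()
            if reasons and elapsed <= MAX_SECONDS:
                findings.append({"client": client, "landing": landing.url,
                                 "payload": e.url, "hops": len(hops),
                                 "elapsed_seconds": elapsed, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_drive_by_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['client']}: {f['landing']} -> {f['payload']} "
              f"({f['hops']} hops, {f['elapsed_seconds']:.0f}s)")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the constructed log, the script flags only the first client, whose landing page led through two redirects to an executable from a listed host three seconds later; the second client's installer, fetched from the same host twenty seconds after the page load with no redirects, is left alone. The three reasons are deliberately kept separate so that an analyst can see which part of the chain tripped the heuristic and tune each threshold independently.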
– Rini Thomas