Drive-by download refers to the automated download of software to a user’s device without the user’s knowledge or consent. This can occur while the user is browsing a legitimate website, or even through a malicious advertisement displayed on an otherwise safe site.


1: Injection—the attacker embeds or injects a malicious element into a compromised web page. This could be JavaScript code, an iframe, a link, a redirect, a malvertisement (an ad that triggers malicious code when viewed or clicked) or cross-site scripting (XSS).
2: Vulnerability exploits—the user views the page, triggering the malicious element. The element exploits a vulnerability in a part of the software stack on the user’s computer. This could be the browser, browser plugins, the operating system, an archiving tool like WinZIP, a file reader like Adobe PDF, legacy multimedia delivery platforms like Adobe Flash or Microsoft Silverlight, or vulnerabilities in the version of Java installed on the user’s device.
3: Download—the element downloads malicious files silently to the user’s device. In this example, the payload is a Trojan horse. Attackers may use other payloads, as discussed in the following section.
4: Execution—the Trojan horse executes, opening a shell the attacker can use to gain control over the device.
5: Remote control—the attacker gains remote control. This enables them to extract passwords or other valuable data from the user’s device.
6: Lateral movement—the attacker can now use credentials obtained from the user’s device to connect to another, more valuable system, such as a company’s website or network.
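As an added example (not part of the original article), the following Python script illustrates how a defender can check a fetched HTML document for the kinds of injected elements named in stage 1: hidden iframes pointing off-site, redirects via meta refresh or script, and obfuscated inline JavaScript. The sample page, the hostnames, and the heuristic patterns are constructed for illustration and are not drawn from any real incident.

```python
"""Heuristic scan of an HTML page for drive-by injection indicators.

Example code added for illustration: the patterns and thresholds below
are assumptions, tuned for readability rather than coverage.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Styles that hide an element from the viewer (assumed indicator).
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Common building blocks of obfuscated inline scripts (assumed indicator).
OBFUSCATION_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(", re.I)
# Assignment to location (a script-driven redirect); "==" comparisons excluded.
REDIRECT_RE = re.compile(r"(window\.|document\.)?location(\.href)?\s*=(?!=)", re.I)


class InjectionScanner(HTMLParser):
    """Walks tags and script bodies, collecting (kind, detail) findings."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False

    def _is_external(self, url):
        host = urlparse(url or "").hostname
        return bool(host) and host != self.page_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = tiny or bool(HIDDEN_STYLE_RE.search(a.get("style") or ""))
            if hidden and self._is_external(src):
                self.findings.append(("hidden_external_iframe", src))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content") or "", re.I)
            if m and self._is_external(m.group(1)):
                self.findings.append(("meta_refresh_redirect", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        snippet = data.strip()[:60]
        if OBFUSCATION_RE.search(data):
            self.findings.append(("obfuscated_script", snippet))
        if REDIRECT_RE.search(data):
            self.findings.append(("script_redirect", snippet))


def scan_html(html, page_host):
    """Return the list of indicators found in `html` served from `page_host`."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a shop page carrying three injected elements.
SAMPLE_HTML = """<html><head><title>Example store</title>
<meta http-equiv="refresh" content="0; url=http://redirect.example.org/go">
</head><body>
<h1>Welcome</h1>
<iframe src="http://landing.example.net/x" width="1" height="1" style="display:none"></iframe>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"));</script>
<img src="/logo.png">
</body></html>"""

CLEAN_HTML = """<html><body><p>Help</p>
<iframe src="/help" width="300" height="200"></iframe>
<script>if (location.href == "x") { console.log("same"); }</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, "www.example.com"):
        print(f"{kind}: {detail}")
```

The checks are deliberately coarse: a one-pixel iframe or an eval call is not proof of compromise, but on a page that a security tool fetches from a site of questionable reputation, each finding is a reason to block or sandbox the page before a browser renders it.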

The rise of prepackaged drive-by download kits allows hackers of any skill level to launch these kinds of attacks. In fact, these kits can be purchased and deployed without the hacker writing their own code or establishing their own infrastructure for data exfiltration or other abuses. The ease with which these attacks can be executed means that they can come from virtually anywhere.

To be protected against drive-by downloads, regularly update or patch systems with the latest versions of apps, software, browsers, and operating systems. It is also advisable to stay away from insecure or potentially malicious websites. Drive-by downloads have been observed on websites of questionable reputation, and also on reputable websites that have been compromised. A reliable and proactive security solution that actively scans websites can help protect endpoints from drive-by downloads and other cyberattacks.