Drive-by download attacks, as they are sometimes called, rely on the same basic principles of phishing and discreetness as conventional cyber-attacks. The term describes the unauthorized installation of dangerous software on the computer of an unsuspecting victim by attackers posing as legitimate service providers. The method has gained notoriety over the years because it is relatively easy to execute and comes with a near-perfect cover of legitimacy.
Attackers take advantage of a loophole in a legitimate web application, preferably one that is an authority in its niche. After compromising the site, they lure unsuspecting users to a link that automatically installs malware on their devices.
In most cases these users cannot protect themselves, because they have no idea that anything has happened in the first place. Drive-by attacks, like all other attacks on the integrity of a site, endanger both the reputation of the organization and the privacy of its users.
It is important to know that these attacks are not usually carried out through shady-looking web applications, contrary to what attackers want users to believe. In most instances attackers exploit a security weakness in a highly trusted web application, because it is easy to redirect people to booby traps placed on such sites.
Furthermore, these installations happen without the prior knowledge of the victim, and sometimes even of the web application's administrators. In the other possible scenario, the malicious code is installed under the guise of an apparently necessary or made-up fix: the user is deceived by the surface value of the offer and is exposed to the attackers.
Primarily, a drive-by attack is geared towards:
- Infiltrating a trusted web application and, through it, the devices of its users.
- Taking control of the devices of those who fall for the booby trap.
- Monitoring and stealing very sensitive user data. Depending on the aim and scope of the attack, the attackers may go as far as impersonating the user.
- Using the gathered information to cause damage to the victim (especially considering the power of data today).
To gain a proper understanding of this type of attack, let's examine its modus operandi: the technical and not-so-technical aspects of a drive-by attack.
How Does A Drive By Download Attack Work?
In summary, drive-by download attacks are achieved by:
- Injecting dangerous elements through the various entry points of a website, for example by cross-site scripting with JavaScript code injected into the page.
- Taking advantage of design loopholes in the target web application.
- Hiding the malware inside the website's legitimate service, as in a basic social engineering attack. For instance, the attacker may offer users free PDFs or similar gimmicks.
- Opening a channel of full access to the victim's device once they fall for the bait and download the malware.
- Taking remote control of the victim's private data.
- Using the victim's data to reach other targets (usually bigger and more complex ones).
As mentioned earlier, there are two major ways in which attackers gain access to victims' devices:
- Unsuspecting users give authorization without proper knowledge of the implications. These attacks are carried out using bait (it may be a fix for a made-up problem).
- Victims are totally unaware of, and are never notified about, the existence of any malware. This is the primary mode of operation of hackers who use drive-by attacks.
To achieve the above, the hackers carry out a series of operations that differ with their preferred means of infiltration. Let's look at the methodology in each of the two cases.
Authorized Downloads Without Prior Knowledge Of The Full Implications
In this approach,
- The hacker develops some sort of vehicle to deliver the malware to the general user population, for example through adverts or software applications. The method is simple: they infect a trusted website with the malware and use social engineering to bait users. The unsuspecting user sees bundleware, a pop-up, an advert, a security check notification or the like. Bundleware is the most common method of authorized drive-by attacks: external programs attached to the original software the user wants to download.
These programs may conceal the malicious program, or they may be corrupted applications themselves. Bundleware is usually positioned so that the user has little option other than granting download access to the malware. Common examples include applications strategically placed on opt-out routes when users download another application or attempt to leave the website.
Furthermore, attackers use clickbait, fake messages, security alerts, reward sites and other common phishing methods to lure the user to the malware download site. All of this is executed under the guise of legitimacy.
- The hacker then proceeds to hijack the victim's data, device, identity and information flow. Once a user comes into contact with the malware delivery vector, interacts with it and (whether advertently or inadvertently) grants it access to his or her device, that user becomes vulnerable. As soon as the malware installs on a device, the hacker gains access to all of the user's private data and can use, alter or manipulate it at will. Skilled hackers do this discreetly enough that neither the users nor the administrator suspects criminal involvement.
Totally Unauthorized Malware Download
In this approach,
- The hacker leverages the security inconsistencies of a website and plugs in the malicious software, in most cases by editing the original code written by the developer. It is common knowledge that developer technology, like any other human-designed system, has its own flaws. Hackers pinpoint which flaws are unique to a specific application and use that spot to insert the booby trap for unsuspecting users.
- In more complex attacks, hackers use software known as exploit kits. Exploit kits are designed to identify even the minutest security flaw in an application's design and slip past it without being noticed in any way. They achieve this with the same technology used to build most software: code. The kit's code focuses on finding even the slightest defect in pre-written code, exploring it, and exploiting it as the entry point for introducing the malware.
These kits cannot be escaped, regardless of the sophistication of the developer technology. Some security loopholes are very hard to avoid; they are bound to happen when a developer uses a certain kind of technology, and these are described as zero-day exploits. They cannot be fixed outright, but they can be managed to reduce susceptibility to attack. Of course, not all security flaws are predetermined by the design; known exploits are flaws whose fixes have already been worked out with the current strength of the cyber-security field.
- In this case the hacker only needs to compromise the web application. Users naturally fall victim and are exposed to the malware as soon as they access the URL of the compromised site. The hacker then hijacks the victim's data and uses it for whatever end they have in mind.
Types of Drive By Download Attack
They can be classified by the level of threat they pose to the web application or its users:
- The potentially unwanted program: this type of drive-by download does not pose any serious threat to the users of the web app's service. It is less common, and in the worst case it is adware.
- Attacks loaded with malware.
Different Types Of Payloads Delivered By Drive By Attack
These attacks are used to introduce various kinds of malware onto the victim's computer, including:
- Droppers, designed to introduce more malware later.
- Trojan horses, for remote control and manipulation of user data.
- Man-in-the-middle tools, which allow attackers to spy on and listen in on communication between users and the parties they share private data with.
- Keyloggers, used to capture sensitive data, especially passwords and PINs.
- Ransomware, which allows attackers to remotely destroy the victim's data or encrypt it.
- Botnets, payloads used mainly for DDoS attacks or for lateral movement. They target other websites, network systems, computers or a central server with spam mail and unwanted traffic.
Ways Of Avoiding These Attacks
Protection against this sort of cyber-attack should come from two ends: the web developer or security administrator, and the users.
On the part of the web developer or security administrator, you should:
- Update all the features and components of your website that may serve as entry points for external alteration, for example plug-ins and themes.
- Remove any non-functional or outdated component of your web application. Some components become obsolete as the site evolves; as an admin, be sure to remove them.
- Make sure administrator account passwords are strong enough, and be careful not to hint at or expose them.
- Use security software that lets you monitor activity and data flow on your website. In addition, use a firewall to prevent exploitation of your site's backend.
- Be on the lookout for adverts and the effect they may have on user privacy. Security should be a major factor in your ad control, since advertising can turn your website into a vehicle for attacks.
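As an added illustration of the monitoring point above (this is example code, not code from the original article), here is a small Python integrity check an administrator can run over the site's own HTML to flag the kind of injected elements drive-by attacks rely on: script or iframe sources outside an allowlist, hidden iframes, and inline scripts built with eval/unescape. The allowlist, the hostnames and the sample page are all constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: origins this site legitimately loads scripts/frames from.
ALLOWED_ORIGINS = {"www.example.com", "cdn.example.com"}

class InjectedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # list of (kind, detail) tuples worth a human look
        self._in_script = False  # True while inside an inline <script> body

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if src:
            host = (urlparse(src).hostname or "").lower()
            if host not in ALLOWED_ORIGINS:
                self.findings.append((f"external_{tag}", src))
        elif tag == "script":
            self._in_script = True  # inline script: inspect its body in handle_data
        if tag == "iframe":
            style = (attrs.get("style") or "").replace(" ", "").lower()
            if any(m in style for m in ("display:none", "width:0", "height:0")):
                self.findings.append(("hidden_iframe", src or "(no src)"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Obfuscation helpers commonly seen in injected loaders.
        if self._in_script and ("eval(" in data or "unescape(" in data):
            self.findings.append(("obfuscated_inline_script", data.strip()[:60]))

def scan_html(html):
    """Return the list of suspicious findings for one HTML document."""
    scanner = InjectedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: one legitimate script plus two injected elements.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script>eval(unescape("%61%6c"));</script>
</head><body>
<iframe src="http://bad.example.net/x" style="width:0;height:0;display:none"></iframe>
</body></html>"""
```

Running scan_html(SAMPLE_PAGE) returns three findings (the obfuscated inline script, the external iframe and the hidden iframe) and nothing for the allowlisted script; feeding it the HTML of each published page on a schedule and diffing the result against the previous run turns it into a simple change monitor.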
On the part of the users of a web application, you should:
- Update your device OS and web browser regularly. These updates usually contain security patches and loophole fixes.
- Be wary of too many plug-ins and external programs. The more of these you keep on your device, the more exposed you are to cyber-attacks in general.
- Only install programs through your computer's administrator account. That way, you are less likely to install an application without your knowledge and approval.
- Use a security solution in your web browser. Such software automatically detects malware, calls your attention to it and removes it from your device.
- Be careful which security messages you approve on the web. Read the conditions properly and understand the implications; if in doubt (for instance because the conditions are unclear), do not click the pop-up.
- An ad blocker does you great service by blocking unwanted ads that may be malware vectors.
These attacks are infamous for the total control they grant to cybercriminals. As a web developer or administrator, take your security seriously across the board; after all, the attack is carried out using the conventional tricks of web loophole exploitation. Vigilance on the part of users and administrators is really all there is to it.