A lot of Exploit Kits (EKs) are commercially available on the dark web. They consist of malicious code that can be embedded in a website. Many Exploit Kits are easy to use (even by cybercriminals with little coding experience). They contain pre-packaged code that seeks to exploit out-of-date browsers, insecure applications, vulnerable services, etc.
 
 
These are used primarily in ‘Drive-by Download’ attacks that target the visitors of a website. When a visitor browses to a site hosting an EK, the Kit uses all of its exploits to attempt to compromise the visitor’s system and install malware, including ransomware, etc. Cybercriminals constantly update their malware to evade detection.
 
A drive-by download attack refers to the unintentional download of malicious code to your computer or mobile device that leaves you open to a cyberattack.
 
These attacks can take advantage of an app, operating system, or web browser that contains security flaws due to unsuccessful updates or lack of updates. Unlike many other types of cyberattack, a drive-by doesn't rely on the user to do anything to actively enable the attack. You don't have to click on anything, press a download button, or open a malicious email attachment to become infected.

How Do Drive-by Download Attacks Happen?

👉 In this type of attack, cybercriminals rely on a relatively small and much more common vulnerability: HTML injection (sometimes referred to as persistent XSS). The attacker abuses the injection vulnerability to add some HTML code to the target application. That HTML code, when rendered by a victim’s browser, would download the actual malware onto the victim’s machine.
 
Common HTML constructs used for this purpose are 'script elements' as well as 'iframe' elements that have their 'src' attributes pointing to the actual server holding the malware. Sometimes, an attacker would use a misleading popup window combined with a button on it to have the helpless victim explicitly invoke the download operation.
 
Most often, this tampering with the website or web app is not visually apparent to visitors, so innocent victims are unaware of the background download operation. If any warning appears, it is usually dismissed since victims believe it to be part of the original application. The malware is usually Trojan horse software that takes control of the victim’s machine, making it part of a larger botnet.
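Because the tampering is invisible to visitors, a site owner can check rendered pages automatically for the constructs described above. The following is an added example, not code from the original article: it flags 'script' and 'iframe' elements whose 'src' points at a host outside an allowlist and marks hidden frames. The host names, the allowlist and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site is expected to load active content from (assumed values).
ALLOWED_HOSTS = {"forum.example", "cdn.forum.example"}

# Constructed sample of a rendered page; the .invalid hosts are placeholders.
SAMPLE_PAGE = """<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.forum.example/lib.js"></script>
<div class="post">Nice thread!
<iframe src="http://files.invalid/landing" width="0" height="0"></iframe></div>
<script src="//widgets.invalid/counter.js"></script>
</body></html>"""

class ActiveContentAudit(HTMLParser):
    """Collect <script>/<iframe> tags whose src points at an unexpected host."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = set(allowed_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        # hostname is None for relative URLs and tags without src; not checked here.
        host = urlparse(a.get("src", "")).hostname
        if host is None or host in self.allowed:
            return
        style = a.get("style", "").replace(" ", "").lower()
        # Zero-size or CSS-hidden frames are invisible to visitors.
        hidden = tag == "iframe" and (
            a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"tag": tag, "host": host, "hidden": hidden,
                              "line": self.getpos()[0]})

def audit_page(html_text, allowed_hosts=ALLOWED_HOSTS):
    parser = ActiveContentAudit(allowed_hosts)
    parser.feed(html_text)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE):
        print(finding)
```

Run against pages as they are served (after database content and widgets are merged in), since that is where injected markup shows up.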
 
👉 Another of the most common methods employed so far by hackers to launch drive-by download attacks is SQL injection. Attackers craft a SQL injection attack that injects HTML code into database rows and columns that are later used in the construction of the application's HTML pages.
 
For example, in a forum application where user posts as well as user details are kept in a database an attacker can infect the forum with malicious HTML code. All posting records as well as the names of the users who made the posts are in jeopardy.
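For the forum case above, two controls work together: parameterized queries so that user input cannot change the SQL statement, and output encoding so that markup which reaches a database row is displayed as text instead of being rendered. This is an added sketch, not code from the original article; the `posts` table, the function names and the sample values are assumptions made for illustration.

```python
import html
import sqlite3

def open_forum_db():
    # In-memory database standing in for the forum's real store (assumed schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return db

def add_post(db, author, body):
    # Placeholders keep user input out of the SQL text, so quotes or SQL
    # keywords in `author` or `body` are stored as data, never executed.
    db.execute("INSERT INTO posts (author, body) VALUES (?, ?)", (author, body))
    db.commit()

def render_thread(db):
    # Encode on output: every database field is treated as untrusted text,
    # so HTML that reached a row by any route is shown, not rendered.
    rows = db.execute("SELECT author, body FROM posts ORDER BY id").fetchall()
    items = [
        f"<li><b>{html.escape(author)}</b>: {html.escape(body)}</li>"
        for author, body in rows
    ]
    return "<ul>\n" + "\n".join(items) + "\n</ul>"

def demo():
    # Constructed inputs: a name containing a quote and a body containing markup.
    db = open_forum_db()
    add_post(db, "O'Brien", "Welcome to the forum")
    add_post(db, "guest", '<iframe src="http://files.invalid/landing"></iframe>')
    return db, render_thread(db)

if __name__ == "__main__":
    print(demo()[1])
```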
 
👉 Third-party components used in websites may also act as a conduit for drive-by download attacks. A website may reference a widget without knowing that the specific widget contains, either intentionally or not, malicious script. A large number of such vulnerabilities are frequently found in the components/plugins for WordPress, Joomla, Drupal, etc.
 
👉 Another example is that of advertisements which contain some malicious code. Once the victim’s browser fetches the advertisement, it unknowingly also fetches the corresponding attacker’s code, as was the case for Major League Baseball’s website in early 2009. Hiding such defective code within advertisements has become common enough practice to earn the nickname “Malvertisements”.

Drive by downloads are designed to breach your device for one or more of the following:

  • Hijack your device — to build a botnet, infect other devices, or breach yours further.
  • Spy on your activity — to steal your online credentials, financial info, or identity.
  • Ruin data or disable your device — to simply cause trouble or personally harm you.

Without proper security software or fixes for your vulnerabilities, you could become a victim of a drive by download attack.

How Can Web Administrators Prevent Drive-by Download Attacks?

As a website administrator/owner, you are the first line of defense between your users and the hackers that target them. To give yourself and your users peace of mind, strengthen your infrastructure with these tips:
  1. Keep all website components up to date. This includes any themes, addons, plugins, or any other infrastructure. Each update likely has new security fixes to keep hackers out.
  2. Remove any outdated or unsupported components of your website. Without regular security patches, old software is perfect for fraudsters to study and exploit.
  3. Use strong passwords and usernames for your admin accounts. Brute force attacks give hackers an almost instant break-in for default passwords, or weak ones like “password1234.” Use a password generator alongside a password manager to stay safe.
  4. Also change the default URL used to access the 'Administrative' interface. This will prevent many brute-force attacks from happening.
  5. Install protective web security software into your site. Monitoring software will help keep watch for any malicious changes to your site’s backend code.
  6. Consider how your advertisement use might affect users. Advertisements are a popular vector for drive by downloads. Be sure your users aren’t getting recommended suspect advertisements.

Let us consider a real-life and very powerful drive-by download attack that was reported by Microsoft on 10-Dec-2020.
 
A persistent malware campaign has been actively distributing an evolved browser modifier malware at scale since at least May 2020. At its peak in August, the threat was observed on over 30,000 devices every day. The malware is designed to inject ads into search engine results pages. The threat affects multiple browsers—Microsoft Edge, Google Chrome, Yandex Browser, and Mozilla Firefox—exposing the attackers’ intent to reach as many Internet users as possible.
 
We call this family of browser modifiers Adrozek. If not detected and blocked, Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert additional, unauthorized ads into web pages, often on top of legitimate ads from search engines. The intended effect is for users, searching for certain keywords, to inadvertently click on these malware-inserted ads, which lead to affiliated pages. The attackers earn through affiliate advertising programs, which pay by amount of traffic referred to sponsored affiliated pages.
 
IMPORTANT:
The given graphics give a glimpse of how this attack works. Kindly spend a little time reflecting on them!
Guys, what is your considered opinion about Drive by Download attacks?
Please let me know your thoughts in the comment section.
 
 

This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on the website and on social media platforms.

30,000+ professionals follow her on Facebook and are mesmerized by the quality of the content of her posts.
