
Anastasiya Novikava
Copywriter
Anastasiya believes cybersecurity should be easy to understand. She is particularly interested in studying nation-state cyber-attacks. Outside of work, she enjoys history, 1930s screwball comedies, and Eurodance music.
Endpoint security
Summary: Drive-by downloads install malware without user action, often through compromised websites or ads. Prevent attacks with software updates, ad blockers, and malware scanning.
A drive-by download attack can infect a device without a single click: just visiting a compromised website can trigger an infection. Not every campaign is fully silent, though. Cloak ransomware, for example, has been spread through fake Windows update pages that exploit security flaws in the visitor's software.
Understanding how drive-by download attacks work is the first step in preventing them.
A drive-by download attack occurs when a user loads a web page that contains malicious code. No clicks are needed—just visiting the page is enough to trigger an unintentional download. Attackers use hidden scripts and exploit kits to take advantage of security flaws, leading to covert downloads of dangerous software.
Most victims don't realize an attack has happened until the malware is installed and starts causing damage. Web pages built on outdated third-party components (CMS plug-ins, JavaScript libraries, ad tags) are prime targets for the initial compromise. Once the harmful code executes in the visitor's browser, it drops its payload on the endpoint within seconds. Even legitimate, well-known websites become dangerous once they are compromised.
Threat actors design drive-by download attacks to exploit vulnerabilities in browsers, plug-ins, and outdated software. They begin by compromising a website or ad network, planting rogue code that waits for visitors.
Once a user loads the infected web page, the malicious script fingerprints the browser, its plug-ins and the operating system to find a known vulnerability. If it finds one, the exploit kit serves the matching exploit, which runs attacker code in the browser's context and fetches the malware payload without showing any prompt.
The malware installs in the background, often running unnoticed while it steals data or grants cybercriminals remote access. Since this entire process happens without user interaction, infections are difficult to detect before damage occurs.
Anyone browsing the web can be exposed to a drive-by download. However, certain users and organizations face higher risks:
Many drive-by download attacks happen through a silent download: a user visits a compromised website and malicious code runs and installs automatically. Keeping browsers updated and limiting installed plug-ins and third-party software reduces the attack surface these downloads depend on.
Malicious advertising networks, also known as “malvertising,” are a leading source of drive-by downloads. Threat actors inject harmful scripts into legitimate ad networks. When users load these ads, hidden code attempts to download malware. Even trusted websites can unknowingly serve these infected ads.
Cross-site scripting (XSS) lets attackers inject their own script into an otherwise legitimate website that fails to sanitize input. When users visit, the injected script runs in their browser and triggers the unintentional download.
Exploit kits fingerprint a visitor's browser, plug-ins and operating system for known vulnerabilities. Once they find a match, they serve the exploit together with a hidden script that installs the harmful software.
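As an added example (not NordLayer's code or the logic of any real product), the following Python script implements the checks an incident responder runs over a suspect page for the injection vectors just described: hidden or 1x1 iframes pointing at an exploit-kit landing page, loader scripts pulled from a domain the site does not own, and obfuscated inline JavaScript that unpacks itself at runtime. The sample page, the `.invalid` hostnames and the `example.com` site name are all constructed for this example; real campaigns use legitimate-looking hosts, so in practice the offsite-script findings are triaged against an allowlist of known ad and CDN providers rather than treated as verdicts.

```python
"""Scan a web page for drive-by download injection indicators.

Added example, not NordLayer code. Flags three things a responder looks for
in a compromised site's HTML:
  * hidden or 1x1 iframes (the classic pointer to an exploit-kit landing page)
  * script tags loading from a host outside the site's own domain
    (injected loaders such as fake-update scripts and rogue ad tags)
  * inline JavaScript that unpacks encoded data at runtime (eval/unescape/
    fromCharCode/atob over long %XX or \\xNN runs), the usual shape of an
    injected redirector
The sample page and every hostname in it are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page with three injected elements.
SAMPLE_PAGE = """
<html><head><title>Example Corp News</title>
<script src="https://cdn.example.com/site.js"></script>
</head><body>
<h1>Welcome</h1>
<!-- injected: 1x1 iframe pointing at a landing page on another host -->
<iframe src="http://landing.badhost.invalid/in.php" width="1" height="1"></iframe>
<!-- injected: loader script from a third-party host -->
<script src="https://static.updater.invalid/update.js"></script>
<!-- injected: obfuscated inline redirector -->
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29"));</script>
<p>Regular content.</p>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
UNPACKER = re.compile(r"\b(eval|unescape|String\.fromCharCode|atob)\s*\(", re.I)
ENCODED_RUN = re.compile(r"(%[0-9a-f]{2}){8,}|(\\x[0-9a-f]{2}){8,}", re.I)


class DriveByScanner(HTMLParser):
    """Collects (indicator, detail) tuples while parsing one page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._script_body = None  # buffer while inside <script>...</script>

    def _offsite(self, url):
        # Relative URLs and the site's own domain/subdomains are not offsite.
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    @staticmethod
    def _tiny(a):
        # Only count the frame as tiny when both dimensions are present and <= 1.
        dims = [a.get("width"), a.get("height")]
        return all(d is not None and re.fullmatch(r"\s*[01](px)?\s*", d) for d in dims)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            if self._tiny(a) or HIDDEN_STYLE.search(a.get("style", "")) or self._offsite(src):
                self.findings.append(("hidden_iframe", src))
        elif tag == "script":
            if self._offsite(a.get("src", "")):
                self.findings.append(("offsite_script", a["src"]))
            self._script_body = []

    def handle_data(self, data):
        if self._script_body is not None:
            self._script_body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_body is not None:
            body = "".join(self._script_body)
            # Both an unpacker call and a long encoded run: unpack-and-run pattern.
            if UNPACKER.search(body) and ENCODED_RUN.search(body):
                self.findings.append(("obfuscated_script", body[:48]))
            self._script_body = None


def scan_page(html, site_host):
    """Return the list of (indicator, detail) findings for one page."""
    scanner = DriveByScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, "example.com"):
        print(f"{kind:18} {detail}")
```

Run against the constructed page it reports the iframe, the third-party loader and the obfuscated inline script, and nothing for the site's own CDN script. The heuristics are deliberately simple; a production scanner would also follow the iframe and script URLs, compare them to the site's historical resource list, and decode the unpacked payload to see where it redirects.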
Several large-scale attacks highlight how destructive drive-by download attacks can be:
2016 malicious ads on major news sites
In March 2016, attackers pushed malicious ads through the ad networks used by sites such as The New York Times, BBC, and AOL. Just loading these pages exposed users to hidden scripts. Exploit kits, including Angler, scanned for browser vulnerabilities and silently installed ransomware, with no clicks needed.
2016 Chrome on Fedora drive-by download attack
In November 2016, researcher Chris Evans showed how Chrome's default of saving downloads without prompting, combined with Fedora's unsandboxed file indexer "Tracker," enabled silent code execution. Chrome wrote the file to the Downloads folder without asking, Tracker indexed it automatically, and the GStreamer media framework that Tracker used to parse the file had memory-safety flaws in its decoders, so a crafted media file could run attacker code with no user action at all.
SocGholish (FakeUpdates) malware campaign
SocGholish, also called "FakeUpdates," spreads through compromised websites. Users see fake update prompts for their browser or Flash Player. Clicking the prompt downloads the malware, which then runs quietly; unlike a pure drive-by, this variant relies on one click of social engineering. Once inside, it can deliver ransomware, steal data, or open backdoors for future attacks.
Attackers rely on external components, ad networks, and security weaknesses to spread their malware quickly, catching even well-secured organizations off guard.
Preventing these attacks requires a layered security approach. Here’s what helps:
Strong security policies and real-time monitoring help reduce the risk of unintentional downloads.
NordLayer offers advanced security tools to protect against drive-by download attacks. Its real-time malware protection scans files before they reach your system. If it detects a threat, it blocks the file before an infection can occur.
Key features include:
NordLayer also encrypts traffic, keeping data safe whether employees work on-site or remotely. Adding its Download Protection feature gives organizations an extra layer of defense against stealthy cyber threats.