This is Not a Drive-By

How do computers get viruses?  There are two prerequisites.  First, the computer has to be vulnerable to the virus, usually because the owner hasn’t kept it updated and/or installed antivirus software.  We’ll discuss that in a future update.  For now we’ll focus on the second prerequisite: someone or something needs to install the virus onto the vulnerable computer.  

Drive-by downloads

The most common way for attackers to accomplish this is through what’s called a “drive-by download”, which is when the attacker downloads malware onto your computer either without your knowledge or with your unwitting permission.  Once malware is loaded onto your computer, the attacker can use it to steal information, activate your camera and microphone, or attack third parties.

There are three primary ways that attackers can stage a drive-by download.  The first is through social engineering: tricking the user into clicking on a link or visiting a website that has been weaponized to download malware.  Maybe it’s an email pretending to be from a friend or from a store you do business with, or maybe it’s just an interesting looking article or survey on social media. Either way, once you click, you’re in trouble.

The second source of drive-by downloads is what’s called malvertising.  Most websites make their money by selling ads, and sites have differing levels of rigor in reviewing the ads they serve up.  It’s relatively easy for attackers to pay a few dollars to a website to “advertise” something, when in fact that advertisement will download malware to every vulnerable computer that visits the site.

Finally, attackers can plant malware on websites themselves.  Every image or calendar pop-up on a website could theoretically contain a script that an attacker has planted to download malware onto users’ computers.

What can you do?

There are lots of things you can do to reduce the risk of drive-by downloads significantly.

  • Be careful what sites you visit.  As a general (but not absolute) rule, major sites do a better job vetting advertisers and developing their sites in ways that make it hard for attackers to plant malware.  Don’t click on links unless you need to.  Clickbait sites (lists of 10 trivia facts, for example) are particularly troublesome: they depend on ad revenue for their existence, and as such aren’t careful about their ads.
  • Keep your anti-virus current and patch your machines often (or set them to auto-patch).  We take care of your FIT machines for you in the background, but your personal machines should be cared for as well.
  • Don’t jailbreak your phone, and only load apps from reputable app stores.  (If you don’t know what this is, good!)  It’s very hard for attackers to load malware on a phone that is running legit versions of the operating system using proper app stores. To learn more, please visit our post Keep your Data Private by Managing Permissions Like a Pro.
  • Don’t log on to your computers with accounts that have admin rights.  A lot of malware can’t install if the user isn’t an administrator of the computer.  We have been removing admin rights from most users at FIT, and our virus infection rates have gone down dramatically.  On personal computers, you can create an account for your daily use that is not an administrator, and create a separate account to use only when you need to install something.

While super-sophisticated attacks may avoid even the best defenses, those are actually rare.  In the vast majority of cases drive-bys can be prevented with a few basic steps.

About Cybersafe

The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit fitnyc.edu/cybersafe and stay tuned for emails from [email protected] for the latest from the Cybersafe campaign at FIT.

-Walter Kerner

Assistant Vice-President and Chief Information Security Officer