Drive-By Download Attacks are when an attacker can get a user to download software by simply visiting a website. The user only has to "drive-by" for the download to take place.
There are many channels for distributing drive-by downloads. Online advertising networks were once the most popular: an attacker would sneak a malicious ad into an ad network, and the network would then distribute it across reputable, high-traffic sites. Starting around 2012, additional quality controls were put in place to make this more difficult, but sites which serve lower-quality ads with less quality control still exist. Often these attacks begin with a pop-up window telling the user that a virus has been detected on their computer and offering to perform a free virus scan. Another popular way to bring in victims is to send out phishing emails with links to attacker-controlled websites.
The most dangerous type of distribution is from third-party websites which have been compromised by attackers and perform drive-by downloads on all of their visitors.
Once a working exploit has been identified, the malicious site can use it to force the user's browser to download a malware "payload". The payload might display ads in the user's browser, make their computer part of a botnet, log keystrokes or steal credentials, hijack banking sessions, install ransomware, or install a backdoor to allow the attacker future access.
In March 2012, attackers created a plugin for use with WordPress blogs which secretly opened up any blog that installed it to malware infection. Any user who visited an infected blog was redirected to an attacker-controlled website. The malicious site first attempted a drive-by download using exploits for the Mac operating system. If the drive-by download failed, it displayed a screen asking the user to install fake Apple software (which also downloaded the same malware). The payload was malware which infected the user's browser and replaced any web ads on the page with ads which would make money for the attacker. (Relatively harmless considering what it could have done instead.) The attack was successful in infecting an estimated 600,000 Macs.
In February 2013, attackers compromised the NBC.com website and used iframes to serve drive-by downloads of the Citadel Trojan malware, which steals personal and financial information. While investigating and recovering from the security breach, NBC discovered that their web servers were also providing drive-by downloads of the ZeroAccess malware, which modifies search results to generate pay-per-click ad revenue.
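The injected-iframe technique described in the NBC.com incident above is something a site owner can check their own pages for, since such frames are typically sized or styled to be invisible and point off-site. The following is an added example, not code from the article or from either incident; the sample HTML and the ads.example-bad.invalid host are constructed placeholders, and audit_html / IframeAuditor are names chosen here.

```python
# Added example (not from the article): flag hidden or off-site <iframe> tags of the
# kind injected into compromised pages. Sample HTML and host names are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_tiny(value):
    """True for a width/height of 0 or 1 px, a common way to keep a frame unseen."""
    digits = "".join(ch for ch in (value or "") if ch.isdigit())
    return digits != "" and int(digits) <= 1


class IframeAuditor(HTMLParser):
    """Collect every <iframe> in the page and record why it looks suspicious."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero/tiny size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.site_host:
            reasons.append("off-site src " + host)
        if reasons:
            self.findings.append((src, reasons))


def audit_html(html_text, site_host):
    """Return [(src, reasons), ...] for suspicious iframes; empty list if clean."""
    parser = IframeAuditor(site_host)
    parser.feed(html_text)
    return parser.findings


# Constructed sample: one legitimate same-site embed and one injected-style frame.
SAMPLE_PAGE = ('<html><body><iframe src="https://www.example.com/player" width="640" height="360"></iframe>'
               '<iframe src="http://ads.example-bad.invalid/x.php" width="0" height="0" style="display:none"></iframe></body></html>')

if __name__ == "__main__":
    for src, why in audit_html(SAMPLE_PAGE, "www.example.com"):
        print(src, "->", ", ".join(why))
```

Run it over saved copies of your own pages; a frame that is tiny, CSS-hidden, or pointing at a host you do not recognise is worth investigating even when nothing else on the page looks wrong.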
Users should not be logged into their computers as admins. This is an example of the Principle of Least Privilege: a user does not need admin permissions for most tasks. Running without admin rights limits the read, write, and execute permissions available to malware and confines any damage to the user's own account.
Because drive-by downloads put viruses and malware on a computer, an anti-virus program can help to detect and neutralize the threat if the download succeeds.