eastbaycyber

What Is a Drive-By Download?

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

A drive-by download turns ordinary web browsing into an attack path.

A drive-by download is a malware delivery technique where visiting a malicious or compromised website leads to harmful code being downloaded or executed on a device. In some cases, a drive-by download happens with little or no obvious user consent. In others, the site uses deceptive prompts to trick the user into launching malware that appears to be a normal update, document, or browser action.

If you are comparing related threats, it also helps to read what is malware and what is phishing, since drive-by downloads often overlap with broader malware delivery and social engineering tactics.

How a Drive-By Download Works

A typical drive-by download follows a sequence like this.

1. The User Reaches a Malicious or Compromised Page

The victim may arrive through:

  • a compromised legitimate website
  • malicious advertising, also called malvertising
  • poisoned search results
  • phishing links
  • forum or social media links
  • a watering hole attack targeting specific visitors

In many cases, the initial site looks normal enough that the user does not realize anything is wrong.

2. The Page Profiles the Browser or Device

Once loaded, the page may gather details such as:

  • browser version
  • operating system
  • installed plugins or extensions
  • language and region
  • device type
  • whether security tooling or virtual environments are present

This helps the attacker decide whether the target is likely to be vulnerable and what method to use next.

3. The Site Attempts Delivery

Drive-by download delivery usually falls into two broad categories.

Exploit-Based Delivery

The page attempts to exploit a vulnerability in the browser, plugin, or related component so code can run automatically.

This is the classic drive-by model: the victim loads the page and the exploit does the rest.

Deception-Based Delivery

The page presents a fake but convincing prompt, such as:

  • “Your browser is out of date”
  • “Click to update your video player”
  • “Install this document viewer”
  • “Click Allow to continue”
  • “Security threat detected, download the cleaner”

Here, the user is tricked into approving the next step, but the website visit is still the starting point of the malware infection.

4. Malware Runs on the Device

If the exploit or deception works, the attacker may install:

  • infostealers
  • banking malware
  • remote access trojans
  • ransomware loaders
  • cryptominers
  • downloaders that fetch additional payloads

Sometimes the first file is only a lightweight installer for a larger follow-on compromise.

5. Follow-On Activity Begins

Once the initial payload is active, the attacker may:

  • steal credentials
  • establish persistence
  • contact command-and-control servers
  • download more malware
  • move toward lateral movement or data theft

This is why a drive-by download is often just the beginning of the incident, not the end.

Silent Infection vs. Social Engineering

Not every drive-by download is completely silent.

Historically, the term often referred to web pages that exploited the browser in the background with almost no user interaction beyond loading the page. That still happens, especially when systems are unpatched.

But many modern drive-by scenarios depend more on social engineering than pure browser exploitation. A fake update banner or bogus CAPTCHA may do the work that a browser exploit once did.

Both patterns matter because both turn a routine browsing session into malware delivery.

Why Drive-By Downloads Are Effective

Drive-by downloads remain effective because web browsing is constant, normal, and hard to inspect manually at scale.

Attackers benefit from several realities:

  • users regularly visit unfamiliar sites
  • browser-based prompts can look routine
  • ad networks and redirects create indirect trust
  • one compromised site can expose many victims
  • patch gaps still exist in browsers and plugins

This makes drive-by downloads useful in both large-scale opportunistic campaigns and more targeted attacks.

When You’ll Encounter a Drive-By Download

Drive-by downloads usually appear in a few common security contexts.

During Malware Investigations

Analysts may suspect a drive-by download when the earliest evidence shows:

  • a user visited a suspicious or compromised site
  • a browser launched an unexpected child process
  • malware appeared immediately after a redirect or pop-up
  • a fake update installer was downloaded
  • browsing activity preceded credential theft or endpoint compromise

This is often how web-based malware delivery first becomes visible.

In Browser and Patch Management Discussions

Drive-by downloads are one reason organizations prioritize:

  • browser updates
  • plugin removal
  • operating system patching
  • restrictive software installation controls
  • reduced local administrator access

If the browser is part of the attack surface, patch discipline has a direct effect on exposure.

In Web Filtering and Secure Browsing Programs

The term also comes up when evaluating controls such as:

  • DNS filtering
  • secure web gateways
  • browser isolation
  • content filtering
  • ad and script controls
  • blocklists for known malicious domains

These defenses can help stop users from reaching malicious pages or reduce what those pages are allowed to do.

In Malvertising and Watering Hole Campaigns

Drive-by downloads are especially relevant when attackers compromise places victims are already likely to visit, including:

  • industry websites
  • partner portals
  • community forums
  • popular news sites
  • ad-supported pages

That makes the technique useful even without a direct phishing message.

How to Reduce the Risk of Drive-By Downloads

No single control stops every drive-by download, so defense works best in layers.

Practical steps include:

  • keep browsers and operating systems updated
  • remove unnecessary plugins and extensions
  • use DNS or web filtering
  • restrict unauthorized software installation
  • reduce local administrator privileges
  • train users to distrust fake update prompts
  • use endpoint detection and anti-malware tools
  • isolate risky browsing in higher-risk environments

For individuals and small teams, endpoint protection like Get Malwarebytes → can help detect malicious downloads or follow-on payloads, especially when a deceptive site succeeds in getting a file onto the system. It is not a replacement for patching and safer browsing controls, but it can add a useful defensive layer.

Bottom Line

A drive-by download is a web-based malware delivery method where visiting a page leads to malicious code being downloaded or executed, sometimes silently and sometimes through deception. For defenders, it is a reminder that routine web browsing is part of the attack surface and that browser hardening, patching, filtering, and endpoint protection all matter.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.