A MALWARE is any malicious code that is executed on a victim’s device with various payloads, corresponding to its objectives: banking trojans, keyloggers and backdoors, ransomware, file infectors, network worms, data miners or bots that are making your device part of a large botnet.
In this case we are referring to drive by download and install of malware by e-mail and here the infection vector is always an unsolicited message conducting to Drive-by Downloads of malware via malicious URL-s. This attack vector, that is very similar to phishing attacks, is using the social engineering with the objective to trick the user to click on malicious URL-s contained in the message, leading to the download of the malware or some of its components. The social engineering technique is very important and has various formats:
Messages coming from social networks pretending to validate your account, or inviting you to see a new post or a new photo. Most used networks are Facebook and LinkedIn, but also dating and socialization platforms like Snapchat, Match, OkCupid, EliteSingles, GetItOn, Passion.com or FriendFinderX.
Messages that come apparently from retail chains, e-tailers or special offers and discounts platforms, pretending to offer a special offer for a limited time, or limited stock.
Messages pretending to come from attractive women in the nearby, or from Russia, China, Japan etc. looking for a sentimental relationship and inviting to see their profile or photos.
Messages coming from your bank or other known bank claiming that they want to validate your account, or that you have received a money transfer, or that there have been some unusual transactions performed from your account.
The malicious URLS, in any of these cases, lead you to websites containing infected web objects that are modified Java scripts, ActiveX, Download&install plugins or even more sophisticated tools. In this case the user has little interaction, the attackers taking advantage of the user naivety but also of vulnerabilities in various applications we are using daily: browsers, Java machine, Adobe Flash Player or Reader etc. When the user interaction is needed the webpages are displaying messages that inform you that a browser extension or add-on needs to be installed, or that there is a software that is needed to visualize some active content and is missing. In some cases, the attack is so advanced that the executable is very similar in name and is eventually signed with a certificate that is either fake or expired, or even a valid certificate.
Prevention Tips and Advice
Although the sophistication and creativity of the attackers is considerable, there are several simple tips that you may consider to avoid most of the trouble that may be caused by the installation of malware by the “Drive by” methods:
Treat cautiously the unsolicited messages and as a rule of thumb, don’t open them unless you are certain 100% that they are legitimate.
If you receive unsolicited messages pretending to come from social networks informing you about a new post of photo, you can access the respective social networks by using their mobile apps or by manually TYPING their address in the browser and entering that way, avoiding clicking on URL-s in messages.
When you receive special offers from retailers, validate them in browser by manually entering your account and checking whether they are real.
All the messages coming from your bank or other financial services should be taking care with special attention. Please use as much as possible the manual access in a secure browser instance, in place of clicking on URL-s or checking e-mail attachments.
When you receive messages containing URL-s you can always check the URL structure and real Internet address at mouse over (when you pass with the mouse over it). Be careful as the attackers are using very similar names or trick you by using numbers (ex: Cit1Bank, or Micros0ft, or Gogle/Gooogle, or Aple, or 1NG Bank). Also, be careful at the URL structure – for example, while https://authentication.mybank.com is a subdomain of MyBank, a construction like https://authenticationservice.com/MyBank/ is a subdomain of authenticationservice.com.
Please maintain your browser and its extensions and add-ons permanently up-to-date from their respective official sources. Please don’t trust all the messages asking you to download add-ons and other executables and never use the RUN option, better download and scan the file instead. If a page is telling you that you need to install an add-on or browser extension, please try to get the original file from their official vendor and check whether they are signed and the certificate is valid.
There’s no reason to postpone training your employees
Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.