A drive-by download is exactly what it sounds like — malware that lands on your machine while you are simply driving by, scrolling through what looks like an ordinary web page. No download dialog. No "Are you sure?" prompt. No file you remember opening. You visited the page, the browser rendered it, and somewhere in those few seconds your computer was compromised.

Drive-by downloads are the silent half of the malware delivery world. The loud half — phishing emails, malicious attachments, fake software cracks — requires you to take an action: open the attachment, click the link, run the installer. Drive-by downloads need none of that. In their purest form, the browser's own rendering of the page is enough to trigger code execution on your system. They are the reason "I didn't click anything" remains the most common (and most truthful) statement from people who walk into our shop with brand-new infections.

This article covers what a drive-by download actually is, the two main categories that exist today, the technical anatomy of an attack, the most common modern delivery vectors (you'll be surprised which mainstream sites have hosted them), what gets installed when the attack succeeds, how to recognize you've been hit, and how to clean up afterwards. Both Windows and macOS are covered — drive-bys are not a Windows-only problem, despite that common misconception.

The legitimate-site problem. Most drive-by downloads in the past decade have not been hosted on shady-looking websites. They have been hosted by malicious advertisements ("malvertising") served inside ad networks on perfectly mainstream sites — major news outlets, weather portals, sports sites, recipe blogs, even the New York Times. Visiting a "safe" site does not mean safe content was rendered. The ad network is a third party that the host site does not control.

Threat Profile at a Glance

Drive-By Download — Attack Profile
Attack category: Browser-based malware delivery (client-side)
Required user action: Authorized variant: a single misleading click. Unauthorized variant: none — just visit the page.
Primary delivery vectors: Malvertising · compromised legitimate sites · fake software-update prompts · "ClickFix" social-engineering pages · poisoned search results (SEO poisoning) · malicious browser extensions
Platforms affected: Windows (PC), macOS, Linux, Android, iOS — every OS with a browser; payloads are platform-specific
Browsers historically exploited: Internet Explorer, Edge (Legacy), Firefox, Chrome, Safari — plus plug-ins: Adobe Flash, Java, Silverlight, QuickTime, PDF readers
Typical infection time: 2 – 10 seconds from page load to payload execution
Persistence after success: Same as any other malware — registry/launch-agent persistence, scheduled tasks, browser extensions, kernel drivers
Common payloads: Information stealers · ransomware · banking trojans · remote-access trojans · cryptominers · adware · botnet clients
Visible warning signs: Browser briefly redirects through unfamiliar domains · new tab opens and closes · sudden CPU/disk spike · browser becomes unresponsive for a few seconds · fake update prompt appears
Detection difficulty: High — modern drive-bys often complete with no visible artifact during the page load

The Two Types of Drive-By Downloads

The term covers two technically distinct attacks that get lumped together because the user experience is similar — "I just looked at a website and got infected." Understanding the distinction matters because the defenses against them are different.

Authorized drive-by downloads

In an authorized drive-by, the user does click something — but they have been deceived about what they are clicking. The most common modern examples:

  • Fake browser update prompts. A page renders a banner styled to look exactly like a Chrome, Firefox, or Edge update notification: "Your browser is out of date — click here to update." Clicking downloads an executable disguised as the browser installer. (Real browser updates never come through a web page — they happen silently inside the browser itself.)
  • Fake Adobe Flash / video codec prompts. The page claims you need a missing codec to view the video. The "codec installer" is the malware.
  • "ClickFix" attacks. A relatively new technique — the page shows a fake CAPTCHA or "verify you are human" challenge, then instructs the user to press Windows+R and paste a "verification code" that is actually a PowerShell command. The user themselves runs the malware, believing they are completing a CAPTCHA.
  • Fake software downloads. SEO-poisoned search results for legitimate software ("download Notepad++," "download WinRAR") that lead to lookalike sites distributing trojanized installers.

Authorized drive-bys are social-engineering attacks dressed up as browser events. They do not exploit any browser vulnerability — they exploit the user. They work because they look identical to legitimate prompts users see all the time.

Unauthorized drive-by downloads

In the unauthorized variety, the browser itself executes the malicious code without any user interaction beyond loading the page. The attack chain looks like this:

  1. You navigate to a page (intentionally or because of an automatic redirect).
  2. The page contains JavaScript that fingerprints your browser, OS, and installed plug-ins.
  3. Based on the fingerprint, an exploit kit selects a vulnerability your specific browser configuration is known to have.
  4. A crafted payload is delivered that triggers the vulnerability — often a buffer overflow, use-after-free, or type confusion bug in the browser engine, the JavaScript JIT, or a plug-in.
  5. The exploit gains code execution inside the browser process, then escapes the browser sandbox (if there is one) and writes the actual malware payload to disk.
  6. The payload runs. You see nothing.

Unauthorized drive-bys are far less common today than they were in the 2010s. Modern browsers (Chrome, Firefox, Edge, Safari) are heavily sandboxed and aggressively patched, and the plug-in attack surface that powered the golden age of exploit kits — Flash, Java, Silverlight — has been almost entirely retired. But unauthorized drive-bys still occur, especially against users running outdated browsers, unpatched plug-ins, or end-of-life operating systems like Windows 7.

[Figure: VISIT → REDIRECT → EXPLOIT → PAYLOAD. Panels: Legitimate Site (news · weather · forum; loads a third-party ad / script / widget; malicious iframe, user sees nothing wrong) → Traffic Distribution (JS fingerprints browser: OS · plug-ins · version · IP geolocation · user-agent · screen size; picks an exploit or a fake-update lure) → Exploit Kit (browser engine bug, shellcode in JS; RCE → sandbox escape → write to disk) → Final Payload (RedLine / Lumma stealer, SocGholish loader, Qakbot / IcedID banker, XMRig miner, ransomware second stage; persistence + exfil). Two paths, same outcome. AUTHORIZED: user is tricked into clicking a fake "update" or "verify" prompt, and the installer runs. UNAUTHORIZED: a browser vulnerability is exploited silently, no click required, no warning shown.]
Anatomy of a modern drive-by download. The pivotal step is the Traffic Distribution System (TDS) — JavaScript that fingerprints the visitor and selects the most effective attack for their specific browser, plug-ins, and OS. Same visitor on the same page, served two different attacks two minutes apart.

How Drive-By Downloads Are Delivered

The malicious page that triggers a drive-by has to reach the user somehow. Five vectors account for nearly every modern infection, and a single campaign usually runs several of them at once.

1. Malvertising

The single largest drive-by delivery channel of the past decade. Malvertising works by inserting malicious ads into legitimate ad networks (Google Ads, Yahoo's Right Media, OpenX, and dozens of smaller exchanges). The ad bids on inventory on mainstream sites — news outlets, sports portals, weather pages — and is rendered to visitors as a normal-looking banner or video. When the ad loads, an iframe or script tag inside it silently navigates the browser through a chain of redirects ending at the exploit kit landing page. The visitor sees nothing change on the host site.

Major incidents include Yahoo (2014, served Angler EK ads for a week), Forbes (2016), the BBC, MSN, and the New York Times (2009 and 2016). The host sites were not compromised. Their ad networks were. Ad networks resell inventory across so many sub-tiers that the host site has effectively no visibility into who is actually rendering inside their ad slots.

2. Compromised legitimate websites

Attackers compromise the actual host site — usually by exploiting an outdated WordPress, Joomla, or Magento install, a vulnerable plug-in, or weak admin credentials — and inject malicious JavaScript into the page templates. Every visitor to the legitimate site is then automatically redirected through the attack chain. Common patterns:

  • Magecart / web skimmers on e-commerce sites — injected JS captures credit card numbers at checkout. (Technically credential theft, not drive-by malware, but lives in the same playbook.)
  • SocGholish (also called FakeUpdates) — JavaScript injected into compromised WordPress sites that displays a fake browser update prompt to visitors. Active continuously since 2018.
  • NDSW/NDSX — a long-running JS injection campaign affecting tens of thousands of WordPress sites, redirecting to scam pages and malware downloads.
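A site owner's integrity check for the injection patterns described above (hidden iframes, script tags pulling from unexpected hosts, obfuscated inline loaders), added here as an example and not the tooling of any vendor or campaign named on this page. The sample theme footer, the `.invalid` hosts in it and the trusted-host allowlist are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site owner knows which third-party script hosts belong on the page.
TRUSTED_SCRIPT_HOSTS = {"cdnjs.cloudflare.com"}

# Inline-script constructs injected loaders lean on; legitimate theme code rarely needs them.
OBFUSCATION_PATTERNS = [
    ("eval()", re.compile(r"\beval\s*\(")),
    ("unescape()", re.compile(r"\bunescape\s*\(")),
    ("String.fromCharCode", re.compile(r"String\.fromCharCode")),
    ("atob() decode", re.compile(r"\batob\s*\(")),
    ("long hex-escape run", re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")),
]


class InjectionScanner(HTMLParser):
    """Flags hidden iframes, scripts loaded from unknown hosts, and obfuscated inline JS."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = trusted_hosts
        self.findings = []          # (kind, detail, line number)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.findings.append(("hidden-iframe", a.get("src", ""), line))
        elif tag == "script":
            src = a.get("src")
            if src:
                host = urlparse(src).hostname   # None for same-origin relative paths
                if host and host not in self.trusted_hosts:
                    self.findings.append(("untrusted-script-src", src, line))
            else:
                self._in_script = True          # inline script: body arrives via handle_data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for name, pattern in OBFUSCATION_PATTERNS:
                if pattern.search(data):
                    self.findings.append(("obfuscated-inline-script", name, self.getpos()[0]))
                    break


def scan_template(html, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Return the list of (kind, detail, line) findings for one page template."""
    scanner = InjectionScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a theme footer with normal includes plus three injected lines.
SAMPLE_FOOTER = """<footer>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>
<script>document.addEventListener('DOMContentLoaded', function(){ console.log('theme ok'); });</script>
<script>eval(String.fromCharCode(118,97,114,32,97,61,49));</script>
<iframe src="//redirector.invalid/gate.php" width="0" height="0" style="display:none"></iframe>
<script src="//static-loader.invalid/update-check.js"></script>
</footer>
"""

if __name__ == "__main__":
    for kind, detail, line in scan_template(SAMPLE_FOOTER):
        print(f"line {line}: {kind}: {detail}")
```

Run it over every template and plugin file the CMS renders, not just the homepage, since injections are usually placed in a footer or header partial that every page includes.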

3. Fake update / "ClickFix" social-engineering pages

The hottest trend of 2023–2025. Instead of trying to exploit a browser vulnerability (hard, patched within days), attackers create pages that look like a system or browser prompt and rely on the user to execute the malware themselves. The classic SocGholish prompt looks identical to a Chrome update banner. The newer ClickFix attack shows a fake Cloudflare CAPTCHA, fake "verify you are human" challenge, or fake "this page is having problems" dialog with step-by-step instructions to "fix" it that involve opening Windows Run and pasting a command. The command is invariably a PowerShell one-liner that downloads and executes the malware.

Rule of thumb. Real software updates never instruct you to open a terminal, the Run dialog, or PowerShell. Real CAPTCHAs never give you keyboard commands to run. If a web page is asking you to press Windows+R and paste anything, close the tab immediately. It is malware delivery, regardless of how legitimate the page looks.

4. SEO poisoning

Attackers create hundreds of pages optimized to rank for searches like "free PDF reader download," "download WinRAR free," "Notepad++ download," or specific software-name + crack queries. The pages either rank organically through aggressive SEO or appear in paid ads (Google Ads-served malvertising results that look indistinguishable from the legitimate top result). Clicking the result leads to a lookalike site distributing trojanized installers. This is how most current STOP/Djvu ransomware infections begin.

5. Malicious browser extensions

An extension installed from the official Chrome Web Store or Firefox Add-ons store can, after gaining users, push an update that injects malicious content scripts into every page the user visits. The extension itself becomes the drive-by delivery mechanism. Notable cases include "The Great Suspender" (sold to a malicious owner in 2021) and the "Cashback Helper" / "PDF Toolbox" cluster of 2023, which together had tens of millions of installs.

Exploit Kits — Then and Now

An exploit kit is a server-side toolkit that automates the unauthorized drive-by attack chain — fingerprint the visitor, select the best exploit, deliver it, hand off to the payload of the operator's choice. They are sold or rented to malware operators who want delivery infrastructure without having to build it themselves. The kits are not malware in their own right; they are the wholesalers of malware delivery.

| Exploit Kit | Active Period | Primary Targets | Status |
|---|---|---|---|
| Blackhole | 2010 – 2013 | Java · Flash · IE · PDF reader | Inactive (operator arrested 2013) |
| Angler | 2013 – 2016 | Flash · Silverlight · IE | Inactive (operators arrested as part of Lurk takedown) |
| Magnitude | 2013 – present (low volume) | IE · Flash · later Edge Legacy | Niche — targets specific Asian victims |
| Rig | 2014 – present | IE · Flash · Silverlight | Declining — IE/Flash retirement gutted its targets |
| Neutrino | 2014 – 2017 | Flash · IE · Silverlight | Inactive |
| Fallout | 2018 – 2019 | Flash · IE · VBScript engine | Inactive |
| Underminer | 2017 – 2020 | IE · Flash · CVE-2018-8174 | Inactive |

What you'll notice: every row lists Flash or Internet Explorer among its targets. The exploit-kit business model depended almost entirely on browser plug-ins that ran outside the browser sandbox. When Adobe end-of-lifed Flash (December 2020), Microsoft retired Internet Explorer (June 2022), and Java's browser plug-in was removed by every major vendor (2017–2019), the technical foundation of unauthorized drive-bys collapsed. Today's exploit kits exist as low-volume operations targeting niche legacy browsers (typically older Internet Explorer on unpatched Windows 7 systems still common in some industrial and Asian markets).

The shift is what made authorized drive-bys — SocGholish, ClickFix, fake updates — the dominant model. Tricking the user is easier than breaking the browser.

What Actually Gets Installed

The drive-by is the delivery mechanism, not the malware. The final payload is whatever the operator chose to push that day — and operators often run multiple payloads in sequence so that even if one is detected, others have already finished their work. Common payload categories:

Information stealers

RedLine, Lumma Stealer, Vidar, Raccoon Stealer, StealC. These are small (sub-1MB), fast (complete in seconds), and harvest every credential they can find: browser-saved passwords, cookies, autofill data, crypto wallet seed phrases, Discord/Telegram tokens, FTP creds, VPN configs, SSH keys, and saved Wi-Fi passwords. They exfiltrate immediately and exit. By the time anything else happens on your machine, your credentials are already up for sale on an underground forum.

Ransomware

STOP/Djvu, LockBit affiliates, BlackCat, Conti (now defunct), and dozens of smaller operations. Often arrives bundled with an info-stealer that runs first — so even if the ransom is paid and files restored, the credential theft has already occurred.

Remote-access trojans

NetSupport RAT (commonly delivered by SocGholish), Cobalt Strike beacons, AsyncRAT, Quasar. These give the operator hands-on access to your machine — they can browse files, capture screens, log keystrokes, and use your machine as a launchpad for attacks against the rest of your network.

Banking trojans

Qakbot (Qbot), IcedID, Trickbot (mostly retired), Emotet (returned 2022). Wait for you to log into a bank or payroll system, then either steal credentials or transparently inject themselves into the session to redirect transfers.

Cryptominers

XMRig (Monero) is the most common. Lower-impact than the other categories — your machine just runs hot and slow forever — but trivially profitable for operators, so it has become the default "filler" payload on infections where nothing else more valuable can be extracted.

Botnet clients

Adds your machine to a botnet (Glupteba, Andromeda, ZeroAccess historically). The operators rent out your bandwidth, IP reputation, and computing resources to other criminals.

Yes, Macs Get Hit Too

A persistent myth: drive-by downloads are a Windows problem. They are not — but the macOS attack surface is shaped differently. macOS users are rarely the target of pure browser-exploit unauthorized drive-bys (the volume is too low to be profitable), but they are heavily targeted by authorized drive-bys — fake update prompts, fake Flash installers (still!), and trojanized download portals.

Common macOS payloads delivered via drive-by:

  • Shlayer / Bundlore. The most widespread macOS malware in history, primarily delivered as fake Adobe Flash installers. Even after Flash was retired, the "you need to install Flash to watch this video" prompt continued to lure macOS users into running the installer. Shlayer drops adware (Pirrit, AdLoad, Cimpli) that floods the system with browser-injected ads and search hijacking.
  • AdLoad. Adware that installs as a malicious launch agent and Safari extension. Routinely modifies search settings, injects ads, and persists through OS updates. Apple finally added baseline detection in macOS 13 — older versions remain wide open.
  • Atomic macOS Stealer (AMOS) and KeySteal. Modern macOS-targeted info-stealers. Delivered via fake-app installers on poisoned-search-result sites. Harvest Keychain entries, browser passwords, and crypto wallets.
  • OSX/Dok (older). A trojan that delivered a self-signed installer through malicious PDF attachments and trick installers — once granted the admin password, it installed a man-in-the-middle proxy for browser traffic.

macOS's Gatekeeper and notarization requirements raise the bar but do not eliminate the threat. Attackers steal or buy valid Apple Developer IDs to sign their malware, then ride the resulting blue-checkmark trust until Apple revokes the certificate (typically days to weeks later — long enough to infect everyone who runs it during that window).

Warning Signs You've Been Hit

Most drive-by infections give some sign during or shortly after the attack — but they are subtle and easily missed if you're not watching for them. The most reliable indicators:

  • Browser briefly redirected through unfamiliar domains. Watch the URL bar during a page load — if it flashed through one or two domains you didn't expect before landing on the page you intended to visit, that's the chain of redirects to the exploit kit.
  • A new browser tab opened and immediately closed. A common technique — the malicious payload opens a tab to a delivery URL, completes its work, then closes the tab.
  • CPU or disk spiked for a few seconds after page load. Especially noticeable on a quiet machine. Open Task Manager (Windows) or Activity Monitor (macOS) and watch for an unfamiliar process spiking right after the suspicious page.
  • Browser became unresponsive briefly during page load. A symptom of an exploit firing in the background.
  • Fake update or CAPTCHA prompt appeared. If you saw one and clicked it (or followed its instructions), assume infection until proven otherwise.
  • New browser extension you don't remember installing. Check your extension list — drive-bys sometimes install Chrome/Firefox extensions as their persistence mechanism.
  • Saved passwords are being used without your knowledge. If you start getting "new sign-in detected" emails from accounts you haven't logged into recently, an info-stealer has already exfiltrated your credentials.
  • Random pop-ups, search redirects, new toolbars. Classic adware symptoms — common on macOS as the visible Shlayer/AdLoad payload.
  • Fan running constantly, machine hot, performance crashed. Cryptominer payload running in the background.

If You Think You've Been Hit — Cleanup Steps

The drive-by mechanism is gone after you close the browser tab; what you are actually cleaning up is whatever payload the drive-by installed. The exact steps depend on which payload landed — but a defensive cleanup that covers the common cases:

01. Disconnect from the network

Unplug Ethernet and disable Wi-Fi. Stops any active info-stealer mid-exfiltration and prevents the payload from reaching its C2 again. Leave it disconnected for the rest of the cleanup.

02. Close all browser windows and clear cached pages

Quit the browser fully. In Chrome / Edge / Firefox: clear browsing data → "All time" → cache and cookies. This removes any service workers or cached payload that could re-trigger on next launch. On Safari: Develop menu → Empty Caches, then Safari → Clear History → all history.

03. Review installed browser extensions

Open each browser's extension management page (chrome://extensions, about:addons, Safari → Settings → Extensions). Disable anything you do not specifically recognize and use. Drive-by infections frequently install extensions as persistence.

04. Check for new startup items / launch agents

Windows: open Task Manager → Startup tab, and Task Scheduler → Library. Disable / delete anything created near the time you visited the suspicious page that you do not recognize. macOS: System Settings → General → Login Items, plus check ~/Library/LaunchAgents/ and /Library/LaunchAgents/ for unfamiliar .plist files.

05. Run a full Malwarebytes scan

Download Malwarebytes from a clean machine if your browser is unreliable. Run a full Threat Scan (not the quick scan). Malwarebytes' database covers the bulk of common drive-by payloads on both Windows and macOS. Quarantine and remove everything flagged.

06. Run a second-opinion scanner

On Windows: HitmanPro or Emsisoft Emergency Kit. On macOS: KnockKnock by Objective-See (free, shows everything that persistently runs on your Mac — invaluable for spotting unfamiliar launch agents).

07. Check the hosts file

Some payloads (notably STOP/Djvu) modify the hosts file to block security-vendor domains. Windows: %WINDIR%\System32\drivers\etc\hosts. macOS: /etc/hosts. In its default form the file should be near-empty. Remove any entries that point security vendors, news sites, or update servers to 0.0.0.0.

08. Reset browser settings

Each browser has a "reset to defaults" option that clears custom search engines, homepage hijacks, and policy overrides. Use it. (Chrome: Settings → Reset settings. Firefox: Help → Troubleshooting Information → Refresh Firefox. Edge: Settings → Reset settings. Safari: there is no single reset — manually clear extensions, history, and content blockers.)

09. Change every saved password — from a different device

This is the most important step. Assume any password your browser had saved was exfiltrated within seconds of the infection. From a clean phone, tablet, or known-good computer: change passwords for email, banking, social media, cloud storage, work accounts, and anything with payment info. Enable two-factor authentication everywhere it is offered. Revoke active sessions in each account's security panel.

10. Reboot and verify

Reboot, then re-run both scanners. Watch network activity (Resource Monitor on Windows, Activity Monitor → Network on macOS) for any process making connections you can't explain. Verify Task Manager / Activity Monitor shows nothing eating CPU at idle (a sign a miner survived).
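The macOS half of step 04 as a script, added here as an example rather than anything the shop uses: it lists the .plist files in the two LaunchAgents directories named in that step and flags any written after the time of the suspicious visit, any whose program lives outside the usual install roots (an assumed allowlist), any hiding in a dot-prefixed folder, and any that will not parse. The two sample agents it runs against are constructed, with a made-up label and program path.

```python
import os
import plistlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# The two directories step 04 tells you to check on macOS.
LAUNCH_AGENT_DIRS = [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]
# Assumption: a legitimately installed agent's program normally lives under one of these roots.
EXPECTED_PROGRAM_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/", "/opt/")


def program_of(plist):
    """Return the executable an agent runs: Program wins over ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""


def triage_launch_agents(dirs, since):
    """Return [{file, label, program, reasons}] for agents written after `since` (tz-aware
    time of the suspicious visit), running from odd locations, or that fail to parse."""
    flagged = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                with p.open("rb") as f:
                    plist = plistlib.load(f)
            except Exception as exc:        # a plist launchd cannot read is itself suspicious
                flagged.append({"file": str(p), "label": None, "program": None,
                                "reasons": [f"unparseable plist: {exc}"]})
                continue
            program = program_of(plist)
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            reasons = []
            if mtime >= since:
                reasons.append(f"written {mtime:%Y-%m-%d %H:%M} UTC, after the suspicious visit")
            if program and not program.startswith(EXPECTED_PROGRAM_PREFIXES):
                reasons.append(f"program outside standard install locations: {program}")
            if any(part.startswith(".") for part in Path(program).parts):
                reasons.append("program path goes through a hidden (dot-prefixed) directory")
            if reasons:
                flagged.append({"file": str(p), "label": plist.get("Label"),
                                "program": program, "reasons": reasons})
    return flagged


def build_sample_dir(root):
    """Constructed sample: a year-old vendor agent plus one dropped just now (label is made up)."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    legit = root / "com.examplevendor.updater.plist"
    with legit.open("wb") as f:
        plistlib.dump({"Label": "com.examplevendor.updater", "RunAtLoad": True,
                       "ProgramArguments": ["/Applications/ExampleVendor.app/Contents/MacOS/updater"]}, f)
    old = (datetime.now(timezone.utc) - timedelta(days=400)).timestamp()
    os.utime(legit, (old, old))             # backdate so it clearly predates the visit
    dropped = root / "com.sysupdate.helper.plist"
    with dropped.open("wb") as f:
        plistlib.dump({"Label": "com.sysupdate.helper", "RunAtLoad": True, "KeepAlive": True,
                       "ProgramArguments": ["/Users/victim/Library/Application Support/.hlp/agent", "-r"]}, f)
    return root


def demo(visit_hours_ago=2):
    """Run the triage over the constructed sample; returns the flagged agents."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_dir(Path(tmp) / "LaunchAgents")
        since = datetime.now(timezone.utc) - timedelta(hours=visit_hours_ago)
        return triage_launch_agents([sample], since)


if __name__ == "__main__":
    # Real use: triage_launch_agents(LAUNCH_AGENT_DIRS, <time of the suspicious visit>)
    for hit in demo():
        print(hit["file"], hit["label"], *("\n   - " + r for r in hit["reasons"]))
```

A flagged agent is a lead, not a verdict: read the plist and the program it points at before unloading it, and check /Library/LaunchDaemons with the same function if the user ever granted an admin password to the prompt.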

When in doubt, bring it in. The above covers common drive-by payloads. Less common ones — kernel-mode rootkits, UEFI bootkits, persistence through valid signed services — require deeper analysis with forensic tools that aren't end-user-friendly. If after the steps above you still suspect something is wrong, or if the payload was ransomware or a banking trojan, get the machine professionally examined before resuming normal use.

Prevention

The good news: drive-bys are dramatically easier to prevent than to clean up. The combination of measures below stops virtually every infection vector in current use:

  1. Keep your browser and OS fully patched. Modern Chrome, Firefox, Edge, and Safari fix browser-engine bugs within days of discovery. Unauthorized drive-bys only work against unpatched systems. Enable auto-updates and don't postpone them.
  2. Use a content blocker or ad blocker. uBlock Origin (free, all major browsers) is the gold standard. Beyond removing ads, it blocks the third-party scripts and ad-network domains that deliver malvertising in the first place. This single browser extension is more effective than most paid security suites at preventing drive-bys.
  3. Disable JavaScript on untrusted sites. Drastic but effective. Tools like NoScript (Firefox) and the built-in site permissions in Chrome / Edge let you allowlist JS only on sites you trust. The web becomes less convenient but dramatically safer.
  4. Run modern endpoint protection. Windows Defender on Windows 11 is genuinely good and free; XProtect + Malwarebytes is a reasonable macOS pair. Behavioral detection catches payload execution even when the initial drive-by slips through.
  5. Use a password manager — not browser-saved passwords. Info-stealers harvest browser-saved passwords trivially. Standalone password managers (1Password, Bitwarden, Dashlane) require a master password that is not stored on the system in unlockable form.
  6. Enable two-factor authentication on everything important. Stolen passwords are useless to attackers if there's a second factor blocking login.
  7. Never run commands a webpage tells you to run. No legitimate site will ever ask you to press Windows+R, open Terminal, paste a PowerShell command, or perform manual "verification" steps. If you're asked, the page is malicious — close it.
  8. Update from inside the app, never from a web prompt. If Chrome needs an update, Chrome will tell you from inside Chrome. If Adobe Reader needs an update, it'll prompt you from the Reader itself. A web page telling you to update something is, with very few exceptions, lying.
  9. Use a non-admin account for daily use. On Windows, run as a Standard User and elevate only when needed. On macOS, the default is similar — but if you have an admin account, consider creating a non-admin daily-driver account.
  10. Back up regularly with the 3-2-1 rule. 3 copies, 2 different media types, 1 offsite or disconnected. The drive-by that gets through despite everything is dramatically less damaging if your data is recoverable from backup.

Our 90-Day Warranty covers every malware removal. If anything we cleaned up returns within 90 days of our service, we come back and clear it at no charge. That guarantee is in writing on every invoice — and yes, it covers re-infections that came in through a drive-by.

Bring Your Device to Computer Repair Roswell

Drive-by cleanups are one of the more deceptive jobs in the shop. The malware mechanism that put the infection on the machine is already gone — you can't disable it because you never enabled it. What we're really doing is identifying which of several common payloads landed, hunting down every component, and helping the customer rotate every credential the machine had access to. Often the customer's first reaction is "I didn't do anything wrong, I just visited a regular website" — and they're right. That's exactly how drive-bys work.

If you suspect a drive-by infection — saw a suspicious page, watched the URL bar flash through redirects, got a fake update prompt, or just noticed your machine running hot and slow without explanation — disconnect from the network, write down what site you were on when it happened, and bring the machine in or submit a request below. Our certified technicians do this work every week.

Our shop is in Roswell and serves all of North Atlanta — Alpharetta, Sandy Springs, Marietta, Johns Creek, Milton, Dunwoody, and beyond. Walk-ins welcome, or submit a repair request and we'll respond within the hour.

Think You Picked Something Up From a Webpage?

Our certified technicians handle drive-by infections every week — both Windows and Mac. Free diagnostic. No fix, no fee.

Call (770) 589-5654