Breaking Down Drive-By Phishing Attacks
For the past decade, drive-by download attacks have been the bane of organizations’ IT department. These occur when adversaries place malicious Trojans inside seemingly innocuous websites in an attempt to infect any browser that opens them. If an employee doesn’t have a strong anti-malware software installed on his/her PC, he/she can be affected just by seeing the Web page.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
Today, the threat has shifted to an even more dangerous avenue: phishing. A new class of drive-by phishing attacks have been discovered that affect users who merely view an email. If recipients have the preview pane activated, they don’t even have to open the email – they can get infected just by single-clicking the subject line.
How Drive-By Phishing Works
Just like a standard drive-by attack, these malicious email messages leverage JavaScript and HTML to distribute their payload. Because HTML display is rarely disabled in people’s email reading options, it’s easy for threat actors to find and victimize targets.
On most occasions, drive-by emails are received from senders unfamiliar to the recipient; however, they can come from trusted addresses as well. A trusted sender who has been infected can unknowingly start a chain of drive-by phishing attacks, resulting in a greater likelihood of recipients clicking on the link.
In addition, drive-by phishing attacks often show the following traits:
- The subject line shows incorrect grammar or spelling
- Senders “shotgun blast” a random group of recipients while failing to highlight anyone specifically. The lack of salutation in these emails is often a red flag
- Not constructive or subtle: these emails often fail to realize that they have intelligent professionals on the receiving end
Until now, phishing attacks via email have required specific actions on the part of the recipient, who is tricked into downloading a malicious attachment or opening a hacked website. These drive-by phishing attacks contain HTML exploits that eliminate manual steps by having JavaScript handle the infiltration instead. In most instances the script is obfuscated, which makes it more challenging for security experts to analyze the code.
Popular web browsers like Google Chrome and Firefox, as well as versatile antivirus solutions, will alert recipients when browsers open emails known to be malicious or compromised. But many drive-by phishing attacks infiltrate users in the preview pan” and thus do not get marked as harmful.
Real-World Examples
Drive-by phishing attempts were previously spotted in emails with the standard subject line “Banking Security Update” along with a sender’s address containing the domain “fdic.com.” If an email client doesn’t block the display of HTML messages, the HTML code is activated immediately. Unfortunately, while it is possible to view emails in plain text, it’s not always convenient (or even possible in some cases) to get incoming emails to open that way.
In another instance, IT consultant Dale Meredith identified an Uber-themed phishing email which asks recipients to change their passwords. Of course, it isn’t a legitimate request, but rather a trap that enables cyber-crooks to collect users’ real passwords. In this way, criminals can log into every account that shares the same email ID, for which the victim has reused their credentials.
One giveaway from at least one of the drive-by phishing attacks is a statement that Uber is working with its fierce rival Lyft.
When it comes to drive-by phishing, topicality is a time-tested technique. For adversaries, it’s one of the best things about context-based manipulation: Giving their scam a refresh only requires inserting in a couple of “taken from the current headlines” phrases.
How to Protect Yourself From Drive-By Phishing
Detecting drive-by phishing attacks is complicated and not for the irresponsible. It requires all aspects of an email to be analyzed in real-time for any malicious code they might execute if previewed/opened. However, the increasing volume of emails make it much difficult to detect whether a message is counterfeit or legitimate, and we must factor in that with IPv6 backlisting capability anti-spam solutions are going to become obsolete.
That said, taking certain steps can reduce risk exposure to drive-by phishing attacks.
1. Use Email Filters
The best way to prevent drive-by phishing attacks is to prevent the malicious email from reaching your inbox. This can be done by activating your email client’s spam filter. Spam filters can be activated to identify and prevent emails from suspicious sources from ever reaching your inbox.
2. Carefully Analyze the Subject Line
In most cases, drive-by phishing emails call for some sort of immediate action in the subject line. Therefore, make it a habit to review the subject lines of all incoming emails for any requests to act urgently.
3. Ignore Emails That Blatantly Ask for Confidential Information
Credit card companies, government agencies and loan providers generally do not send emails that link to a page which requires you to enter your account credentials. Delete such emails immediately and do not provide any information. Merely opening the site can result in an infection with a Trojan or virus.
4. Check The Spelling of the URL After @
Always check that the URL is legitimate and analyze it for spelling mistakes. Ensure that the URL is the one that is officially used by the company by comparing it with previous emails or with the address mentioned on the company's website.
Final Verdict
In today's complex technological and business landscape, it can no longer be the sole responsibility of security teams to keep enterprises secure. Technology will continue playing a vital role, but end users also need to be aware of the threats that can cause company-wide damage. Hence, your final line of defense against drive-by phishing attacks shouldn't be an antivirus solution, but an awareness that any type of email could contain malware.
See Infosec IQ in action
Sources
Malicious Email Downloads ‘Drive-by’ Virus Just by Clicking Open, The Blaze
In this Series
- Breaking Down Drive-By Phishing Attacks
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
