Breaking Down Drive-By Phishing Attacks

October 29, 2018 by Dan Virgillito

For the past decade, drive-by download attacks have been the bane of organizations’ IT department. These occur when adversaries place malicious Trojans inside seemingly innocuous websites in an attempt to infect any browser that opens them. If an employee doesn’t have a strong anti-malware software installed on his/her PC, he/she can be affected just by seeing the Web page.

Today, the threat has shifted to an even more dangerous avenue: phishing. A new class of drive-by phishing attacks have been discovered that affect users who merely view an email. If recipients have the preview pane activated, they don’t even have to open the email – they can get infected just by single-clicking the subject line.

How Drive-By Phishing Works

Just like a standard drive-by attack, these malicious email messages leverage JavaScript and HTML to distribute their payload. Because HTML display is rarely disabled in people’s email reading options, it’s easy for threat actors to find and victimize targets.

On most occasions, drive-by emails are received from senders unfamiliar to the recipient; however, they can come from trusted addresses as well. A trusted sender who has been infected can unknowingly start a chain of drive-by phishing attacks, resulting in a greater likelihood of recipients clicking on the link.

In addition, drive-by phishing attacks often show the following traits:

  • The subject line shows incorrect grammar or spelling
  • Senders “shotgun blast” a random group of recipients while failing to highlight anyone specifically. The lack of salutation in these emails is often a red flag
  • Not constructive or subtle: these emails often fail to realize that they have intelligent professionals on the receiving end

Until now, phishing attacks via email have required specific actions on the part of the recipient, who is tricked into downloading a malicious attachment or opening a hacked website. These drive-by phishing attacks contain HTML exploits that eliminate manual steps by having JavaScript handle the infiltration instead. In most instances the script is obfuscated, which makes it more challenging for security experts to analyze the code.

Popular web browsers like Google Chrome and Firefox, as well as versatile antivirus solutions, will alert recipients when browsers open emails known to be malicious or compromised. But many drive-by phishing attacks infiltrate users in the preview pan” and thus do not get marked as harmful.

Real-World Examples

Drive-by phishing attempts were previously spotted in emails with the standard subject line “Banking Security Update” along with a sender’s address containing the domain “” If an email client doesn’t block the display of HTML messages, the HTML code is activated immediately. Unfortunately, while it is possible to view emails in plain text, it’s not always convenient (or even possible in some cases) to get incoming emails to open that way.

In another instance, IT consultant Dale Meredith identified an Uber-themed phishing email which asks recipients to change their passwords. Of course, it isn’t a legitimate request, but rather a trap that enables cyber-crooks to collect users’ real passwords. In this way, criminals can log into every account that shares the same email ID, for which the victim has reused their credentials.

One giveaway from at least one of the drive-by phishing attacks is a statement that Uber is working with its fierce rival Lyft.

When it comes to drive-by phishing, topicality is a time-tested technique. For adversaries, it’s one of the best things about context-based manipulation: Giving their scam a refresh only requires inserting in a couple of “taken from the current headlines” phrases.

How to Protect Yourself From Drive-By Phishing

Detecting drive-by phishing attacks is complicated and not for the irresponsible. It requires all aspects of an email to be analyzed in real-time for any malicious code they might execute if previewed/opened. However, the increasing volume of emails make it much difficult to detect whether a message is counterfeit or legitimate, and we must factor in that with IPv6 backlisting capability anti-spam solutions are going to become obsolete.

That said, taking certain steps can reduce risk exposure to drive-by phishing attacks.

1. Use Email Filters

The best way to prevent drive-by phishing attacks is to prevent the malicious email from reaching your inbox. This can be done by activating your email client’s spam filter. Spam filters can be activated to identify and prevent emails from suspicious sources from ever reaching your inbox.

2. Carefully Analyze the Subject Line

In most cases, drive-by phishing emails call for some sort of immediate action in the subject line. Therefore, make it a habit to review the subject lines of all incoming emails for any requests to act urgently.

3. Ignore Emails That Blatantly Ask for Confidential Information

Credit card companies, government agencies and loan providers generally do not send emails that link to a page which requires you to enter your account credentials. Delete such emails immediately and do not provide any information. Merely opening the site can result in an infection with a Trojan or virus.

4. Check The Spelling of the URL After @

Always check that the URL is legitimate and analyze it for spelling mistakes. Ensure that the URL is the one that is officially used by the company by comparing it with previous emails or with the address mentioned on the company’s website.

Final Verdict

In today’s complex technological and business landscape, it can no longer be the sole responsibility of security teams to keep enterprises secure. Technology will continue playing a vital role, but end users also need to be aware of the threats that can cause company-wide damage. Hence, your final line of defense against drive-by phishing attacks shouldn’t be an antivirus solution, but an awareness that any type of email could contain malware.


Malicious Email Downloads ‘Drive-by’ Virus Just by Clicking Open, The Blaze

Posted: October 29, 2018
Dan Virgillito
View Profile

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news. Visit his website or say hi on Twitter.