With the increased number of drive-by attacks happening lately, I decided to investigate how these attacks work and what can be done to prevent them.
The way drive-by attacks work is simple. A hacker breaks into a website and edits the source code of its pages so that they deliver malware to visitors. Usually the hacker hosts their own web page and loads it through an iframe on the site they broke into. This is a subtle but very effective method of attacking users’ machines, because the iframe is normally hidden, so the user doesn’t even see it.
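As an added example (not code from the original post), here is a small Python scanner a site owner could run over a page’s HTML to flag iframes hidden in the way just described: frames styled invisible, collapsed to 0 or 1 pixel, or nested inside a hidden container, with off-site targets noted. The sample page and the exploit.invalid host are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def tiny(value):  # a width/height of 0 or 1 pixel, with or without a px unit
    v = value.strip().lower().removesuffix("px")
    return v.isdigit() and int(v) <= 1

def css_hides(style):  # inline style that hides the element or collapses it to 0/1 px
    decls = dict(d.split(":", 1) for d in style.lower().replace(" ", "").split(";") if ":" in d)
    return (decls.get("display") == "none" or decls.get("visibility") == "hidden"
            or tiny(decls.get("width", "")) or tiny(decls.get("height", "")))

class IframeFinder(HTMLParser):  # collects each <iframe> and whether a hidden ancestor encloses it
    def __init__(self):
        super().__init__()
        self.stack = []    # (tag, hidden_by_style) for the currently open elements
        self.iframes = []  # (attrs, enclosed_by_hidden_ancestor)
    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append((attrs, any(hidden for _, hidden in self.stack)))
        self.stack.append((tag, css_hides(attrs.get("style", ""))))
    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # pop back to the matching open tag
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_suspicious_iframes(html, site_host):
    """Return [(src, reasons)] for iframes hidden by CSS or sized to 0/1 px."""
    parser = IframeFinder()
    parser.feed(html)
    findings = []
    for attrs, hidden_ancestor in parser.iframes:
        reasons = []
        if hidden_ancestor or css_hides(attrs.get("style", "")):
            reasons.append("hidden-by-css")
        if tiny(attrs.get("width", "")) or tiny(attrs.get("height", "")):
            reasons.append("tiny-dimensions")
        if reasons:  # a visible off-site embed (e.g. a video) is normal, so off-site is only annotated
            host = urlparse(attrs.get("src", "")).hostname
            if host and host != site_host:
                reasons.append("offsite-src:" + host)
            findings.append((attrs.get("src", ""), reasons))
    return findings

# Constructed sample page: one normal video embed and two injected hidden frames (exploit.invalid is a placeholder).
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://exploit.invalid/landing" width="1" height="1" style="visibility: hidden"></iframe>
<div style="display:none"><iframe src="http://exploit.invalid/x.html"></iframe></div></body></html>"""
```

Running `find_suspicious_iframes(SAMPLE_HTML, "www.example.com")` reports only the two hidden frames and leaves the visible video embed alone; a server-side check like this, diffed against a known-good copy of the page, catches the injection that the visitor’s browser never shows.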
This is called a drive-by attack because you are extremely unlikely to notice that it happened. The most effective hackers use a 0-day exploit, which often means the malware is not yet present in anti-virus databases, so the only way an anti-virus can detect it is through heuristic methods that look for unusual activity on your system. Experience has shown that this is extremely difficult to do, and these drive-by attacks often go unseen.
The exploits used in most of these attacks target browser plugins, as they are installed on almost every browser on every system. Popular plugins such as Flash and Java come installed on most new machines by default, and if the user doesn’t keep them updated they become a common attack vector for hackers.
So that leads me to my question: what can we do about it?
More recent builds of Google Chrome come with a fantastic feature that disables plugins by default and only lets them run when you explicitly click them. Let’s look at how to turn that on. In the top right corner of your browser click the menu icon and go to Settings (on Windows you can press Ctrl+, and on Mac Command+,).
Next, at the bottom of the page click “Show advanced settings”.
Under the “Privacy” section click the “Content Settings” button and scroll down to the “Plugins” section. We want to change this setting to “Click to Play”.
Finally, click the “Manage exceptions…” button so that we can whitelist some sites that are most likely safe to run plugins on. I have added YouTube like so:
Remember, when you add a site to this whitelist all plugins will run on it, so only add a site to this list if it relies on a plugin to operate or if having to click every time becomes really inconvenient.
And that’s it! Enjoy browsing the web more safely, and please give feedback in the comments or follow me on Twitter.