A drive-by download occurs when a malicious web site you visit downloads and installs software on your computer without your knowledge or consent. The objective is usually to install malware that records what you type and which sites you visit, searches your computer for stored passwords, or opens your computer to remote control. This is currently one of the most prevalent threats, and one that is hard to guard against.
Drive-by downloads are often, though not always, found on sites with less savory content (gambling, gossip, or similar topics). That said, even otherwise legitimate sites can be hijacked into hosting drive-by downloads through third-party ads; Expedia.com and Rhapsody.com both learned this the hard way in 2008. See Internet Safety is Our Shared Responsibility.
Google reported in 2007 that one in ten Internet sites hosted a drive-by download. In 2008, Sophos (a major antivirus vendor) estimated that 6,000 newly infected sites appeared every day.
Modern browsers take several defensive steps against drive-by downloads. Most will prominently warn before running an executable program and offer a safe course of action. Even with these aids, be wary of any site that offers to download or run something you did not consciously select.
Some browsers will refuse to directly execute software received while browsing, instead forcing you to save it to your hard drive, where an antivirus program can examine it. When this is the case, if you attempt to run that program later, even after you have finished browsing, you may still be prompted with stern warnings about untrustworthy content.
One common configuration makes drive-by downloads particularly effective at introducing hostile software: using the web while logged into your computer as an administrator. If you can install applications, change your computer's configuration, or perform administrative functions (create accounts, change passwords other than your own, monitor system and network activity, and so on), you are logged in as an administrator. Anything that runs during your browsing session, including a drive-by download, then runs with the same privileges you have.
Using the web without administrative rights greatly reduces both the risk of a successful drive-by download and the damage one can do if it succeeds. Learn how to manage administrative rights:
Look for https://
Any site that asks you to transmit personal information, such as credit card numbers, should have a URL starting with https:// (note the s) rather than http://. Without the s, what you send over the network is not encrypted and can be read by anyone between you and the site. Don't do business there. Of course, the fact that a site uses encryption does not guarantee it is secure: https protects the data only while it is in transit, and it is still possible that the entire site is a scam. Also pay attention to certificate warnings from your browser; if the browser cannot verify the site's certificate, you cannot be sure who is on the other end of the encrypted connection.
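The https check above is easy to do by eye for the address bar, but the form that actually carries your card number can submit somewhere else entirely. The following is an added example, not code from the original page: it resolves a form's action against the page URL (absolute, protocol-relative and relative actions all behave differently), decides whether sensitive fields would leave over https, and reports the two cases a reader should notice, plaintext submission and submission to a different host than the page. The field-name pattern, the `checkFormTransport` helper and the sample forms are assumptions constructed for illustration; the code relies only on the WHATWG `URL` class, which exists in browsers and Node.js.

```javascript
// Added example (not from the original page): check whether a web form that
// collects personal data would submit it over https. Uses the WHATWG URL
// class, global in browsers and Node.js. Field names, helper names and the
// sample forms are constructed for this illustration.

// Input field names that commonly carry data worth protecting (assumed list).
const SENSITIVE_FIELD = /(card|ccnum|cvv|cvc|ssn|passw)/i;

// Resolve a form's action attribute against the URL of the page it appears
// on. An empty or missing action submits back to the page itself; a
// protocol-relative action ("//host/path") inherits the page's scheme; a
// relative path ("/pay") resolves against the page's origin.
function resolveAction(pageUrl, action) {
  return new URL(action || "", pageUrl);
}

// Report on one form: where it submits, whether that is encrypted, and
// whether it carries sensitive fields. `form` is { action, fields }.
function checkFormTransport(pageUrl, form) {
  const page = new URL(pageUrl);
  const target = resolveAction(pageUrl, form.action);
  const sensitive = form.fields.filter((name) => SENSITIVE_FIELD.test(name));
  const encrypted = target.protocol === "https:";
  const crossHost = target.host !== page.host;

  let verdict;
  if (sensitive.length === 0) {
    verdict = "no sensitive fields";
  } else if (!encrypted) {
    // The page being https does not help if the form posts to http.
    verdict = page.protocol === "https:"
      ? "DANGER: https page posts sensitive data to http (mixed content)"
      : "DANGER: sensitive data would be sent unencrypted";
  } else if (crossHost) {
    // Encrypted, but going to a different site than the page. Payment
    // processors do this legitimately; a scam page can do it too.
    verdict = "encrypted, but submits to a different host: verify that site";
  } else {
    verdict = "encrypted (transport only; does not prove the site is honest)";
  }

  return { target: target.href, encrypted, sensitive, crossHost, verdict };
}

// Constructed sample forms, as a page scanner might collect them.
const SAMPLE_FORMS = [
  { page: "http://shop.example/checkout",
    form: { action: "/pay", fields: ["name", "card_number", "cvv"] } },
  { page: "https://shop.example/checkout",
    form: { action: "//shop.example/pay", fields: ["card_number"] } },
  { page: "https://shop.example/checkout",
    form: { action: "http://tracker.example/submit", fields: ["email", "password"] } },
  { page: "https://shop.example/checkout",
    form: { action: "https://pay.processor.example/charge", fields: ["ccnum"] } },
  { page: "http://blog.example/search",
    form: { action: "", fields: ["q"] } },
];

// Run every sample through the check and return the reports.
function scanSampleForms() {
  return SAMPLE_FORMS.map(({ page, form }) => checkFormTransport(page, form));
}

for (const result of scanSampleForms()) {
  console.log(`${result.target}: ${result.verdict}`);
}
```

The second sample is the one worth remembering: a page that is itself https can still post your card number to an http URL, and the third shows the same problem in the other direction. The last branch of the verdict repeats the page's own caveat, that a padlock proves only that the connection is encrypted, not that the business behind it is legitimate.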