Not all threats online require you to actively download something. Some websites are designed — or have been compromised — to deliver malware to your device simply by visiting them. Understanding how this works can help you stay protected.
How Malware Is Distributed via Websites
Drive-By Downloads
This is the most concerning type. Malicious code on a page exploits browser or plugin vulnerabilities to automatically download and install malware — without any interaction from the visitor. Outdated browsers and plugins are most at risk.
Malicious JavaScript
Attackers can inject malicious JavaScript into compromised websites. This script may:
- Redirect you to a phishing site
- Mine cryptocurrency using your CPU (cryptojacking)
- Record keystrokes to steal passwords (keyloggers)
- Display fake alerts or pop-ups
Fake Software Downloads
A site presents a fake update for Flash, Java or your browser. Clicking the update button actually installs malware.
Malvertising
Even legitimate websites can unknowingly display malicious advertisements. The malware is in the ad network, not the website itself — this is known as malvertising.
Signs That a Website May Be Infected
- Your browser is redirected to an unexpected URL
- Excessive or unexpected pop-ups appear
- Your browser warns you about deceptive content
- The site asks you to install a plugin or update software
- Your antivirus alerts while browsing
How to Protect Yourself
- Keep your browser updated — most drive-by downloads exploit unpatched vulnerabilities.
- Use an ad blocker — reduces exposure to malvertising.
- Install security software — real-time web protection can block malicious sites.
- Disable unnecessary plugins — especially older ones like Flash or Java.
- Check HTTP headers — use our HTTP Header Checker to see if a site has security headers like Content-Security-Policy implemented.