Website Infections: How They Happen

TL;DR

Yes, a website can infect your computer without you actively downloading anything. This happens through vulnerabilities in your browser, plugins (like Flash used to), or operating system. Keeping everything updated is the best defence.

How Websites Can Infect Your Computer

1. Exploiting Browser Vulnerabilities: Web browsers are complex software. They sometimes have security holes (vulnerabilities). Attackers can write malicious code that takes advantage of these holes to run harmful programs on your computer just by visiting a compromised website.
   • What happens? The attacker’s code executes in the browser, potentially installing malware, stealing data, or redirecting you to other dangerous sites.
   • How to protect yourself: Keep your browser updated! Updates often include fixes for these vulnerabilities. Most modern browsers update automatically, but check your settings.
2. Drive-by Downloads: This is where malware downloads and installs without your explicit permission.
   • How it works: A website contains hidden code that attempts to download and run malicious software on your computer when you visit. This often exploits vulnerabilities in plugins or the operating system.
   • Plugins are key: Older versions of plugins like Adobe Flash Player were common targets. Disable or remove outdated plugins. Most browsers have blocked Flash entirely now, which is a good thing!
3. Malicious JavaScript: Websites can use JavaScript to run code on your computer.
   • What happens? Attackers inject malicious JavaScript into websites (often through compromised content management systems like WordPress). This script can attempt to exploit browser vulnerabilities or redirect you to phishing sites.
   • Browser security settings: Most browsers have some level of protection against malicious scripts, but it’s not foolproof. Consider using a browser extension designed to block trackers and malicious scripts (see Step 5).
4. Cross-Site Scripting (XSS): This is a type of vulnerability where attackers inject malicious code into legitimate websites.
   • How it works: If a website doesn’t properly sanitize user input, an attacker can insert JavaScript that will be executed by other users who visit the site.
   • User-facing impact: XSS attacks often steal cookies or redirect you to malicious websites. This is less about infecting your computer directly and more about stealing your identity or account information.
5. Phishing Websites: While not a direct infection, phishing sites trick you into entering your credentials (username/password) which can then be used to access your accounts.
   • How it works: Attackers create fake websites that look identical to legitimate ones. They send emails or messages with links to these fake sites.
   • Spotting phishing: Look for subtle differences in the URL, poor grammar, and requests for sensitive information. Always type the website address directly into your browser instead of clicking a link.

Steps to Protect Yourself

1. Keep Your Software Updated: This is the most important step! Update your operating system, web browsers, and plugins regularly.
   • Windows Updates: Regularly check for and install Windows updates.
   • macOS Updates: Keep macOS updated through System Preferences > Software Update.
   • Browser Updates: Chrome, Firefox, Edge, and Safari all update automatically but check settings to be sure.
2. Use a Reputable Antivirus Program: A good antivirus program can detect and remove malware.
   • Real-time scanning: Make sure your antivirus has real-time scanning enabled.
   • Regular scans: Schedule regular full system scans.
3. Be Careful What You Click: Avoid clicking on suspicious links or downloading files from untrusted sources.
   • Hover before you click: Hover your mouse over a link to see the actual URL it points to. If it looks strange, don’t click it.
4. Use a Firewall: A firewall helps block unauthorized access to your computer.
   • Windows Firewall: Windows has a built-in firewall that is usually enabled by default.
   • Third-party firewalls: Several third-party firewalls are available with more advanced features.
5. Consider Browser Extensions for Security: Extensions like uBlock Origin (blocks ads and trackers) and NoScript (blocks JavaScript by default) can add an extra layer of protection.
   • uBlock Origin: https://ublockorigin.com/
   • NoScript: https://noscript.net/ (advanced users only – can break some websites)