There's a moment you might not notice. The page loads. Maybe a second slower than usual, maybe not even that. You get on with your life.
What you don't know — what nobody told you — is that in that single second of normal, something else was happening entirely. Something uninvited.
That's the thing about this particular kind of attack. You don't have to do anything wrong.
The Architecture of Silence
It starts, usually, with a website you trust. Not always a shady corner of the internet — ordinary websites, well-trafficked ones, have been quietly compromised without their owners knowing. The operators who run those sites have no idea. Their visitors have no idea. The attack lives inside the architecture of the page itself, in pieces of code arriving from advertising networks and third-party servers rather than from the site you actually typed in.
Here's how it works. A web page is not a single thing. It's assembled, in real time, from dozens of sources. When you visit a news site, your browser is simultaneously loading text from the news publisher, images from one server, advertisements from three or four others, tracking software from somewhere else, and a map widget from yet another place. Fifty different pieces, fifty different origins. Most of them are harmless. But one — just one — can be enough.
Hidden inside the normal business of loading a page, a small piece of malicious code runs a silent assessment. What browser are you using? What version? Do you have Flash installed? Java? A PDF reader? Which version of Windows? The whole process takes less time than it takes you to read this sentence. This is the triage — the moment the attack decides whether you are worth pursuing. If your software is outdated in the right way, if a particular flaw exists in a particular plugin or browser component, the attack proceeds.
This is called a drive-by download. You drove past. The attack reached in through an open window.
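As an added illustration of the page assembly described above (example code, not part of the original article), here is a small Node.js function that takes a page's HTML and lists the distinct origins it loads scripts, frames and images from, separating the site the reader typed in from everything that arrived with it; the sample HTML and hostnames are constructed placeholders.

```javascript
// Added example, not code from the original article: inventory the origins a
// page's HTML fetches from, so a site owner can account for every cross-origin
// piece (ads, widgets, images) that runs or renders alongside their own content.
// Runs under Node.js (URL is a global); sample HTML and hostnames are placeholders.

// Tags whose src attribute fetches something that executes or renders in the page.
// (object/embed/link are left out to keep the example short.)
const SRC_TAG = /<(script|iframe|img)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["']/gi;

// Returns { sameOrigin: [...], crossOrigin: [...] }; each entry is { origin, tags }
// where tags lists which element types loaded from that origin.
function inventoryOrigins(html, pageUrl) {
  const page = new URL(pageUrl);
  const seen = new Map();
  for (const [, tag, raw] of html.matchAll(SRC_TAG)) {
    if (/^(data|javascript|blob):/i.test(raw)) continue; // inline, nothing fetched
    let origin;
    try {
      origin = new URL(raw, page).origin; // resolves relative and protocol-relative URLs
    } catch {
      continue; // malformed URL: the browser would not fetch it either
    }
    if (!seen.has(origin)) seen.set(origin, new Set());
    seen.get(origin).add(tag.toLowerCase());
  }
  const entries = [...seen]
    .map(([origin, tags]) => ({ origin, tags: [...tags].sort() }))
    .sort((a, b) => a.origin.localeCompare(b.origin));
  return {
    sameOrigin: entries.filter((e) => e.origin === page.origin),
    crossOrigin: entries.filter((e) => e.origin !== page.origin),
  };
}

// Cross-origin scripts are the pieces that run with the page's full privileges:
// this is the list a site owner should be able to explain line by line.
function crossOriginScriptOrigins(html, pageUrl) {
  return inventoryOrigins(html, pageUrl).crossOrigin
    .filter((e) => e.tags.includes("script"))
    .map((e) => e.origin);
}

// Constructed sample: one first-party script, an image CDN, an ad network
// (two script tags, one protocol-relative), a map widget, and an inline data: image.
const SAMPLE_PAGE = "https://www.example-news.test/story";
const SAMPLE_HTML = `<html><body>
<script src="/static/app.js"></script>
<img src="https://images.example-news.test/hero.jpg">
<script src="//ads.example-adnet.test/tag.js"></script>
<iframe src="https://widgets.example-maps.test/embed?id=1"></iframe>
<script src="https://ads.example-adnet.test/loader.js"></script>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>`;

console.log(JSON.stringify(inventoryOrigins(SAMPLE_HTML, SAMPLE_PAGE), null, 2));
```

Note that the function groups by origin, so a subdomain of the same site (the image CDN above) is reported as cross-origin, which is how the browser treats it as well.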
How the Machinery Was Built
Rewind twenty years. The technique existed in theory but was largely manual — clumsy, time-consuming, requiring real skill to execute. You couldn't just buy it. Then, beginning in the mid-2000s, that changed. Criminal developers — patient, technically gifted, motivated by money rather than politics — began building what they called exploit kits. Off-the-shelf malware delivery platforms. Point them at a vulnerable visitor and watch the infection happen automatically.
Early versions were primitive. They exploited a narrow range of vulnerabilities and required significant maintenance. But each generation improved on the last. By 2010, the industry — and by then, industry is the right word — had matured into something genuinely frightening in its efficiency. Exploit kits of this era could test a visitor's browser against dozens of known vulnerabilities in a fraction of a second, identify the right weapon from an armoury of them, and deliver the payload. Infection rates of thirty to forty per cent. Sometimes higher.
Think about what that number means. Of every hundred people who unknowingly visited a page where one of these kits was waiting, thirty to forty walked away with something on their machine they didn't bring.
The kits ran on a rental model. Criminal developers built the tools, kept them updated — incorporating new vulnerabilities faster than software companies patched them out — and rented access to other criminals who wanted to use them. Some kits were updated weekly. Others could incorporate newly discovered flaws within hours of those flaws becoming publicly known. The whole arrangement operated as cleanly and efficiently as a legitimate software-as-a-service business. Support tickets. Dashboards. Uptime guarantees. It was a business, full stop.
The primary target, for most of this era, was Adobe Flash. It was installed on nearly every computer in the world, ran inside the browser with deep system access, and had more documented security flaws than seemed possible for a single piece of software. Eight of the ten most widely exploited vulnerabilities in 2015 were Flash vulnerabilities. Six of the top ten in 2016, again Flash. Researchers tracked certain Flash flaws showing up in seven different criminal exploit kits simultaneously. Some zero-day Flash vulnerabilities — meaning flaws unknown even to Adobe themselves — were incorporated into criminal tools before Adobe knew they existed.
Java had its era too. Internet Explorer had its era. Each time one attack surface was reduced, the kits adapted to another.
The Advertising Problem
The delivery method that made all of this possible at scale was advertising. The internet runs on advertising, and advertising runs on vast automated networks that funnel ads from buyers to websites without human review of every transaction. Criminals discovered they could buy advertising — posing as legitimate businesses — and have their malicious code served to millions of people across thousands of websites simultaneously. Well-known sites. Sites that people visited without any hesitation. The websites themselves were not compromised; they were unknowingly carrying the payload in their ad slots. There was no way for ordinary people to know.
The scale is difficult to fully absorb. Three million people per day, exposed from a single advertising campaign. For thirty days at a stretch. That is not a targeted attack. That is an epidemic.
Criminals also used a subtler approach: the watering hole. Find a website your specific targets are likely to visit — an industry forum, a government resource page, a site relevant to a particular profession. Compromise that site quietly. Leave the trap there and wait. The people you want will come to you. It requires patience, but patience is cheap.
Both methods share the same core characteristic: the person being attacked did nothing to invite it. They went to a website. That's it.
The Collapse — And What Replaced It
The peak years ran roughly from 2010 through to 2016, and then the ground shifted. Adobe Flash, after years of being the primary vehicle for these attacks, was finally discontinued. Browser developers built sandboxes — isolated environments where web content runs without being able to reach the rest of the system — that made the old techniques dramatically harder to pull off. Automatic updates became standard across most operating systems and browsers.
The traditional exploit kit market collapsed. Estimates based on security industry tracking suggest that this category of attack dropped by more than ninety per cent over roughly three years. The handful of surviving operations shifted to targeting a shrinking pool of extremely outdated systems.
But the technique didn't die. It adapted.
The version that exists today is more social than technical. Instead of silently exploiting a browser vulnerability, attackers now compromise legitimate websites and inject code that pops up a notification telling you your browser needs an update. The notification looks right — correct fonts, correct styling, matching logos from the real browser manufacturer. The download it offers looks like a real browser installer. It isn't. Hundreds of thousands of legitimate websites have been compromised this way, carrying this fake-update trap for months or years without their owners' knowledge. Research published in 2025 identified more than a thousand compromised websites simultaneously funnelling visitors through a single malicious redirect system.
This hybrid approach — using technical website compromise to deliver social manipulation — has proven remarkably durable. In a 2025 analysis covering data from four million monitored computer endpoints, this method ranked as the most commonly detected threat category of the year.
The High End
And then there is the tier above all of this.
State-sponsored intelligence organisations and well-funded criminal groups operating at the margins of government tolerance have never stopped developing browser exploits. They've simply stopped doing it cheaply. Modern exploit chains targeting current mobile browsers — primarily the engines running on iPhones — require chaining together multiple previously unknown vulnerabilities, each one of which might cost hundreds of thousands of dollars to acquire on the private market. Researchers documented one such toolkit in 2025 that used twenty-three separate vulnerabilities strung together across five distinct attack chains. You visit a website. You don't click anything. You leave with a device that someone else can now partially operate.
At this level the attack is functionally invisible. There is nothing to avoid because there is nothing to see. The vulnerability is in the software itself. The only defence is the manufacturer patching it before the attackers deploy it — and the attackers are, not infrequently, faster.
Google's threat research division tracked seventy-five zero-day vulnerabilities actively exploited in 2024, and ninety in 2025. A meaningful portion of these were browser-based. Some were mobile-specific.
What the Damage Looked Like
The financial toll from the decade when drive-by downloads were at their peak is staggering when you try to add it up. Ransomware delivered via these methods generated — in documented figures from a single six-month dataset — revenue exceeding thirty million dollars annually for one criminal operation. Scale that across the broader market and the number climbs past sixty million for that market alone, in a single year. One ransomware family, tracked across an eighteen-month window, had documented victim payments exceeding eighteen million dollars. These figures come from law enforcement assessments and security firm telemetry, not industry guesses. They are floors, not ceilings. They represent only what was confirmed and traceable.
Banking malware delivered through drive-by methods stole more than a hundred million dollars in documented cases before coordinated law enforcement disruptions broke up the responsible networks. One botnet operation, before being shut down, had infected hundreds of thousands of machines and was sending thirty-five million spam messages daily while simultaneously redirecting five hundred thousand web visitors per day to exploit pages.
The broader damage — systems encrypted and lost, businesses shut down permanently, victims who paid quietly and said nothing — will never be fully tallied.
Whether It Can Still Happen
The short answer is yes.
The longer answer involves a distinction between types of risk. If you're using a current browser, on a current operating system, with automatic updates enabled, and you're not clicking on fake update prompts that appear inside web pages — your risk from the traditional, mass-market version of this attack is genuinely low. The attack surface that the old kits relied on has been dramatically reduced. Flash is gone. Java in browsers is gone. Internet Explorer is gone. The remaining active exploit kits are primarily targeting a specific population: people still running legacy software, often in corporate or industrial environments where updates are slow and carefully staged for operational reasons.
Those people are still very much at risk. One exploit kit tracked through 2022 was still running two thousand attacks per day across more than two hundred countries, with a thirty per cent success rate. Against unpatched systems running a browser discontinued in 2022, that kit was achieving infection rates approaching fifty per cent.
For everyone else, the risk has shifted to the social engineering variant. The fake browser update. The malicious ad that looks genuine. These require you to click something, which is different from the old silent drive-by — but they are designed by people who have spent years studying exactly what makes ordinary people click things without thinking.
And then there's the tier above that. If you are the kind of person whom nation-state surveillance operations target, keeping your software updated is necessary but not sufficient. At that level, the attackers are frequently faster than the patches.
What You Can Actually Do
Most readers are not targets of nation-state exploit chains. That is not false comfort — it is statistics. But most readers absolutely can become casualties of the mass-market version of this attack, particularly through the fake-update social engineering variant.
Keep your browser updated. This is not optional, and it is not bureaucratic caution. Browser developers patch vulnerabilities within hours or days of discovering them. Running an outdated browser is functionally the same as leaving a window open in a neighbourhood you know has break-ins.
Use an ad blocker. Law enforcement agencies have publicly recommended this. Malicious ads served through legitimate advertising networks are a primary delivery vector for this category of attack. An ad blocker that never loads the ad cannot be attacked through it.
Never download a browser or system update from a pop-up prompt inside a web page. Legitimate browser updates come through the browser's own update mechanism, not from websites telling you your browser is out of date. That prompt is almost certainly a trap. Close the tab.
On a phone — particularly an iPhone — update when updates are available, and update promptly. The exploit chains documented in 2025 were targeting iOS versions released less than a year prior. The gap between a vulnerability being discovered and being patched is the window during which you are exposed. A smaller gap means smaller risk.
For organisations managing large numbers of computers: the most effective enterprise control against browser-based attacks is a technology called remote browser isolation — all browsing happens in a remote cloud environment, and only a visual image of the result is delivered to the user's device. Malicious code that loads in that environment is destroyed when the session ends. It never reaches the actual machine.
This Isn't Over
The drive-by download had its golden age, and that age is gone. The mass-market, automated, exploit-kit version of this attack has been genuinely degraded by a decade of better software engineering and harder-to-exploit browser architecture. That progress is real. It matters. It has probably prevented millions of infections.
But the underlying idea — that visiting a website can be enough, that your activity online is not and has never been fully safe — that idea is not gone at all. It evolved. It professionalised. It operates now at two distinct levels that almost never intersect: a mass-market social-engineering variant that still needs one click, and a surgical zero-day variant that needs nothing from you at all.
The open window is smaller now.
But it is still a window.
And some people still leave them open.