Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:32 PM
Connect Directly

Mass Drive-By Attack Used Web Widget

Attackers took a different spin on mass infection, and targeted hosting provider Network Solutions Inc.

A widespread Web attack discovered over the weekend that targeted Network Solutions Inc. customers' parked or "under construction" Web domains used a drive-by download attack more stubborn than the popular and more common mass SQL injection attacks.

The attack, which began with an infected widget on NSI's growsmartbusiness.com website for small businesses, led to a mass infection of NSI customers' reserved domains, according to researchers at Armorize who spotted the attack.

NSI has since cleaned up its growsmartbusiness.com site and alerted its domain customers to remove the compromised widget -- which offered tips for small businesses. Just how many NSI customers' domains remain infected is unclear: Researchers at Armorize, which first reported the attack over the weekend, say it infected at the least 500,000 domains, or possibly millions, according to a Yahoo search the researchers conducted.

Network Solutions, however, disputes those numbers. "We have removed the widget from those pages and continue to check and monitor to ensure security. The number of impacted pages that have reported publicly over the weekend are not accurate. We're still investigating the number of web pages affected," NSI posted on its website yesterday. "If you have downloaded the GrowSmartBusiness widget to your website, we recommend you delete that widget and scan your site for malware."

[UPDATE: NSI now says its preliminary analysis shows that less than 120,000 parked Web pages were hit. "No active Network Solutions customer websites were impacted. Additionally, there was also no compromise on our platform," NSI says in a new blog post.]

While the number of infected domains remains up for debate, the method used by the attackers to hit multiple domains was striking. Wayne Huang, co-founder and CTO at Armorize, says the attack method is a new breed of mass infection, or drive-by, attack. "I'm sure we're going to see more of it," he says.

But Neil Daswani, CTO and co-founder of Dasient, says he doesn't consider the attack waged on the NSI domains more sustainable or reliable. "It is very easy to mitigate and may not have as much of a significant impact -- it will only impact users that end up at a parked domain, usually by mistake or mistyping a legitimate domain name," says Daswani, whose firm recently conducted research on the use of widgets.

Dasient analyzed 5,000 websites and found that 75 percent of enterprises use third-party JavaScript widgets -- mostly travel, entertainment, and leisure websites running these apps, followed by publishing firms, high-tech companies, and financial institutions.

"Mass SQL injection against highly used and popular web applications could be more likely to help cybercriminals achieve a more significant malware distribution footprint," Daswani says.

Daswani also says widgets make an attractive attack target because one widget can be used by thousands of sites. "So even if widgets are not extremely vulnerable, an attacker that analyzes the cost/benefit trade-off may see that it is worthwhile to attack even a well-guarded widget because of the benefit they receive in terms of the number of sites they can turn into malware distribution vehicles," he says.

Meanwhile, Armorize's Huang maintains that what sets this attack apart from the more commonly used mass SQL injection is that it's not a one-time infection. "A mass SQL injection is a one-time thing," Huang says. "This one has multiple backdoors all over the system ... the attacker can remove it and you don't know where the backdoor is unless you do a full IR [incident response] process ... It's very hard to clean up your system."

And the attackers went after a domain hosting provider to reach more sites more quickly. "This is a new type of mass infection -- infecting hosting companies," he says. "We saw a lot of Web hosting instances at the beginning of this year. When you compromise a hosting company, you can insert malware into a lot of sites all at once."

Users get infected merely by visiting a site with the infected widget. So far the researchers have seen the attack exploiting vulnerabilities in Internet Explorer. "They visit a page and end up with malware. There's absolutely no click and no user awareness of anything. They visit the page, the [exploit] attacks a vulnerability inside the browser and takes control of the browser," he says.

Then the attacker writes malicious code to the disk and executes it, he says. The researchers found evidence of fully compromised websites by the attack with a Web "shell," basically a control panel the attackers install once they've fully compromised the site.

"This allows you to do anything you'd like to do, insert any content," he says.

Huang and his team also discovered a second piece of malware on NSI's page: a fake instant messaging window that mimics that of an actual Chinese IM service, targeting users with IP addresses in Taiwan and Hong Kong, although a handful or so of U.S. and Chinese visitors also were hit, he says.

The attackers behind the drive-by attack on NSI's domains appear to be out of Asia. The attack ultimately sends users to phishing sites, Huang says. Armorize actually first saw the attack in May, when researchers found it on the Boingboing.com parked domain. "We didn't realize then that the entire NSI parked domain was infected," Huang says.

Armorize's blog posts and demonstrations of the attacks are here.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-24
vm/opcodes.c in JerryScript 2.2.0 allows attackers to hijack the flow of control by controlling a register.
PUBLISHED: 2020-09-24
PrestaShop from version and before version is vulnerable to a blind SQL Injection attack in the Catalog Product edition page with location parameter. The problem is fixed in
PUBLISHED: 2020-09-24
In PrestaShop from version and before version, users are allowed to send compromised files. These attachments allowed people to input malicious JavaScript which triggered an XSS payload. The problem is fixed in version
PUBLISHED: 2020-09-24
ActFax Version 7.10 Build 0335 (2020-05-25) is susceptible to a privilege escalation vulnerability due to insecure folder permissions on %PROGRAMFILES%\ActiveFax\Client\, %PROGRAMFILES%\ActiveFax\Install\ and %PROGRAMFILES%\ActiveFax\Terminal\. The folder permissions allow "Full Control" t...
PUBLISHED: 2020-09-24
Improper directory permissions in the Hotspot Shield VPN client software for Windows 10.3.0 and earlier may allow an authorized user to potentially enable escalation of privilege via local access. The vulnerability allows a local user to corrupt system files: a local user can create a specially craf...