(WEB HOST INDUSTRY REVIEW) — According to a Tech Herald report appearing over the weekend, an attack on a widget offered by hosting company Network Solutions to customers of its hosting and domain parking services led to the distribution of malware by sites displaying the widget, through the compromise of Network Solutions’ own growsmallbusiness.com site, which distributed the widget.
An update to the report posted Sunday says the compromise has since been patched by Network Solutions, at least temporarily, by commenting out the code to prevent it from loading.
The article is based in part on a pair of reports from security firm Armorize, which produces the HackAlert software, (the two reports are here and here).
In the first of the posts, Armorize goes through the process of installing the Small Business Success Index widget on a site it created on Google’s Blogger service, ultimately identifying the widget as having been compromised.
“We verified that the domain growsmallbusiness.com was definitely compromised and injected with a r57shell (webshell), which allowed the attacker easy manipulation of the site,” says the post.
The IFRAME attack inserts a bit of JavaScript into the widget, that ultimately attempts to install malware on the end-user machine.
The Armorize post also points out that the growsmallbusiness.com site has quick-install buttons for easily placing the compromised widget on such services as Facebook, LinkedIn, Twitter and WordPress, along with Blogger.
The extremely detailed second blog post by Armorize (including many screenshots, and a video) shows that the widget could have infected as many as 5 million sites, and demonstrates that a domain registered with Network Solutions (they registered armorizetest.com) immediately began serving the malware from the widget placed on the parked page.
In a comment posted on the TechHerald story, a representative from Network Solutions writes “we have taken the information provided by Wayne Hyang [of Armorize] in his post to investigate and take any necessary precautionary measures . The Google search result may not be an accurate indication and our initial steps may have mitigated the issue already. I have spoken to Wayne and we will continue to work with the community.”
The exploiting of widgets and other scripts at hosting providers has become one of the primary methods through which hackers distribute malware, as illustrated by the widespread WordPress configuration compromise that hit several hosting companies earlier this year. Network Solutions was one of the companies hit hard in that case.
As mentioned in the TechHerald story, the situation with the Small Business Success Index widget, though temporarily patched, may not yet be completely resolved. More information on the situation is likely forthcoming.
About Liam Eagle
Liam Eagle has worked as a contributor to the Web Host Industry Review since its inception in 2000, and as editor since 2003. He has been editor of the WHIR's print magazine since its launch. His daily involvement in the gathering and reporting of Web hosting news and his regular interaction with Web hosting leaders gives him an uncommonly broad appreciation of the issues and tends facing the business. Through his WHIR blog, Liam spots Web hosting trends and offers opinions on the industry-wide impacts of major developments and the motivation behind big announcements. Follow him on Twitter @liameagle
No related posts.
