Late last week, researchers at Santa Clara, Calif.-based security firm Armorize said anywhere from 500,000 to five million parked domains at Network Solutions had been serving malware to visitors due to an infected widget embedded into the pages. However, based on its preliminary analysis of the attack, Network Solutions determined that fewer than 120,000 parked domains were affected, the web hosting provider said in a blog post Tuesday.
All those affected were parked or “under construction” domains, which are sites that have been registered, but do not contain any content.
“No active Network Solutions customer websites were impacted,” the statement from Network Solutions said. “Additionally, there was also no compromise on our platform.”
Moreover, it is likely that only a limited number of internet users were impacted by the malware since the “overwhelming majority” of parked domains do not get any traffic on a daily basis, according to researchers at Dasient, a website malware protection provider.
“Malware injected onto parked domains is unlikely to have the scale and reach of attacks against legitimate websites, such as the Gumblar attack or attacks against widgets used by legitimate websites,” Dasient researchers wrote in a blog post Tuesday.
Still, Wayne Huang, co-founder and CTO of Armorize, told SCMagazineUS.com in an email Wednesday that the attack was a serious issue.
“The widget directed the visitors' browsers to automatically download malicious JavaScript exploits from a malicious website,” Huang said.
Web widgets – which can take the form of banners, search boxes, traffic counters, games, videos, RSS feeds or user polls – represent a serious security risk to websites and their users, according to Jeremiah Grossman, founder and chief technology officer of web application security firm WhiteHat Security.
Websites that use third-party JavaScript web widgets are essentially giving the third party total access to the site, Grossman wrote in a blog post last month. Besides redirecting visitors to malicious websites, web widgets could potentially access or hijack users' accounts, introduce cross-site scripting vulnerabilities, modify the destination of links and form submissions, steal passwords, deface a webpage or force visitors' web browsers to attack other computers.
“Whenever possible, no website should include third-party widgets from locations that they do not trust or are not trustworthy,” Grossman wrote. “Furthermore, websites that require a high level of security assurance should not be using web widgets at all, unless they are prepared to treat the third party as a trusted entity with at least the same level of due care.”
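One way a site owner could act on that advice is to inventory every external script a page loads and compare the hosts against a list of parties it has decided to trust. The sketch below is an added example, not code from the article or from any firm quoted in it; the sample page, the host names and the function names `auditScripts` and `untrustedHosts` are constructed for illustration.

```javascript
// Added example: inventory external <script> sources on a page.
// The regex scan is a simplification; a real audit should use an HTML parser
// and also watch for scripts that widgets inject at runtime.

// Constructed sample of a parked page embedding a syndicated widget.
const SAMPLE_HTML = `
<html><head>
<script src="/js/site.js"></script>
<script type="text/javascript" src="//widgets.example.net/embed/index.js"></script>
<script src='http://cdn.partner.example/poll.js'></script>
<script>var inline = 1;</script>
</head><body>Under construction</body></html>`;

function auditScripts(html, pageUrl, trustedHosts) {
  const page = new URL(pageUrl);
  const trusted = new Set(trustedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const m = srcRe.exec(tag[1]);
    if (!m) continue; // inline script, no external source
    const raw = m[1] ?? m[2] ?? m[3];
    let url;
    try {
      url = new URL(raw, page); // resolves relative and protocol-relative URLs
    } catch {
      findings.push({ src: raw, host: null, status: "unparseable" });
      continue;
    }
    let status;
    if (url.host === page.host) status = "first-party";
    else if (trusted.has(url.host.toLowerCase())) status = "trusted-third-party";
    else status = "untrusted-third-party";
    findings.push({ src: url.href, host: url.host, status, insecure: url.protocol === "http:" });
  }
  return findings;
}

// Distinct hosts that serve script to the page without being on the trust list.
function untrustedHosts(findings) {
  return [...new Set(findings.filter((f) => f.status === "untrusted-third-party").map((f) => f.host))];
}

const report = auditScripts(SAMPLE_HTML, "https://parked.example/", ["widgets.example.net"]);
console.log(report);
```

A host on the trust list still runs with full access to the page, so the list records a decision to extend trust rather than a guarantee of safety.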
The infected Network Solutions widget, called Small Business Success Index, was intended to provide small business tips about sites that were under construction. It was available on Network Solutions' small business blog, GrowSmartBusiness.com, or could have been installed via a script offered by Widgetbox, a widget syndication site. Network Solutions' security team removed the widget link over the weekend from both the GrowSmartBusiness.com blog and the impacted pages.
“I think what's important here is that [Network Solutions] reacted very quickly,” Armorize's Huang said.
Meanwhile, web hosting companies have been heavily targeted since the beginning of the year, Huang said. Once compromised, hosting companies are used as a means to spread massive amounts of malware.
“Throughout this year, the shared web hosting industry has been facing increasing attacks from perpetrators of malware,” Network Solutions said in its blog post on Tuesday. “We are continually working to defend against these and similar types of attacks.”