Attack of the Killer Widgets?

Widgets are cool tools embedded in sites for fun, content or tracking by millions of legitimate websites. That's why attackers are infecting popular widgets with malware. Last week, at the Black Hat DC security conference, Neil Daswani explained how widgets can be used for evil intent and infection.

Daswani is the CTO and co-founder of security firm Dasient, which has warned of widget-based malware in the past, such as at Black Hat USA 2010. At Black Hat DC, Daswani presented Malware Distribution via Widgetization of the Web [PDF]. His research showed that every 1.3 seconds, a new site gets infected by malware. Web-based malware and scareware via widgets can be passed on to users by "drive-by-downloads," in which the user doesn't do anything more than visit an infected site; by "social engineering malware," in which a user is convinced to click a link or button; or by "dangerous download," as when cyberthugs used scareware "malicious site" warnings to convince unsuspecting surfers to download rogue anti-virus.

Widgets come in many forms and can be built on third-party APIs like Facebook or Google. Daswani believes that "100% of widgets are at risk from being infected with malware," reported eSecurity Planet. But he said the more popular the widget, the more attractive for an attacker to infect it. Some sites may only use one or a few widgets, while other sites may use dozens. Dark Reading reported that Daswani told Black Hat DC attendees, "A site such as the New York Times may use as many as 80 or 100 at a time."

A website may be clean, but enter the dreaded Third Party, which can be dependable one minute and attacked and infected the next. Websites might become infected via third-party widgets, third-party malicious advertisements (known as malvertising), or third-party software applications. Some of the most popular widgets are used for audience measurement, like Google Analytics and Quantcast, or for advertising, like Doubleclick. According to InternetNews, Daswani said, "Ad widgets when compromised, can be used to spread mass malware infections across the most highly trafficked websites on the Internet."

Dasient conducted passive malware risk assessments of Fortune 500 websites and discovered that 75% of those sites used some third-party JavaScript widgets. Some were used for analytics, sharing or mashing up content, or embedded videos. 42% used third-party ad-related resources. A whopping 91% of websites studied had some outdated software that was being used as a third-party application to power the sites.
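As an added example, not Dasient's tool and not code from the original article, here is a small Python inventory script in the spirit of the passive assessment described above: it parses a page's HTML and counts every third-party host from which scripts are loaded, so a site owner can see which widget and ad servers sit in the page's trust chain and need monitoring. The sample page, its URL and the hostnames in it are constructed, and first-party versus third-party is judged by a naive last-two-labels domain comparison.

```python
"""Inventory third-party script hosts embedded in a page (constructed example)."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser already lowercases tag and attr names
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def _site(host):
    # Naive "registrable domain": last two labels. No public-suffix list,
    # so hosts under e.g. co.uk would be mis-grouped; fine for a sketch.
    return ".".join(host.lower().split(".")[-2:])


def third_party_script_hosts(html, page_url):
    """Return a Counter of third-party hosts that serve <script src=...> on the page."""
    own_site = _site(urlparse(page_url).hostname or "")
    collector = _ScriptCollector()
    collector.feed(html)
    hosts = Counter()
    for src in collector.srcs:
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname
        if not host:                      # relative path: served first-party
            continue
        if _site(host) == own_site:       # same site (or a subdomain of it)
            continue
        hosts[host.lower()] += 1
    return hosts


# Constructed sample page: three first-party scripts, four third-party ones.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://www.example.com/site.js"></script>
<script src="//static.example.com/bundle.js"></script>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="https://edge.quantserve.com/quant.js"></script>
</head><body>
<div id="ad"><script src="https://ad.doubleclick.net/adj/top"></script></div>
<script src="https://ad.doubleclick.net/adj/side"></script>
<script>var inline = 1;</script>
</body></html>"""

if __name__ == "__main__":
    for host, n in third_party_script_hosts(SAMPLE_HTML, "https://www.example.com/news").most_common():
        print(f"{n:3d}  {host}")
```

Each host listed is a server whose compromise would let an attacker inject script into this page, which is exactly the intermediary channel Daswani describes.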

Last year, about five million sites hosted by Network Solutions dished out malware for months via the embedded "Small Business Success Index" widget. There were mass infections and malware injections at Media Temple, TechCrunch Europe was hacked to spread malware, and the list goes on and on. The impact of a website passing malware can include being partially or fully blacklisted by search engines -- meaning loss of traffic and revenue; users badmouthing your brand via social media, which can quickly earn an otherwise good website a bad reputation with customers; and even liability issues like data theft.

Website owners need to constantly monitor for malware and malvertising. Daswani said, "If any of these third-party servers are either compromised or even just host a few malicious resources, the widgets can be used as an intermediary channel to deliver malware to users viewing the pages," eSecurity Planet reported. "End-users can protect themselves by making sure they use a good browser with solid anti-malware protections, such as Google's Chrome," Daswani advised.
