Almost half of top websites present a risk to visitors, says report

Menlo Security report finds 46 per cent of top sites run outdated software, host malware or have been attacked

A study of the most popular sites on the web by security vendor Menlo Security has found that 46 per cent have vulnerabilities such as outdated software, known susceptibility to phishing attacks, or a history of compromise in the last 12 months.

Menlo's research report covers the top one million sites on the Alexa web analytics website. Using a distributed Chrome-based browser farm to load the homepage of each site and activate any code present in the page, the researchers found that one in five run outdated software with known vulnerabilities. This information was combined with threat intelligence feeds to identify sites categorised as "known bad", i.e. used for phishing and hosting malware, and those that have been attacked within the last 12 months.

The largest category was vulnerable software. Menlo Security found that more than 69,000 of the top million Alexa sites were running nginx 1.8.0, from 2015, on the home page, which can allow a criminal to run a denial of service attack. Next up was Microsoft IIS 7.5, dating back to 2009, which has a whole plethora of vulnerabilities that could allow an attacker to execute code, launch a denial of service attack, exfiltrate data and corrupt memory.

Out-of-date versions of PHP and Apache web server made up most of the rest of the vulnerabilities.
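The report identifies outdated server software from what each homepage advertises about itself. The checker below is an added example, not Menlo's tooling: it reads the `Server` and `X-Powered-By` headers a probe would record and flags products below a baseline version. The nginx 1.8.0 and IIS 7.5 floors come from the versions the report names; the PHP and Apache floors and the sample headers are constructed assumptions.

```python
import re

# Baselines are assumptions for this example: anything older is flagged.
# nginx 1.8.0 and IIS 7.5 are the versions the report calls outdated;
# the PHP and Apache floors are placeholders, not values from the report.
BASELINES = {
    "nginx": (1, 8, 1),
    "microsoft-iis": (8, 0),
    "apache": (2, 4, 0),
    "php": (7, 0, 0),
}

# Matches "product/version" tokens such as "nginx/1.8.0" or "PHP/5.6.40"
_PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/([\d.]+)")

def parse_version(text: str) -> tuple:
    """'1.8.0' -> (1, 8, 0); non-numeric parts are dropped."""
    return tuple(int(p) for p in text.strip(".").split(".") if p.isdigit())

def products_in_headers(headers: dict) -> dict:
    """Collect product -> version tuple from Server and X-Powered-By."""
    found = {}
    for name in ("Server", "X-Powered-By"):
        for product, version in _PRODUCT_RE.findall(headers.get(name, "")):
            found[product.lower()] = parse_version(version)
    return found

def outdated_products(headers: dict) -> list:
    """Return [(product, version_str)] for products below their baseline.
    A product that hides its version yields no evidence and is not flagged."""
    flagged = []
    for product, version in products_in_headers(headers).items():
        baseline = BASELINES.get(product)
        if baseline is None or not version:
            continue
        # Zero-pad so (7, 5) compares against (8, 0) component by component
        width = max(len(version), len(baseline))
        v = version + (0,) * (width - len(version))
        b = baseline + (0,) * (width - len(baseline))
        if v < b:
            flagged.append((product, ".".join(map(str, version))))
    return flagged

# Constructed sample headers, as a homepage probe might record them
SAMPLE_HEADERS = [
    {"Server": "nginx/1.8.0"},
    {"Server": "Microsoft-IIS/7.5", "X-Powered-By": "PHP/5.6.40"},
    {"Server": "Apache/2.4.57 (Debian)"},
    {"Server": "nginx"},  # version hidden: nothing to judge
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", outdated_products(h))
```

Banner headers are self-reported and easily suppressed, so an empty result means no evidence, not a clean host.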

The "known bad" category contains sites known to host malware or phishing exploits. Interestingly, this category was not completely dominated by gambling and porn sites, as might be expected; many business, news and travel sites were also included, with the largest band comprising "uncategorised" websites, i.e. sites that fall outside the attention of the URL categorisation services. For businesses seeking to whitelist safe websites this creates a problem, notes the report. Administrators are likely to be inundated by requests from these uncategorised sites asking for a re-categorisation so that they are not blocked.

The smallest category of vulnerable sites contains those with a known threat history in the last 12 months. Of these, business sites and personal blogs are among the most numerous, indicating once again that avoiding the types of websites one might expect to be risky is no solution.

However, while almost half of the top sites are vulnerable, that doesn't mean that a visitor is inevitably going to be infected. What it does mean is that there are currently far more vulnerable sites than there are criminals able to exploit them. In addition, criminals tend to change their targets frequently in order to avoid detection. That said, there is no cause for complacency, says the report.

"What is important to understand, however, is given the current state of the web, villains have their veritable pick of half the web to exploit," it notes.

"Exploitation is becoming more widespread and effective for three reasons: 1) risky sites have never been easier to exploit; 2) traditional security products fail to provide adequate protection; 3) phishing attacks can now utilise legitimate sites."

The report recommends that IT administrators implement new security techniques such as isolation and remote browsing and that website owners should ensure they are running the latest version of software and use only trusted local resource files.

For end users it concludes with the well-known but often ignored advice to disable Flash, look closely at the URL before clicking a link, and be wary of PDF and Word attachments and of apps and extensions from unknown sources.