The Web is a more dangerous place than most people may think. With more than one billion websites now living on the lnternet and over 100,000 websites created daily, the risk from vulnerable sites is multiplying. In fact, one-third of the most-trafficked websites are risky, new research has revealed.
Menlo Security found in its State of the Web 2015 vulnerability report that more than one in three of the top domains are risky—meaning the sites are either already compromised or running vulnerable software—increasing exposure to attack for anyone visiting them.
The firm performed a direct interrogation and analysis of the Alexa top one million sites (and more than 1.75 million URLs representing over 750,000 unique domains), and discovered a raft of common issues. More than one in 20 sites (6%) were identified by third-party domain classification services as serving malware, spam or botnets. And more than one in five (21%) sites were running software with known vulnerabilities.
"Respected and trusted websites like Forbes.com and jamieoliver.com have been used to deliver zero-day malware to unsuspecting visitors," said Kowsik Guruswamy, CTO of Menlo Security. “These kinds of attacks are happening with increasing frequency because so many sites are running vulnerable software but are routinely classified as 'safe.’ The current generation of security tools is falling behind in the race to stop attacks. Today's security challenges call for an entirely new approach to preventing malware from infecting users' systems."
Also, sites in categories that are typically “trusted”—including computers and technology, business and shopping—were the top three sources of vulnerable sites.
Of the 2.5% of sites that were uncategorized, a significant proportion (16%) was running vulnerable software.
“Organizations expect their security teams to keep their data and systems safe while also providing employees with access to the web,” the company said. “A major factor compounding the security practitioner’s challenge is the fact that other companies’ websites, which they don’t control, constitute a major source of threats.”