With March Madness in full swing and the Sweet Sixteen kicking off, there’s some bad news for basketball fans: most of the Top 10 US sport sites have been found to have vulnerabilities, and are serving active code from risky background sites.
Menlo Security examined them to see whether they were running vulnerable versions of web-software code, leaving sports fans susceptible to phishing attacks and malware. All 10 sites were running vulnerable versions of web-software code at the time of testing; and Microsoft-IIS/8.5 was the most prominent vulnerable version reported with known software vulnerabilities.
Also, 60% (6 websites) of the top sites were found to be serving active code from background sites flagged for phishing and other frauds.
What's not obvious to an end user is that a visit to a website almost always also results in the browser loading active content from many other sources. This is to facilitate tracking from CDNs and ad-networks, mostly. But the problem is that the website owner has little to no control over the security posture of these background sites.
Menlo found that by visiting the sports sites, the browser loaded active code from 152 unique background domains. These sites include Yahoo! Sports, ESPN, BleacherReport, CBS Sports, Sports Illustrated, NBC Sports, SB Nation, Fox Sports, Rant Sports and DeadSpin.
“These sites are the most visited around this time with sports fans checking out their bracket to see if their favorite team is advancing to the next stage,” said Kowsik Guruswamy, CTO of Menlo Security, in a blog. “The real question is, can these sites be a prime target for malware and ransomware?”
Guruswamy took a look at where the code came from, how much of it is there and what systems deliver this content. “Knowing these data points should give us insights into which sites are using a lot of scripting, and those that don't,” he said. “More scripts from more sources equate to a higher risk.”
Unfortunately, the top website (Yahoo! Sports, estimated to have 125 million unique visitors per month, according to Alexa rankings) executed 513 scripts from 55 different background domains.
On average, when visiting a top 10 sports site in US, a browser will execute 245 scripts; all top 10 sports sites executed more than 50 scripts.
“There are many legitimate reasons why developers use scripts to enhance the user experience of a website today, but similarly attackers can use scripting capabilities for iframe redirects and malvertising links to compromise browsers,” Guruswammy said. “The main takeaways show that going to any popular website is now associated with some risk, as we see play out in numerous media stories every week.”
He added, “If you knew an employee going to a top 10 sports website in the US exposes their browser to more than 513 scripts, would it make you think twice?”
The problem is not just confined to sports sites of course—though the basketball tournament offers a great opportunity for watering hole attacks at the moment. Last year, Menlo issued a report that found that more than one in three of the top web domains are risky; and one in five of the most trusted sites are vulnerable. And that’s even more reason for surfers to be cautious.
“We've seen a number of breaches in the recent past where a background site was breached and a visit to one of the ranked sites resulted in a malware drop,” Guruswamy said.
Photo © GongTo/Shutterstock.com