Report: Four in 10 Top Websites Are Dangerous

• By Dian Schaffhauser
• 02/21/18

Four in 10 of the top websites pose dangers to visitors. According to cybersecurity vendor Menlo Security, out of the top 100,000 websites as ranked by Alexa, 42 percent are "risky." A risky website is any site that fits one of these criteria:

• Either the homepage or an associated background site is running vulnerable software;
• It's known to distribute malware or launch attacks; or
• It has already suffered a security breach in the past 12 months.

The use of background services is especially troubling, according to Menlo, which published its findings in a "State of the Web 2017" report.

While the security industry puts a lot of attention on the behavior of website visitors, the report noted, "much of the damage wrought by cybercriminals happens behind the scenes, as websites connect with so-called 'background sites.'" Menlo's researchers found that websites rely on an average of 25 other background sites to produce content, such as displaying a video from a media server or serving an ad from an advertising network. Many antivirus and web-filtering programs focus on the primary domain while ignoring the calls to those background sites, the report stated.

Although the report didn't list problematic websites, it did categorize them by type of content. For example, 49 percent of news and media sites "satisfied" at least one of three criteria of riskiness, as did 45 percent of entertainment and arts sites and 40 percent of personal sites and blogs.

While the adult and pornography category had the highest number of risky sites, business and economy sites led the way in the "trusted" category.

Another source of problems is the reliance on "aging software technology," programs that have been around long enough to be "repeatedly compromised" through the years, Menlo researchers asserted. For example, 32,000 sites that were part of the study used Microsoft IIS 7.5, a version released with Windows 7 and Windows Server 2008 R2. Here, business and economy sites led the way, with 51,045 websites relying on software classified as "vulnerable." Also, 9,452 websites for educational institutions made the list of vulnerable sites.

The Menlo report highlighted the problem of websites being identified as unsafe by web security firms, only to transition to a trusted category temporarily and then back again. One unnamed security company, for example, assigned a website to a "Phishing and Other Frauds" category and then briefly reassigned it to a "benign-sounding" category for a couple of days, before yanking it back to the untrusted side.

Menlo advised website owners to run the latest software for their websites and to try programs such as "content-security-policy," to minimize access to malware through background sites. It also encouraged users to "download software updates religiously," stay away from Adobe Flash and use the Chrome browser "when possible." A final bit of advice was to use isolation techniques for web surfing, such as moving the execution of web content to the cloud, preventing malicious code from reaching the user's device.

The report is available on the Menlo Security site (registration required).