42% of the top 100,000 sites on the web, as ranked by Alexa, are either running software that leaves them vulnerable to attack or have already been compromised in some way, according to a study by Menlo Security, which shows that many of the supposedly safest neighbourhoods of the web are in fact risky places to visit.
The State of the Web Report also noted one rarely discussed problem: the average website connects to 25 background sites for content such as video clips and online ads. Most enterprise security administrators have no tools in place to monitor these connections, leaving them exposed to backdoor attacks. Efforts to sort sites into ‘good’ and ‘bad’ categories are largely ineffectual. The ‘Business and Economy’ category, for example, contained more ‘known bad’ sites that had been used to launch attacks or distribute malicious code than ‘Gambling.’ Email attackers are also using trusted hosting services to set up phishing sites, giving them safe-looking URLs. The results underscore Menlo’s belief that in a world where no detection-based security technology is foolproof, it is time for a new approach.
“This report confirms what most CISOs already know: that a false sense of security is a dangerous thing when using the web,” says Amir Ben-Efraim, CEO of Menlo Security. “Despite website operators’ best efforts, cyber criminals can now exploit widespread vulnerabilities to compromise even the most trusted brands on the web.”
The report highlights the futility of using the categorisation services provided by many security vendors as a proxy for safety. For example, 49% of ‘News and Media’ sites met Menlo’s criteria for ‘risky,’ as did 39% of ‘Business and Economy’ sites and 38% of ‘Shopping’ sites. Phishing and typosquatting also regularly occur on sites in widely trusted categories.