Nearly half of all sites are a security risk

Thursday, December 15, 2016. Read time: 2 min.

New research suggests that almost half of the top million sites on the internet are insecure, giving you a 50/50 chance of hitting one when browsing.


Nearly half the most popular sites on the internet are highly likely to compromise your security, according to new research, and there are some unexpected twists too.


The headline figure is that 46 per cent of the top million sites (culled from Alexa rankings) are running vulnerable software, are known phishing sites, or have had a security breach in the past twelve months. This is a significant increase on the 2015 study, which found that one in three of the top sites was risky and one in five were running outdated software.

The most popular unpatched software is broken down here, supporting the recurring finding that many compromises come from exploiting already-known vulnerabilities:

[Chart: the most popular unpatched software found on the top million sites]

The plot thickens when we look at the breakdown by type of site: the top two categories are the unhelpful ‘unclassified’ and the entirely unsurprising ‘adult and pornography’, but the third is ‘business and economy’.

[Chart: breakdown of risky sites by site category]

The top three riskiest categories are News & Media, where 50 per cent of sites satisfy at least one of the three criteria, followed by Entertainment & Arts at 49 per cent, and Travel at 43 per cent. The least risky category of the top 10, Computer & Internet Info, still comes in at a massive 37 per cent.

Part of the reason for the poorer results year on year is the ever-increasing demand for a richer, more interactive online experience, which has led most popular sites to integrate active content from other domains beyond the immediate control of their administrators (so-called background sites). In fact, unintentional background requests for additional content outnumber the intentional requests made by actual human users by 25 to one.

“Although this approach does provide the rich interactive experience we expect, it also provides unseen security risks. There is no such thing as a safe website. The web has become a cesspool of sorts,” said the damning report.

Testing a few top sites with High-Tech Bridge’s free web server security test (htbridge.com/websec/) as well as its phishing test (htbridge.com/radar) produced interesting results. Several ‘trusted’ media brands got an ‘F’ rating for web server security, including bbc.co.uk, cnn.com and guardian.com, as you can see in this example:

[Screenshot: web server security test result showing an ‘F’ rating for a major media site]

On the phishing front, although the randomly selected trusted domain ‘Cnn.com’ has no active phishing sites, there is a host of similar domains registered across the globe. Meanwhile, a similar test on ‘Verisign.com’ produced this list of typo-squatted domains, which are clearly not entirely legitimate:

[Screenshot: typo-squatted domains returned by the phishing test for Verisign.com]
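The kind of check behind such a typo-squat list can be reproduced on the defender's side: take your own brand domain, feed in domains observed in a registration or certificate-transparency feed, and flag the look-alikes. This is an added example, not High-Tech Bridge's code; the observed domain list is constructed for illustration, and the domain splitting assumes simple `label.tld` names.

```python
import re

BRAND = "verisign.com"
# Constructed sample: domains seen in a (hypothetical) new-registration feed.
OBSERVED = ["verisign.com", "verisgin.com", "verisign.co", "veri5ign.com",
            "vverisign.com", "verisign-login.com", "example.org"]
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}  # look-alike characters

def normalize(label):
    """Map look-alike characters back to their plain form."""
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label

def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute or swap
    adjacent characters, each costing 1 (a swap is the classic typo)."""
    d = [[i + j if not (i and j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_reason(candidate, brand):
    """Return why `candidate` resembles `brand`, or None if it does not.
    Assumes simple 'label.tld' names (no 'co.uk'-style public suffixes)."""
    c_label, _, c_tld = candidate.lower().rstrip(".").rpartition(".")
    b_label, _, b_tld = brand.lower().rstrip(".").rpartition(".")
    if (c_label, c_tld) == (b_label, b_tld):
        return None  # the brand's own domain
    if c_label == b_label:
        return "same label, different TLD"
    if normalize(c_label) == b_label:
        return "homoglyph substitution"
    if edit_distance(c_label, b_label) == 1:
        return "one edit from brand label"
    if re.fullmatch(rf"(.+-)?{re.escape(b_label)}(-.+)?", c_label):
        return "brand label combined with extra words"
    return None

def classify(observed, brand):
    """Keep only the observed domains that look like `brand`, with the reason."""
    hits = {}
    for domain in observed:
        reason = lookalike_reason(domain, brand)
        if reason:
            hits[domain] = reason
    return hits
```

Feeding real feeds through `classify` gives a watch list to check for live web or mail servers; the table of reasons is what makes triage of that list quick.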

The report is particularly scathing about traditional security solutions’ ability to combat the problem, stating: “They attempt to prevent attacks by distinguishing between “good” and “bad” elements, and then implement policies intended to allow “good” content and block the “bad.” In every case, the detection is never perfect, and thus the policy choice involves a level of risk that the wrong decision is being made. No technology makes the right “good” vs. “bad” decision 100% of the time, and this leads to mistakes that can be very costly.”

So what’s the takeaway here? Maybe take a leaf out of the Singaporean government’s book and ban web browsing altogether? “What is important to understand is [that], given the current state of the web, villains have their veritable pick of half the web to exploit. And exploitation is becoming more widespread and effective because risky sites have never been easier to exploit, traditional security products fail to provide adequate protection, and phishing attacks can now utilize legitimate sites.”

Ilia Kolochenko, High-Tech Bridge CEO, agreed: "Phishing itself is not very dangerous for corporate users. However, when paired with drive-by-download attacks and sophisticated malware (exploit-pack) phishing can get the attackers inside almost any corporate network.

It's not surprising that phishing is constantly growing, as it does not require any advanced technical skills to launch and can bring easy money to cybercriminals pretty quickly.

A very dangerous and emerging trend is the combination of phishing and ransomware - many users will not have a choice but to pay a ransom."


Mark Mayne has covered the security industry for more than 15 years, editing news for SC Magazine and editing SecurityVibes UK. Mark has a background in national news journalism and tech reporting, and has run b2b and b2c editorial sites.
