Nearly half of all sites are a security risk
New research suggests that almost half of the top million sites on the internet are insecure, giving you a 50/50 chance of hitting one when browsing.
Nearly half the most popular sites on the internet are highly likely to compromise your security, according to new research, and there are some unexpected twists too.
The headline figure is that 46 per cent of the top million sites (culled from Alexa rankings) are running vulnerable software, are known phishing sites, or have had a security breach in the past twelve months. This is a significant increase on the 2015 figures, which found that one in three of the top sites was risky and one in five was running outdated software.
The most popular unpatched software is broken down here, supporting the regular theme that many compromises are due to exploiting known vulnerabilities:
The plot thickens when we look at the breakdown of the type of sites involved - the top two categories are the unhelpful ‘unclassified’ and the entirely unsurprising ‘adult and pornography’ - but the third is ‘business and economy’.
The top three riskiest categories are News & Media, where 50 per cent of sites satisfy at least one of the three criteria, followed by Entertainment & Arts at 49 per cent, and Travel at 43 per cent. The least risky category of the top 10, Computer & Internet Info, still comes in at a massive 37 per cent.
Part of the reason for the poor results year-on-year is the ever-increasing demand for a richer, more interactive online experience, which has led to most popular sites integrating active content from other domains beyond the immediate control of their administrators - background sites. In fact, unintentional, background requests for additional content outnumber intentional requests by actual human users by 25 to one.
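The "background sites" problem above is easiest to see by inventorying what a single page load actually fetches. The following is an added example, not code from the report or from High-Tech Bridge: it takes a constructed list of request URLs (the kind a browser's network log or a HAR export would give you), splits them into first-party and third-party by an approximate registrable domain, reports the background-to-page ratio, flags any plain-HTTP fetches, and lists the hosts that delivered JavaScript as a starting point for a Content-Security-Policy `script-src` allowlist. The page URL, request list, and the tiny public-suffix table are all assumed values.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the URL the user typed, plus every request the browser
# issued while rendering it (assumed values, not data from the report).
PAGE_URL = "https://www.example-news.test/story/123"
OBSERVED_REQUESTS = [
    "https://www.example-news.test/story/123",
    "https://static.example-news.test/css/site.css",
    "https://static.example-news.test/js/app.js",
    "https://cdn.adnetwork-one.test/tag.js",
    "https://cdn.adnetwork-one.test/pixel.gif",
    "https://tracker.analytics-two.test/collect",
    "https://widgets.social-three.test/embed.js",
    "https://fonts.fontcdn-four.test/font.woff2",
    "http://legacy.adnetwork-one.test/sync",
]

# Small, assumed set of public suffixes that span two labels; a real deployment
# would consult the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1: 'news.bbc.co.uk' -> 'bbc.co.uk', 'a.b.example.test' -> 'example.test'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def third_party_inventory(page_url: str, requests: list[str]) -> dict:
    """Classify each request as first- or third-party relative to the page's site."""
    site = registrable_domain(urlsplit(page_url).hostname or "")
    first_party = 0
    third_party: Counter[str] = Counter()
    insecure = []
    for url in requests:
        parts = urlsplit(url)
        domain = registrable_domain(parts.hostname or "")
        if domain == site:
            first_party += 1
        else:
            third_party[domain] += 1
        if parts.scheme == "http":  # mixed content: fetched without TLS
            insecure.append(url)
    total_third = sum(third_party.values())
    return {
        "site": site,
        "first_party_requests": first_party,
        "third_party_requests": total_third,
        # how many background fetches happen per first-party fetch
        "background_ratio": total_third / first_party if first_party else float("inf"),
        "third_party_domains": dict(third_party),
        "insecure_requests": insecure,
    }


def script_sources(requests: list[str]) -> list[str]:
    """Hosts that delivered JavaScript: the candidates for a CSP script-src allowlist."""
    return sorted({urlsplit(u).hostname for u in requests if urlsplit(u).path.endswith(".js")})


if __name__ == "__main__":
    report = third_party_inventory(PAGE_URL, OBSERVED_REQUESTS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("script hosts:", script_sources(OBSERVED_REQUESTS))
```

Every third-party domain in the output is code or content the site's administrators do not control; the `script_sources` list is the set that can run code in the visitor's browser, and any host in it that is not on a reviewed allowlist is the place to start.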
“Although this approach does provide the rich interactive experience we expect, it also provides unseen security risks. There is no such thing as a safe website. The web has become a cesspool of sorts”, said the damning report.
Testing a few top sites with High-Tech Bridge’s free web server security test htbridge.com/websec/ as well as phishing test htbridge.com/radar produced interesting results. Several ‘trusted’ media brands got an ‘F’ rating for webserver security, including bbc.co.uk, cnn.com, guardian.com, as you can see in this example:
On the phishing front, although the randomly-selected trusted domain ‘Cnn.com’ has no active phishing sites, there are a host of similar domains registered across the globe. Meanwhile a similar test on ‘Verisign.com’ produced this list of typo-squatted domains, which are clearly not entirely legitimate.
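The typo-squatted domain lists mentioned above are what a brand-monitoring check produces. As an added example (not the htbridge.com/radar service, and not code from the report), the block below generates the common lookalike forms of a constructed brand domain (dropped, doubled, transposed and look-alike characters, inserted hyphens, alternative TLDs), then screens a constructed list of hostnames, of the kind pulled from DNS or proxy logs, and reports which technique each hit matches. The brand name, the watched TLDs, the homoglyph table and the observed hostnames are all assumed values; the registrable-domain reduction is a deliberate simplification that ignores multi-label suffixes such as co.uk.

```python
# Constructed brand domain and the TLDs a defender also watches (assumed values).
BRAND = "acmebank.test"
WATCHED_TLDS = ["test", "com", "net"]

# Characters that read alike in many fonts (assumed, deliberately small table).
HOMOGLYPHS = {
    "a": ["4"], "b": ["d"], "c": ["k"], "e": ["3"], "i": ["1", "l"],
    "l": ["1", "i"], "m": ["rn"], "o": ["0"], "rn": ["m"], "w": ["vv"],
}


def lookalike_variants(domain: str) -> dict[str, str]:
    """Return {variant_domain: technique} for every generated lookalike of `domain`."""
    label, tld = domain.rsplit(".", 1)
    variants: dict[str, str] = {}

    def add(new_label: str, technique: str, new_tld: str = tld) -> None:
        candidate = f"{new_label}.{new_tld}"
        if candidate != domain:
            variants.setdefault(candidate, technique)  # first technique wins

    for i in range(len(label)):
        add(label[:i] + label[i + 1:], "omission")
        add(label[:i] + label[i] + label[i:], "repetition")
        if i + 1 < len(label):
            add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
            add(label[:i + 1] + "-" + label[i + 1:], "hyphenation")
    for source, replacements in HOMOGLYPHS.items():
        start = 0
        while (pos := label.find(source, start)) != -1:
            for repl in replacements:
                add(label[:pos] + repl + label[pos + len(source):], "homoglyph")
            start = pos + 1
    for other_tld in WATCHED_TLDS:
        if other_tld != tld:
            add(label, "tld-swap", other_tld)
    return variants


def screen(observed_hosts: list[str], brand: str = BRAND) -> list[tuple[str, str]]:
    """Flag observed hostnames that resolve to a lookalike of `brand`, with the technique."""
    variants = lookalike_variants(brand)
    brand_label = brand.rsplit(".", 1)[0]
    hits = []
    for host in observed_hosts:
        host = host.lower().rstrip(".")
        registrable = ".".join(host.split(".")[-2:])  # simplified eTLD+1
        if registrable == brand:
            continue  # the brand itself or one of its own subdomains
        label = registrable.rsplit(".", 1)[0]
        if registrable in variants:
            hits.append((host, variants[registrable]))
        elif brand_label in label:
            hits.append((host, "brand-affix"))  # e.g. acmebank-secure.test
    return hits


# Constructed hostnames, as they might appear in a DNS or proxy log (assumed values).
OBSERVED_HOSTS = [
    "acmebank.test",
    "login.acmebank.test",
    "acmebank-secure.test",
    "acrnebank.test",
    "acmebnak.test",
    "www.acme-bank.test",
    "acmebank.com",
    "acmeban.test",
    "weather.test",
    "bank.test",
]

if __name__ == "__main__":
    for host, technique in screen(OBSERVED_HOSTS):
        print(f"{host:24s} {technique}")
```

In practice the variant set is generated once per brand and the screen runs over new registrations or newly seen DNS names; a hit is a lead for investigation (who registered it, does it serve a login page), not proof of malice on its own.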
The report is particularly scathing about traditional security solutions’ ability to combat the problem, stating: “They attempt to prevent attacks by distinguishing between “good” and “bad” elements, and then implement policies intended to allow “good” content and block the “bad.” In every case, the detection is never perfect, and thus the policy choice involves a level of risk that the wrong decision is being made. No technology makes the right “good” vs. “bad” decision 100% of the time, and this leads to mistakes that can be very costly.”
So what’s the takeaway here? Maybe take a leaf out of the Singaporean government’s book and ban web browsing altogether? “What is important to understand, is [that] given the current state of the web, villains have their veritable pick of half the web to exploit. And exploitation is becoming more widespread and effective because risky sites have never been easier to exploit, traditional security products fail to provide adequate protection, and phishing attacks can now utilize legitimate sites.”
Ilia Kolochenko, High-Tech Bridge CEO, agreed: "Phishing itself is not very dangerous for corporate users. However, when paired with drive-by-download attacks and sophisticated malware (exploit-pack), phishing can get the attackers inside almost any corporate network.
It's not surprising that phishing is constantly growing, as it does not require any advanced technical skills to launch and can bring easy money to cybercriminals pretty quickly.
A very dangerous and emerging trend is the combination of phishing and ransomware - many users will not have a choice but to pay a ransom."