Nearly half of all websites pose security risks
14 December 2016
According to a new study of the top one million domains, 46% are running vulnerable software, are known phishing sites, or have had a security breach in the past 12 months.
The big problem is that even when a web site is managed by a careful company, it will often load content from other sites, said Kowsik Guruswamy, CTO, Menlo Security, which sponsored the report.
For example, news sites, 50% of which were risky, typically run ads from third-party advertising networks – but it is not just ads.
“The Economist, for example, has a plug-in that does a pop-up if you are using an ad blocker,” said Guruswamy. “And that pop-up had malware in it. I bet The Economist had no idea that their website was hacked.”
In fact, unintentional, background requests for additional content outnumber intentional requests by actual human users by 25 to one, according to the report.
So an enterprise that blocks its users from accessing domains by category, or only allows certain approved categories of domains, would not pick up on the problem, because The Economist is a reputable, useful news site.
“And a lot of enterprises are using security products based on the category of content being delivered,” Guruswamy added. “You get the link and you click on it, and it’s a phishing page, but the security policy allows it because it’s a news site.”
The malicious site can then deliver a drive-by malware download, or it can serve up a spoofed banking page and harvest account credentials, he said.
News and media sites were most likely to be risky, at 50%, followed by entertainment sites at 49%, and travel sites at 42%.
The largest source of risk was vulnerable software. About 36% of all websites were either running vulnerable software, or getting content from other locations running vulnerable software.
“What we designed is a passive scan of the page that would identify the type of software the site was running, and not just the main site, but all the sites the page is loading,” said Guruswamy. “And then we’d look up the software version in the National Vulnerability Database and check for known vulnerabilities.”
The next biggest risk factor was if a website was known to be malicious, or pulled content from a malicious domain. About 17% of the top million Alexa websites fell into this category.
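As an added example (not code from the article or from Menlo Security's scanner) of the two points above: a category filter sees only the top-level news domain, while a passive scan of every host the page loads, checked against a vulnerability and reputation list, shows the real exposure. All hosts, server headers and vulnerable-version entries below are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample page as served by a hypothetical "news" site.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-ads.test/ad.js"></script>
<link rel="stylesheet" href="https://static.example-news.test/site.css">
</head><body>
<img src="https://img.example-news.test/logo.png">
<script src="https://widgets.example-adblock-detect.test/popup.js"></script>
<iframe src="https://bank-login.example-phish.test/secure"></iframe>
</body></html>
"""

# Constructed "Server:" headers, keyed by host, as a passive scan would record them.
OBSERVED_SERVER_HEADERS = {
    "cdn.example-ads.test": "nginx/1.8.0",
    "static.example-news.test": "nginx/1.20.1",
    "img.example-news.test": "nginx/1.20.1",
    "widgets.example-adblock-detect.test": "PHP/5.3.29",
    "bank-login.example-phish.test": "Apache/2.4.52",
}
# Constructed stand-in for an NVD lookup (versions the article names as vulnerable).
KNOWN_VULNERABLE = {("nginx", "1.8.0"), ("PHP", "5.3.29")}
# Constructed reputation list of hosts known to serve phishing.
KNOWN_MALICIOUS = {"bank-login.example-phish.test"}

def loaded_origins(html: str) -> list[str]:
    """Every distinct host the page pulls content from (src/href attributes), in order."""
    hosts = []
    for url in re.findall(r'(?:src|href)="(https?://[^"]+)"', html):
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def parse_server(header: str) -> tuple[str, str]:
    """Split 'nginx/1.8.0' into ('nginx', '1.8.0')."""
    name, _, version = header.partition("/")
    return name, version

def assess_page(html: str, headers: dict, vulnerable: set, malicious: set) -> dict:
    """Map each loaded host to its risk reasons; an empty list means no finding."""
    findings = {}
    for host in loaded_origins(html):
        reasons = []
        if host in malicious:
            reasons.append("known-malicious")
        if host in headers and parse_server(headers[host]) in vulnerable:
            reasons.append("vulnerable:" + headers[host])
        findings[host] = reasons
    return findings

def page_is_risky(findings: dict) -> bool:
    """The top-level site inherits the risk of any dependency it loads."""
    return any(findings.values())
```

Running `assess_page(SAMPLE_HTML, OBSERVED_SERVER_HEADERS, KNOWN_VULNERABLE, KNOWN_MALICIOUS)` flags two third-party hosts for vulnerable software and one for phishing, while the news site's own hosts come back clean.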
Business and economy
For example, the single largest category of known bad sites was pornography, with nearly 38,000 websites known to deliver phishing or other attacks. But pornography ranked far down the list when it comes to vulnerable software – the business and economy category actually had the most sites with known vulnerabilities, at more than 82,000, followed by society, personal sites and blogs, shopping, news and media.
Finally, 3% of sites had experienced a recent security incident.
Guruswamy suggested that enterprises look beyond simple website categorisation strategies to protect their users from phishing attacks since the bad guys have, in effect, half the Internet at their disposal.
Enterprises that host websites should also step up and do more to protect their visitors, including making sure that all their software is up to date, and the sites that they embed content from also are current.
For example, nearly 70,000 of the top million websites run the vulnerable nginx 1.8.0 server software. The next most dangerous software is Microsoft’s IIS 7.6 web server, which dates back to 2009. 2010’s PHP 5.3.29 is in third place, with nearly 32,000 websites.
IDG News Service