ThreatList: Almost Half of the World’s Top Websites Deemed ‘Risky’

Nearly half of the world’s most popular websites are risky places to visit, according to a fresh analysis of top Alexa sites. Vulnerable code, the running of active content from risky background sites, and large amounts of code downloads marked a good chunk of the top 50 websites used in all of the countries examined.

According to Menlo Security’s annual State of the Web report released Thursday, on a broader level, a full 42 percent of the Alexa Top 100,000 sites globally were deemed “risky,” because they either used unpatched server software known to be vulnerable; or, the site had served malware/launched attacks, or suffered a security breach in the past year.

In looking specifically at the top 50 Alexa sites for Australia, France, Japan, Singapore, the United Kingdom and United States, the report analyzed how those sites operated, finding a number of disturbing behaviors.

For instance, the findings revealed that whenever a user visits a website, that site calls an average of 25 background sites to fetch various types of content, such as the latest viral video from a content delivery network (CDN) server or ads from an ad-delivery network.

“So, today more than ever, when a user clicks on a web link to open a website, they are really opening not just a single website, but at least 25 websites at one time,” the report explained. “If any of these background sites are themselves risky, they could be used by cyberattackers to compromise the site being visited.”

The report also found that the percentage of Alexa top 50 sites that were distributing active content from risky background sites ranged from nearly 50 percent in France to less than 20 percent in Australia.

Active content is software that web developers use to make websites dynamic and personalized. By using JavaScript and Flash, active content allows stock tickers to continuously update, for example, and animated images, streaming video and audio, maps, and even drop-down boxes to function.

“Unfortunately, active content also deprives website operators of control when it comes to securing their sites,” Menlo Security explained. “Cyberattackers often use active content delivered from background sites to surreptitiously deliver malware, ransomware and other malicious payloads.”

It added, “All it takes is for one user to visit a popular website and click on one source of contaminated active content, and your organization is infected—and susceptible to a wide range of possible cyberattacks or data breaches.”

The report also found that many of the world’s most popular websites run on back-end web servers that are outdated, including some that have not been updated for years or even decades. This leaves those websites extremely vulnerable to web-borne malware, exposing site visitors to possible infections, incursions or breaches.

And indeed, according to Menlo Security’s analysis of data collected from its customers around the world, 7.6 percent of web domains that were found to be delivering malware or providing safe haven for phishing operations were hosted on vulnerable servers, such as running outdated versions of Apache, nginx, Microsoft IIS, Drupal and more.

“Note that Microsoft IIS version 7.5, which is prominently run on 12 percent of the most popular websites in Singapore and is also the oldest vulnerable back-end software run on websites in Australia, was released in 2009, almost a decade ago,” the report said. “And, the oldest back-end web server software being operated on a top 50 website in the U.S.—PHP version 5.2.3—was released in 2007, more than a decade ago.”

The analysis also took a look at how websites download code: The more active code a site downloads, the greater the risk.

Australia and the United States are the biggest offenders, with 64 percent and 60 percent of websites, respectively, downloading and executing more than 1MB of code on a user’s on-device web browser. Even in Japan, whose websites downloaded the least amount, a full 46 percent of websites do this.

“The overall conclusion remains the same: It pays to have a healthy distrust of even the most popular, trusted websites on the Internet,” the report noted.