According to a new study of the top one million domains, 46 percent are running vulnerable software, are known phishing sites, or have had a security breach in the past twelve months.
The big problem is that even when a website is managed by a careful company, it will often load content from other sites, said Kowsik Guruswamy, CTO at Menlo Park, Calif.-based Menlo Security. For example, news sites -- 50 percent of which were risky -- typically run ads from third-party advertising networks. And it's not just ads.
"The Economist, for example, has a plugin that does a popup if you are using an ad blocker," said Guruswamy. "And that popup had malware in it. I bet The Economist had no idea that their website was hacked." In fact, unintentional, background requests for additional content outnumber intentional requests by actual human users by 25 to one, according to the report.
So an enterprise that blocks its users from accessing domains by category, or only allows certain approved categories of domains, would not pick up on the problem because the The Economist is a reputable, useful news site.
"And a lot of enterprises are using security products based on the category of content being delivered," Guruswamy added. "You get the link and you click on it, and it's a phishing page, but the security policy allows it because it's a news site." The malicious site can then deliver a drive-by malware download, or it can serve up a spoofed banking page and harvest account credentials, he said.
News and media sites were most likely to be risky, at 50 percent, followed by entertainment sites at 49 percent, and travel sites at 42 percent. The largest source of risk was vulnerable software. About 36 percent of all websites were either running vulnerable software, or getting content from other locations running vulnerable software.
"What we designed is a passive scan of the page that would identify the type of software the site was running, and not just the main site, but all the sites the page is loading," said Guruswamy. "And then we'd look up the software version in the national vulnerability database and check for known vulnerabilities." The next biggest risk factor was if a website was known to be malicious, or pulled content from a malicious domain. About 17 percent of the top million Alexa websites fell into this category.
For example, the single largest category of known-bad sites was pornography, with nearly 38,000 websites known to deliver phishing or other attacks. But pornography ranked far down the list when it comes to vulnerable software -- the business and economy category actually had the most sites with known vulnerabilities, at more than 82,000, followed by society, personal sites and blogs, shopping, news and media.
Finally, 3 percent of sites had experienced a recent security incident. Guruswamy suggested that enterprises look beyond simple website categorization strategies to protect their users from phishing attacks since the bad guys have, in effect, half the Internet at their disposal.
Enterprises that host websites should also step up and do more to protect their visitors, including making sure that all their software is up to date, and the sites that they embed content from also are current. For example, nearly 70,000 of the top million websites run the vulnerable nginx 1.8.0 server software. The next most dangerous software is Microsoft's IIX 7.6 web server, which dates back to 2009. 2010's PHP 5.3.29 is in third place, with nearly 32,000 websites.