Menlo Security just released their third annual "State of the Web" report and it's not pretty. The headline finding is that 42% of the top 100,000 sites as ranked by Alexa are more dangerous than you think.
The report defines a risky site as one that meets one of three criteria:
- The site, or one of its associated background sites (from which news articles or video is pulled), is running software with a known security vulnerability
- The site has been used to launch attacks or distribute malware
- The site has suffered a security breach in the past twelve months
This first point is key, and often overlooked by security professionals. Any time your website is pulling content from another source, it creates an opening that a hacker could potentially exploit. Worse, most security professionals lack the tools to properly monitor those connections.
As bad as that sounds, there's an even worse detail lurking in the pages of the report, and that concerns emails.
Hackers are increasingly moving away from setting up their own domains. Instead, they're preferring to create a subdomain of a compromised, legitimate domain, which makes it harder to spot. Amir Ben-Efraim, the CEO of Menlo Security, had this to say about the issue:
"It is far easier to set up a subdomain on a legitimate hosting service than use other alternatives - such as trying to hack a popular, well-defended site or to set up a brand-new domain and use it until it is blocked by web security firms. Legitimate domains are often whitelisted by companies and other organizations out of a false sense of security, giving cover to phishing sites.
Also, hosting services typically allow customers to set up multiple subdomains. For example, researchers found 15 phishing sites hosted on the world's 10 most popular domains."
The bottom line is: The web and even the most popular sites on it, aren't nearly as safe as you think.