Half of the world’s most popular sites are 'at-risk'

Popular domains are running on servers with software older than a decade


Almost half of the world's most popular websites have been declared 'risky' by new research, but the UK is among the least dangerous places in which to surf the web.

An analysis of the Alexa Top 100,000 websites for the first half of 2018 showed 42% were considered risky to web users, according to criteria outlined in Menlo Security's mid-year State of the Web report published this month.

Websites were deemed at risk if they were built on, or routinely connected to, sites that used vulnerable server software, if the site had been exploited to distribute malware or launch attacks in the past, or if the site had suffered a security breach in the previous 12 months.

But the UK is among the safest countries, of six nations analysed in greater detail, in terms of the various factors associated with risky web browsing, including the number of executable scripts and the amount of code downloaded.


"People in different countries prefer different websites, and the risks associated with using the most popular sites in those countries varies accordingly," the report said.

The researchers examined the top 50 websites in each country, analysing how much code was fetched and executed by the sites, as well as the type of code, its origin, and how many sites used vulnerable server software.

The UK had the joint second-lowest average number of scripts executed per website, 41, as well as the single website with the highest number of scripts executed from background domains, 156. Such scripts enhance the browsing experience, but can also be hijacked by malicious actors to launch attacks, the report said.

Meanwhile, the UK ranked third for the average amount of code downloaded from websites, 1.55MB - versus the first-placed US which downloads 1.83MB of code. Only 52% of websites in the UK downloaded more than 1MB of code onto a user's device, second-lowest of all, while 64% of sites in Australia downloaded more than a megabyte.

"The web remains a dangerous place for users to work and play," Menlo Security concluded.

"Strong precautions are needed to ensure that users, their devices, and the networks, apps, and clouds used by organizations aren't infected and infiltrated by attackers."


Vulnerable web software was pinpointed as a particular weakness, with many of the world's most popular sites running on back-end servers that are outdated, including some that haven't been updated in years. Such websites, the report said, are extremely vulnerable to malware, and expose visitors to infections, or breaches, at a higher rate.

Menlo Security's analysis showed 7.6% of web domains that delivered malware, or were tied to phishing operations, are hosted on vulnerable servers - including sites running on outdated versions of Apache, nginx, Microsoft IIS, and Drupal, among others. The oldest software being used among the top 50 websites in the US, for instance, was PHP version 5.2.3 - released more than a decade ago, in 2007.

"Active content downloads and scripts running in the background will continue to be essential to providing a great, dynamic web experience, but there is no excuse for popular websites to use vulnerable server software," the report continued. "Doing so creates a clear and present danger to the sites' visitors and to the websites to which it serves background content."
