1 Out Of 3 Sites Are Vulnerable To Malware
A new report published this morning by Menlo Security has alarmingly suggested that at least a third of the top 1,000,000 websites in the world are at risk of being infected by malware. While it’s worth prefacing the findings with the fact Menlo used Alexa to compile the list of the top million – a ranking site which is notoriously flawed with spammers and companies paying to have their own numbers inflated – it is still a worrying trend.
Although the use of the Alexa data might be questionable, the Menlo study’s methodology was sound. They scanned 1.75 million URLs before checking each one against third party classification systems to see if it was reported as malicious, checking IP addresses against a reputation database, and issuing a web request to each URL so they could fingerprint the response and determine what software was in use. The results are astounding – the report found one in five sites are running software with known vulnerabilities, and one in twenty sites were identified by 3rd-party domain classification services as serving malware or spam, or are part of a botnet.
The report claims that its findings prove that the concept of a ‘trusted’ site is a fallacy – with a billion websites already online and an extra 100,000 being added every day, companies’ websites are now being threatened by other sites that are out of their control. They use the example of the recent Forbes.com hacking, which saw attackers exploit a WordPress vulnerability to insert malicious code into the site that was then delivered via the ‘trusted site’ for an unspecified amount of time – possibly months.
Menlo Security’s CTO, Kowsik Guruswamy, had the following to say: “Vulnerable servers (like in Forbes, James Oliver, etc.) are being exploited by cyber criminals as a launching pad for delivering malware to unsuspecting end users. If anything, this act is trending higher. As SSL on the Internet becomes more prevalent, enterprises are going to face a much higher risk. This is partly because most enterprises, for privacy reasons, don't inspect SSL traffic and this is an easy channel for malware to ride on without getting noticed.”
The Worst Offenders
So which sites and sectors can you trust? Unsurprisingly, the worst offenders in the report were sites labelled as “Hate and Intolerance”, with sites that promoted content about violence and child abuse showing vulnerability rates of almost 35 percent. In the regular web, the report noted concern about the number of sites in typically trusted sectors that showed vulnerabilities; for example transport, health, and medicine sites had a rate of 20 percent, while tech sites and business sites both exhibited around 18 percent rates.
What is the solution? We’ve already see more than $70 billion spent on cyber security tools in 2014, yet somehow malware always manages to stay one step ahead. Menlo argue that the incident similar to the Forbes hack will become increasingly common until someone addresses the source of the problem by developing a new tool that can completely stop all web attacks before they reach their target, rather than just investing in new tools that do a better job of detecting infected systems and limiting the impacts of security breaches.
What do you think? Is Menlo’s report accurate? How do you envisage the future of cybersecurity? Let us know in the comments below.
By Daniel Price