
Vulnerable websites make up half of the internet's top sites

News roundup: A report finds nearly half the internet is filled with vulnerable websites. Plus, SWIFT confirms more hacks, Amit Yoran steps down from RSA and more.

Cybercriminals have their pick of nearly half of the top websites in the world to exploit, according to a new study.

In its "State of the Web 2016: Quantifying Today's Internet Risk" report, Menlo Security classified 46% of the Alexa top 1 million websites as risky. The report focused not just on the top 1 million sites, but also factored in the 25 million background sites that deliver active content to the primary sites.

"By closely examining key characteristics of the background sites, including software version, release dates, CVE IDs and third-party risk intelligence, we were able to discern the impact of these background sites on the primary sites' risk," the report stated.

To gather its findings, Menlo Security used a distributed Chrome-based browser farm to load the homepage of each of the top 1 million websites, and then used a Chrome extension called the Menlo Security Risk Analyzer to monitor the loading and execution of JavaScript on each site. Using the collected data, Menlo Security looked at three factors to determine if the site was risky: if the homepage or background sites used software with a known vulnerability; if the homepage or background site was "known-bad" because of phishing or malware; or if the homepage or background site had a security incident within the last 12 months.
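The three-factor classification described above, applied transitively over a primary site and the background sites that serve it active content, can be expressed as a small scoring routine. The code below is an added illustration, not Menlo Security's Risk Analyzer or any code from the report; the `Site` structure, the field names and the sample hosts are assumptions, and the sample data is constructed. It shows how a single vulnerable background site (an ad network, say) taints an otherwise clean homepage, and how the 12-month incident window separates a recent incident from an old one.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Hypothetical site record; the report's own data model is not published on the page.
@dataclass
class Site:
    host: str
    has_known_vuln: bool = False          # runs software with a published CVE
    known_bad: bool = False               # flagged for hosting phishing or malware
    last_incident: Optional[date] = None  # most recent security incident, if any
    background: list[Site] = field(default_factory=list)  # third-party sites the page loads

# "Within the last 12 months" in the report's methodology, taken here as 365 days.
INCIDENT_WINDOW = timedelta(days=365)

def risk_factors(site: Site, today: date) -> dict[str, bool]:
    """Evaluate the three risk factors over the primary site and every background site it loads."""
    sites = [site] + site.background
    return {
        "vulnerable_software": any(s.has_known_vuln for s in sites),
        "known_bad": any(s.known_bad for s in sites),
        "recent_incident": any(
            s.last_incident is not None and today - s.last_incident <= INCIDENT_WINDOW
            for s in sites
        ),
    }

def is_risky(site: Site, today: date) -> bool:
    """A site is classified risky when any one of the three factors is present."""
    return any(risk_factors(site, today).values())

def summarize(sites: list[Site], today: date) -> dict[str, int]:
    """Per-factor counts plus the overall number of risky sites, like the report's headline figures."""
    counts = {"vulnerable_software": 0, "known_bad": 0, "recent_incident": 0, "risky": 0}
    for s in sites:
        for factor, present in risk_factors(s, today).items():
            counts[factor] += int(present)
        counts["risky"] += int(is_risky(s, today))
    return counts

# Constructed sample: fixed "today" and four invented hosts (not from the report).
TODAY = date(2016, 12, 16)
SAMPLE_SITES = [
    # Clean homepage, but it pulls scripts from an ad network running vulnerable software.
    Site("news.example", background=[Site("ads.example", has_known_vuln=True)]),
    # Incident 290 days ago: inside the 12-month window.
    Site("shop.example", last_incident=date(2016, 3, 1)),
    # Incident more than 18 months ago: outside the window, so not counted.
    Site("blog.example", last_incident=date(2015, 6, 1)),
    # Flagged directly for phishing.
    Site("login-verify.example", known_bad=True),
]

if __name__ == "__main__":
    for s in SAMPLE_SITES:
        print(f"{s.host:22} risky={is_risky(s, TODAY)} {risk_factors(s, TODAY)}")
    print(summarize(SAMPLE_SITES, TODAY))
```

The point a defender should take from the first sample host is that `news.example` is counted as running vulnerable software without hosting any of it: the finding comes from the background site it embeds, which is exactly why the report looked beyond the 1 million homepages to the 25 million sites behind them.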

Of the 1 million sites analyzed, the study found more than 350,000 sites are running vulnerable software. This risk factor far outweighed the other two, with sites being "known-bad" coming in at more than 160,000 and sites with a security incident within the last year at approximately 32,000.

Menlo Security further categorized the vulnerable websites and came across more unexpected findings. More than 80,000 "Business & Economy" sites run vulnerable software, which, as the study pointed out, is more than three times as many as in the "Adult & Pornography" category. "Business & Economy" sites also topped the chart in recent security incidents with more than 5,600.

"The vast majority of recent incident categories are ones that an average person would visit while at work, as part of their daily routine," the report stated. "Whom amongst us doesn't check the news and weather each morning? Or get the latest updates on the rich and famous? Or catch up on our shopping, read our favorite blogs or watch a viral video? Risk is ever-present, even with the most trusted, 'legitimate' sites."

With so many major websites found to be risky, more people being infected or attacked more often should follow. However, the study indicated something else. "The fact is there are currently more vulnerable websites than attackers to exploit them." So, users don't have to panic just yet.

However, attackers exploiting vulnerable websites is still a common problem, and Menlo offered three reasons for it: at-risk sites are now easier to exploit than they have ever been; traditional security products don't offer strong enough protections; and phishing attacks now utilize legitimate sites.

The report offered recommendations for enterprises, website owners and end users to deal with the massive amount of risky websites, including isolation and remote browsing. Frequent patching and updates are also encouraged, as well as not downloading documents from untrusted sources.

In other news:

  • The Belgium-based banking messaging service SWIFT confirmed hackers have successfully stolen more funds since the February 2016 theft of $81 million from Bangladesh's central bank at the Federal Reserve Bank of New York. In a letter to the banks that use the network, SWIFT warned of the evolving threat to their systems and disclosed there have been a "meaningful number" of attacks since February that resulted in stolen funds. The letter from SWIFT also addressed the more advanced techniques the hackers have been using, including one that uses software to pose as tech support to access systems. SWIFT hasn't yet detailed the attacks further, or named the victims or the amount of stolen funds, but did clarify its own systems have not been compromised.
  • The hacker group known as the Shadow Brokers is selling National Security Agency exploits to buyers one on one. The group has been quiet since it tried to auction off the exploits, but confirmed to Motherboard Dec. 15 it is running a site on ZeroNet. The site lists each exploit by name, type and price, which ranges from 10 to 1,000 bitcoins -- $780 to $780,000. This confirmation also follows the Shadow Brokers' promise to sell more NSA hacking tools after publicly releasing a cache of them in August. The site is a new format for selling these exploits and, unlike the public release and the auction, could make it more difficult to track what has been sold to hackers and, thus, make it harder to mitigate the threats.
  • Amit Yoran is stepping down as president of RSA to head Tenable Network Security. Yoran is taking over for co-founder and former Tenable CEO Ron Gula starting Jan. 3. RSA has said it has already identified Yoran's successor, but has yet to announce the person's name. Yoran has been with RSA since 2011, when it acquired NetWitness, of which he was CEO. This leaves a vacancy in the keynote speaker lineup for the upcoming RSA Conference in February 2017. RSA was recently acquired by Dell when the computer maker purchased RSA parent company EMC for $67 billion.
  • In an effort to bring more awareness around government surveillance of its users, Google published eight National Security Letters on Dec. 13. The National Security Letters were sent to Google between 2010 and 2015 from FBI offices in North Carolina, Florida, Arizona, New York and California. National Security Letters previously came with a gag order, but the 2015 USA Freedom Act now allows companies to disclose them. In a blog post, Google's Director of Law Enforcement and Information Security Richard Salgado wrote, "We are now making copies of [the National Security Letters] available. Our goal in doing so is to shed more light on the nature and scope of NSLs. We minimized redactions to protect privacy interests, but the content of the NSLs remain as they were when served."
  • Researchers at Proofpoint discovered a new malvertising campaign that infects routers instead of browsers. The campaign, called DNSChanger EK, targets routers in order to insert ads into every site a user visits. The hackers buy ads on legitimate websites and inject them with malicious JavaScript that discovers the user's local IP address. After a complex but quick process, the attacker can take control of the router and use it to replace legitimate ads with malicious ones, or add ads to sites that don't otherwise feature ads. DNSChanger EK primarily targets users of the Chrome browser. While the list of affected router models is still a work in progress, some of the brands are reported to include Linksys, Netgear, D-Link, Comtrend, Pirelli and Zyxel. The only mitigation option currently is to update the router's firmware to the latest version. While DNSChanger EK is unrelated to the Netgear router security flaw, it is the latest in a recent string of router security troubles.
