21% of scanned sites ran old CMS or web server software

Mar 26, 2015 10:07 GMT

A scan of 750,000 unique domains from the top 1 million in Alexa’s popularity ranking revealed that about a third of them present a risk to visitors: they were found either to be already compromised or to run vulnerable code that could be exploited in various attacks.

In more than 6% of cases, domain classification services identified the websites as serving malware or spam, or as being part of a botnet.

Unpatched software is the main cause of concern

The research was conducted in mid-January 2015 and published in March by Menlo Security, a cyber-security startup bent on eliminating advanced malware, and involved verification of more than 1.75 million URLs.

The links were checked against third-party systems that determined the field of activity they belonged to and if they were present on lists with known malicious websites.

According to the company’s results, 21% (roughly one fifth) of the scanned websites ran outdated software, such as web servers and content management systems (CMS), with known vulnerabilities.

Spotting vulnerable sites is not difficult

A breakdown of the risks identified shows that more than one in ten websites rely on a vulnerable version of the PHP application framework, and 8% run unpatched variants of the Apache and IIS web servers.

CMS software (WordPress and Drupal) presenting risks was found in 2% of the cases, with approximately the same numbers for each of the two solutions.

The report from the company says that determining the risks stemming from a website’s infrastructure did not require special methods.

“Information regarding a site’s underlying software infrastructure is routinely returned to any browser that makes a Web request. Attackers need no more than a standard browser to find vulnerable sites to exploit.”
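As an added example that is not part of the article or of the Menlo Security report: a self-audit of the headers your own site returns, flagging the product/version tokens the quote refers to and pairing each with the configuration change that suppresses them. The two sample responses are constructed; the header names and the Apache, PHP and IIS directives are standard settings.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample responses (illustrative values, not data from the report):
# the first leaks server, language and CMS versions; the second is the same site after hardening.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Ubuntu) PHP/5.3.10\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "X-Generator: Drupal 7 (http://drupal.org)\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
HARDENED_RESPONSE = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html></html>"

# Response headers that routinely carry product/version strings.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-generator", "x-aspnet-version")
# "Product/1.2.3" tokens, and "Drupal 7" / "WordPress 4.1" style generator strings.
SLASH_TOKEN = re.compile(r"([A-Za-z][A-Za-z0-9_.-]*)/(\d+(?:\.\d+)*)")
CMS_TOKEN = re.compile(r"\b(Drupal|WordPress)\s+(\d+(?:\.\d+)*)")
# Configuration that hides the version token for the software named in the article.
HARDENING_HINTS = {
    "apache": "ServerTokens Prod and ServerSignature Off (httpd.conf)",
    "php": "expose_php = Off (php.ini)",
    "drupal": "strip the X-Generator header at the web server layer",
    "microsoft-iis": "remove Server/X-Powered-By via web.config customHeaders or URL Rewrite",
}

def parse_headers(raw: str) -> Dict[str, str]:
    """Return the response headers as a lowercase-keyed dict; status line and body are dropped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def disclosed_versions(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List every (header, product, version) a plain GET reveals to any client."""
    findings: List[Tuple[str, str, str]] = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name, "")
        findings += [(name, p.lower(), v) for p, v in SLASH_TOKEN.findall(value)]
        findings += [(name, p.lower(), v) for p, v in CMS_TOKEN.findall(value)]
    return findings

def audit(raw: str) -> Dict[str, str]:
    """Map each disclosed product to the configuration change that hides its version."""
    products = {product for _, product, _ in disclosed_versions(parse_headers(raw))}
    return {p: HARDENING_HINTS.get(p, "remove or genericise the header") for p in sorted(products)}
```

Running `audit` against a response captured from your own server lists what the study's scan would have seen and what to change; an empty result, as for the hardened sample, means no version tokens are exposed.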

Categories like health and medicine, computers and technology, transportation or business had the highest number of websites presenting an exploitation risk, the study found.

Apart from investing in new tools capable of preventing and detecting attacks, organizations have an easy solution at hand: keeping track of new releases for software used on the website and applying all security updates as soon as possible.

Image: Vulnerable services identified during the research

Image: Vulnerability percentage per website category