Skip to main content

Malware explosion: The web is risky

According to a recent study, 46 per cent of the top one million websites are considered risky because the homepage or background ad sites are running software with known vulnerabilities (CVE’s), the site was categorised as a known bad for phishing or malware, or the site had a security incident in the past year.  

According to Menlo Security, in its “State of the Web 2016” report introduced mid-December 2016, “… nearly half (46 per cent) of the top million websites are risky. Primarily due to outdated software, cyber hackers now have their veritable pick of half the web to exploit. 

And exploitation is becoming more widespread and effective for three reasons: 1. Risky sites have never been easier to exploit; 2. Traditional security products fail to provide adequate protection; 3. Phishing attacks can now utilise legitimate sites.” 

This has been a significant issue for years, but came to the forefront earlier this year when several well-known media sites were essentially hijacked by malicious ads. The New York Times, the BBC, MSN and AOL were hit by tainted advertising that installed ransomware, reports Ars Technica. From their March 15, 2016, article, “Big-name sites hit by rash of malicious ads spreading crypto ransomware”: 

The new campaign started last week when ‘Angler,’ a toolkit that sells exploits for Adobe Flash, Microsoft Silverlight, and other widely used Internet software, started pushing laced banner ads through a compromised ad network.

Everyone can be hit

The results of this attack, reported by The Guardian at around the same time: 

When the infected adverts hit users, they redirect the page to servers hosting the malware, which includes the widely-used (amongst cybercriminals) Angler exploit kit. That kit then attempts to find any back door it can into the target’s computer, where it will install cryptolocker-style software, which encrypts the user’s hard drive and demands payment in bitcoin for the keys to unlock it. 

If big-money media sites can be hit, so can nearly any corporate site, e-commerce portal, or any website that uses third-party tools – or where there might be the possibility of unpatched servers and software. After all, not all organisations are diligent about monitoring for common vulnerabilities and exploits (CVE) on their on-premises servers. When companies run their websites on multi-tenant hosting facilities, they don’t even have access to the operating system directly, but rely upon the hosting company to install patches and fixes to Windows Server, Linux, Joomla, WordPress and so-on. 

A single unpatched operating system, web server platform, database or extension can introduce a vulnerability which can be scanned for, and then exploited, by a talented hacker — or by a disgruntled teenager with a readily-available web exploit kit. 

According to Menlo Security’s 2016 Web Vulnerability report analysing the top million websites as ranked by Alexa, that’s the biggest cause of risk to website operators and consumers: 

Menlo Security considers a site risky if either the homepage, or associated background sites, are running vulnerable software, are known-bad, or have had a security incident in the last 12 months. Vulnerable software was the leading factor in classifying a site as risky. Of the 1 million sites, 355,804 were either running vulnerable software or accessing background domains running vulnerable software; 166,853 fell into known-bad categories, while 31,938 experienced a recent security incident. 

Most vulnerable software

The most vulnerable software is NGINX 1.8.0, which Menlo Security found running on 69,029 of the one million most popular websites. IIS 7.5 was only on 51,927 of those sites. 

The full list of the top 10 most vulnerable software packages Menlo Security found:

  • NGINX 1.8.0
  • Microsoft IIS 7.5
  • PHP 5.3.3
  • Apache 2.2.15
  • PHP 5.3.29
  • Apache 2.2.22
  • PHP 5.5.9
  • NGINX 1.10.0
  • Apache 2.4.7
  • Apache 2.2.31

A must-read reference for anyone concerned about software vulnerabilities is from US-CERT, a part of the U.S. Dept. of Homeland Security, which publishes a comprehensive list of high-risk vulnerabilities in both server-side and client-side software. In the most recent list, published Sept. 29, 2016, consumers and website operators can find a list of software to check for patches and updates, ranging from Microsoft SQL Server to the Oracle Java Development Kit to OpenSSL, a commonly used cryptography library. 

What’s the answer to these malware threats?  For IT administrators, Menlo Security recommends considering new threat prevention techniques, such as isolation and remote browsing, which are advocated by security analysts. Isolation inserts a secure, trusted execution environment, or isolation platform, between the user and potential sources of attacks. By executing sessions away from the endpoint and delivering only safe rendering information to devices, users are protected from malware and malicious activity regardless of the risk-level of any site. 

Menlo Security recommends the addition of threat isolation technology to every security architecture to eliminate the risk associated with all sites, including background sites. If you are a website operator, the most important step is to make sure that you stay on top of CVEs and patch, patch, patch, patch. While it can be a royal pain to continue to upgrade to the latest version of operating systems, web servers, plug-ins and extensions, it is essential to do so. It is also critical to constantly re-evaluate your partners, such as third-party advertising networks, user trackers, analytics tools, behavioural monitors, and so-on. If they are penetrated, you are penetrated – it’s just that simple. 

For end users, Menlo Security offers a solid list of recommendations that go beyond the obvious, like running antivirus software and never ever visiting links embedded in unsolicited email. 

Take a look at their “State of the Web 2016” report – you’ll be better informed about how to protect yourself, your personal data, and your website visitors.  

Alan Zeichick, tech writer, Camden Associates
Photo Credit: