Facebook. Paypal. ESPN. Google. Amazon. These are sites you probably visit all the time, sites you inherently trust. But a new report from Menlo Security released Tuesday says that trustworthy sites are not necessarily safer.
Menlo pulled out the top 1 million domains on the Web and reviewed them all for potential vulnerabilities. The results were startling. One in three fell into the category of "risky," meaning that they had either already been compromised by hackers, or were running vulnerable software that leaves them open to attack.
Menlo did not disclose which sites were vulnerable. But many of the potentially dangerous sites discovered weren't porn sites or questionable domains. It was nearly as likely that a website related to transportation, health and medicine, technology or business would put visitors at risk of exposure to damaging malware. In fact, one in four of the most trusted sites -- education and government domains -- were found to be vulnerable.
Ninety percent of malware infections come from basic Internet browsing, according to Menlo.
"With today's increasingly sophisticated malware, simply navigating to a compromised website or opening a document can unleash a whole slew of malware onto a user's computer," analysts wrote.
Forbes.com was hacked at the end of last year, redirecting users to an outside site where malware was surreptitiously downloaded onto their computers. And readers of Huffington Post, LA Weekly and other sites were hit with ransomware from infected advertisements in January. Users didn't have to click on the malicious ads to be affected.
Security firm Cyphort noticed the malvertising and commented that "drive-by" attacks like this would be a major security challenge in 2015.
And it's not just your computer that's at risk, said Menlo, but others on your company or organization's network, and beyond. "Once an endpoint has been compromised, an attack can quickly spread to other systems both within and outside the user's organization."
In its analysis, Menlo cross-referenced 1.75 million URLs against a list of known malicious sites, checked the reputation of the IP address associated with each, and fingerprinted the software running each website to assess whether it had been updated with the latest security patches (21 percent hadn't been).
The company pointed out that none of these tasks required "special or invasive means," meaning that anyone with a little knowhow could have done the same, identifying weak spots -- for good or for more nefarious purposes. "Attackers need no more than a standard browser to find vulnerable sites to exploit," the researchers said.