We scan a lot of websites per day. Through our daily work we see all sizes and types of websites compromised, blacklisted, and filled with various security issues. But, we don’t often aggregate the results to provide a public report of what we are seeing.
So last month, we decided to do just that. We decided to scan the most popular websites on the internet to see how bad, or good, they are in terms of web security.
Our testing was very simple. We chose the top 1 million sites (according to Alexa) and checked each of them for these 4 issues:
- Is the site Blacklisted? Sites were checked on Google, Norton, McAfee, ESET and Sucuri Labs.
- Is the site infected with hidden SPAM?
- Is the site infected with malware like drive-by-downloads, exploit kits, and similar issues?
- Is the site running outdated software?
If the site passed those 4 tests, it would be considered safe for our testing purposes. Let’s see how the sites did.
A site generally ends up blacklisted when an engine detects something malicious on it. Being blacklisted is one of the worst things that can happen to a webmaster because it means fewer users will visit their site. If a site is blacklisted by Google, for example, anyone using Chrome or Firefox will get a big red warning page when trying to enter the site.
From the top 1,000,000 sites, 18,557 of them are currently blacklisted. That’s almost 2%.
McAfee (Siteadvisor) is the most aggressive of them all, having almost 11,000 of the sites blacklisted under their engine. They are followed by Sucuri Labs and Yandex, with almost 2,000 sites each.
What is surprising is that Google is way at the bottom, with only 357 sites currently flagged by them.
SEO SPAM is one of the most common types of injections we see on compromised sites. SPAM is often very hard for website owners to detect because it doesn’t cause any short-term impact or warning. In the long term, however, webmasters will notice their PR (page ranking) decrease and their search engine results poisoned with incorrect keywords and redirects.
Not surprisingly, 4,836 (0.5%) of the sites had some type of hidden SPAM. We found anything from sneaky links, to conditional redirections.
We classified as malware any type of injection that could harm the end user visiting the site. The number of sites that were flagged was very high.
44,317 (4%) of all the sites tested had some type of malicious injection. The most popular injection was related to the Blackhole Exploit kit, covering almost 3,000 websites. That was followed by iFrame injections and conditional redirections, generally done by changes to the .htaccess file.
Running outdated software
The results of this test really scared us. 67,509, yes, 67 thousand websites out of the top 1,000,000 are running outdated software. That’s almost 7% of all of them.
The most common platform running outdated software was WordPress with 55,000 outdated sites, followed by Joomla and vBulletin.
- Drupal: 1,789
- Joomla: 5,334
- Magento: 2,550
- osCommerce: 106
- vBulletin: 1,875
- WordPress: 55,837
Please note that we did not include outdated plugins or components in our testing. What’s really scary is that most website compromises actually happen because of vulnerable software that is not patched in time. We even released our own Cloud-based WAF to help people who cannot update their sites, in an effort to provide virtual patching for them.
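To make the two content-level checks described above (hidden SPAM in the page body, and outdated software identified from the CMS generator tag) concrete, here is a small added example written for this page. It is not Sucuri’s scanner and does not claim to reproduce its methodology; the reference table of "latest" versions, the sample pages, and the hidden-link heuristic (anchors inside elements hidden with `display:none`, `visibility:hidden` or the `hidden` attribute) are all assumptions constructed for the demonstration.

```python
"""Added example (not Sucuri's code): audit constructed HTML pages for
hidden SEO-spam links and an outdated CMS version, then tally results."""
from html.parser import HTMLParser
import re

# Assumed reference table; a real scanner keeps this current from vendor feeds.
LATEST_VERSIONS = {"WordPress": (3, 5, 1), "Joomla": (3, 0, 3), "Drupal": (7, 20)}

# Elements that never carry an end tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}


def parse_version(text):
    """'WordPress 3.4.2' -> (3, 4, 2); tuples compare correctly as versions."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


class PageAuditor(HTMLParser):
    """Collects the generator meta tag and every <a> placed inside a hidden container."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.hidden_depth = 0   # > 0 while parsing inside a hidden element
        self.hidden_links = []
        self._stack = []        # one bool per open non-void element: was it hidden?

    @staticmethod
    def _is_hidden(attrs):
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return "display:none" in style or "visibility:hidden" in style or "hidden" in attrs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            self.generator = attrs.get("content") or ""
            return
        if tag in VOID_TAGS:
            return
        hidden = self._is_hidden(attrs)
        self._stack.append(hidden)
        if hidden:
            self.hidden_depth += 1
        # A link is "sneaky" when it, or any ancestor, is hidden from the visitor.
        if tag == "a" and self.hidden_depth > 0:
            self.hidden_links.append(attrs.get("href") or "")

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self.hidden_depth -= 1


def audit_page(html):
    """Return a list of (finding_kind, detail) tuples; empty means the page passed."""
    auditor = PageAuditor()
    auditor.feed(html)
    findings = []
    if auditor.hidden_links:
        findings.append(("hidden_spam", auditor.hidden_links))
    if auditor.generator:
        name = auditor.generator.split()[0]
        found, latest = parse_version(auditor.generator), LATEST_VERSIONS.get(name)
        if latest and found and found < latest:
            detail = f"{name} {'.'.join(map(str, found))} < {'.'.join(map(str, latest))}"
            findings.append(("outdated_software", detail))
    return findings


def tally(pages):
    """Aggregate per-page findings into report-style counts."""
    counts = {"hidden_spam": 0, "outdated_software": 0, "clean": 0}
    for html in pages:
        findings = audit_page(html)
        if not findings:
            counts["clean"] += 1
        for kind, _ in findings:
            counts[kind] += 1
    return counts


# Constructed sample pages (not real sites).
SPAM_PAGE = (
    '<html><head><meta name="generator" content="WordPress 3.4.2"></head>'
    '<body><p>Welcome</p><div style="display: none">'
    '<a href="http://spam.example/pills">cheap</a></div></body></html>'
)
CLEAN_PAGE = (
    '<html><head><meta name="generator" content="WordPress 3.5.1"/></head>'
    '<body><a href="/about">About</a></body></html>'
)

if __name__ == "__main__":
    for page in (SPAM_PAGE, CLEAN_PAGE):
        print(audit_page(page))
    print(tally([SPAM_PAGE, CLEAN_PAGE]))
```

The stack-based tracking matters because spam links are usually wrapped several levels deep inside a hidden container rather than hidden directly; a version check that compares tuples rather than strings avoids the classic "3.10 < 3.9" mistake.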
The very alarming final number is that 108,781 (more than 10%) of the 1 million sites tested had some type of issue and didn’t get a healthy/safe result. The overall numbers are very close to what we reported in our 2012 Web Malware Trends Report.
Share the results
We have put together a cool infographic tallying up all the numbers. Feel free to share the numbers with your network; awareness is the key to reducing these issues:
Here’s a video breakdown of the report:
Please let us know if you have any questions below in the comments, and if you need a hand, feel free to email us at firstname.lastname@example.org.