Story image

Top 50 websites in Australia serving 'risky code' to visitors

08 May 18

Seven of the most popular websites in Australia served active code from risky ‘background sites’, which means anyone visiting those websites may be at risk of being exposed to malware.

Menlo Security’s April Top 50 Report for Australia tests were designed to find out how the top 50 websites in Australia run code, and how systems behind the scenes determine the content.

“What's not obvious to the end user is that a visit to one of the top 50 website also results in the browser loading active content from many other sources,” the report says.

The top 50 websites were categorised as ‘news and media’, ‘social networks’, and ‘computer and internet info’.

Seven of the sites were serving active code from ‘background sites’ marked as ‘parked sites’, ‘adult and pornography’, ‘uncategorised’, ‘business and economy’ and ‘CDNs’.

“The total number of scripts executed, especially when they are fetched and executed from the risky "background domains" significantly increases the risk of visiting a website,” the report says.

A browser will typically execute 44 scripts when directed to a top 50 website, however in this study 32% of the websites executed more than 50 scripts and the top website executed 155 scripts from 31 different background domains.

Browsers use ‘background initiated requests’ to deliver tracking, ad networks and CDNs, however the website owner often has very little control over the security posture of background sites.

“We've seen a number of breaches in the recent past where a background site was breached and a visit to one of the ranked site resulted in a malware drop,” Menlo Security says.

On average, when visiting a top 50 website in Australia, a browser will download 1.58MB of code. The top site in Australia was a News and Media site that downloaded 5.65MB of code. 66% of the top sites executed more than 1MB of code.

Escalating security concerns, two of the top 50 sites ran vulnerable versions of web code software at the time of testing, showing that vulnerable servers are powering the top 50 websites in Australia.

“This is important because the older the software, the higher the risk. The software versions were then fingerprinted against the National Vulnerability Database so we can better understand the security posture and the risks of these sites. A site in the top-50 was marked as vulnerable if either itself or one of the ‘background sites’ it uses were running vulnerable software.”

Microsoft-iis/7.5 was the most prominent vulnerable version reported with known software vulnerabilities.  The oldest vulnerable software was Microsoft-iis/7.5, that was released in 2009.

The firm says that organisations should be aware that while developers use scripts to enhance a website’s user experience, attackers can use scripts to conduct iframe redirects and deliver malvertising links.

Now going to any popular website is associated with some risk.

“Security professionals have been using browser plugins like NoScript for years, however it makes the web surfing experience much harder. For many non-technical users, it's not really an option to deploy, meaning the vast majority of users cannot make an educated choice on script permissions.”

The secret to scaling DevOps in the digital era
"Organisations around the world have learnt at a cost that while agile DevOps methodologies can result in improved outcomes within teams and projects, they have a propensity to fail miserably."
APAC FinTech network launches to encourage cross-border innovation
Nine associations formally launched the network by signing a Statement of Intent at the Asian Financial Forum event in Hong Kong.
New blockchain solution aims to keep our food ethical
OpenSC enables anyone to scan product QR codes which automatically takes them to information about where a specific product’s journey.
Avaya expands AI offerings with new partnerships
The additions to the ecosystem will enable Avaya to add prioritisation and natural language processing to its UC solutions.
Hillstone CTO's 2019 security predictions
Hillstone Networks CTO Tim Liu shares what key developments could be expected in the areas of security compliance, cloud, security, AI and IoT.
Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
SUSE partners with Intel and SAP to accelerate IT transformation
SUSE announced support for Intel Optane DC persistent memory with SAP HANA.
Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."