Four in 10 Top Websites Are Dangerous

Four in 10 of the top websites pose dangers to their visitors. According to cybersecurity vendor Menlo Security, out of the top 100,000 websites as ranked by Alexa, 42 percent are "risky." A risky website is any site that fits one of these criteria:

  • Either the homepage or an associated background site is running vulnerable software;
  • It's known to distribute malware or launch attacks; or
  • It has already suffered a security breach in the past 12 months.

The use of background services is especially troubling, according to Menlo, which published its findings in a "State of the Web 2017" report.

While the security industry puts a lot of attention on the behavior of website visitors, the report noted, "much of the damage wrought by cybercriminals happens behind the scenes, as websites connect with so-called 'background sites.'" Menlo's researchers found that websites rely on an average of 25 other background sites to produce content, such as displaying a video from a media server or serving an ad from an advertising network. Many antivirus and web-filtering programs focus on the primary domain while ignoring the calls to those background sites, the report stated.

Although the report didn't list problematic websites, it did categorize them by type of content. For example, 49 percent of news and media sites "satisfied" at least one of three criteria of riskiness, as did 45 percent of entertainment and arts sites and 40 percent of personal sites and blogs.

While the adult and pornography category had the highest number of risky sites, business and economy sites led the way in the "trusted" category.

Another source of problems is the reliance on "aging software technology," programs that have been around long enough to be "repeatedly compromised" through the years, Menlo researchers asserted. For example, 32,000 sites that were part of the study used Microsoft IIS 7.5, a version released with Windows 7 and Windows Server 2008 R2. Here, business and economy sites led the way, with 51,045 websites relying on software classified as "vulnerable." Also, 9,452 websites for educational institutions made the list of vulnerable sites.

The Menlo report highlighted the problem of websites being identified as unsafe by web security firms, only to transition to a trusted category temporarily and then back again. One unnamed security company, for example, assigned a website to a "Phishing and Other Frauds" category and then briefly reassigned it to a "benign-sounding" category for a couple of days, before yanking it back to the untrusted side.

Menlo advised website owners to run the latest software for their websites and to try programs such as "content-security-policy," to minimize access to malware through background sites. It also encouraged users to "download software updates religiously," stay away from Adobe Flash and use the Chrome browser "when possible." A final bit of advice was to use isolation techniques for web surfing, such as moving the execution of web content to the cloud, preventing malicious code from reaching the user's device.

The report is available with registration on the Menlo Security site.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • open laptop in a college classroom with holographic AI icons like a brain and data charts rising from the screen

    4 Ways Universities Are Using Google AI Tools for Learning and Administration

    In a recent blog post, Google shared an array of education customer stories, showcasing ways institutions are using AI tools like Gemini and NotebookLM to transform both learning and administrative tasks.

  • illustration of a human head with a glowing neural network in the brain, connected to tech icons on a cool blue-gray background

    Meta Launches Stand-Alone AI App

    Meta Platforms has introduced a stand-alone artificial intelligence app built on its proprietary Llama 4 model, intensifying the competitive race in generative AI alongside OpenAI, Google, Anthropic, and xAI.

  • three main icons—a cloud, a user profile, and a padlock—connected by circuit lines on a blue abstract background

    Report: Identity Has Become a Critical Security Perimeter for Cloud Services

    A new threat landscape report points to new cloud vulnerabilities. According to the 2025 Global Threat Landscape Report from Fortinet, while misconfigured cloud storage buckets were once a prime vector for cybersecurity exploits, other cloud missteps are gaining focus.

  • Stylized illustration showing cybersecurity elements like shields, padlocks, and secure cloud icons on a neutral, minimalist digital background

    Microsoft Announces Security Advancements

    Microsoft has announced major security advancements across its product portfolio and practices. The work is part of its Secure Future Initiative (SFI), a multiyear cybersecurity transformation the company calls the largest engineering project in company history.