According to recent research, the security of the internet at large is shaky. Menlo Security reported that 42 percent of the top 100,000 websites as ranked by Alexa are potentially compromised and risky for users. To make matters worse, typical measures to weed out bad actors, including site reputation and category regulation, make little difference when it comes to overall security.

Neighborhood Watch

Digital citizens have established trusted neighborhoods — clusters of reputable sites that handle data responsibly, leverage cutting-edge internet security measures and stay up to date with threat developments. Typically, these sites have hard-won online reputations to back up these claims.

As noted by SC Magazine, however, cybercriminals are using public and corporate perceptions of trust to launch background, phishing and typosquatting attacks. As a result, more than 40 percent of trusted sites are considered risky because they’re running vulnerable software, have been used to distribute or launch malware attacks, or suffered a security breach in the last 12 months.

One particular area of concern is the number of background sites leveraged by trusted domains for content such as video or online advertisements. According to Infosecurity Magazine, the average website uses 25 background connections to deliver this content, but most enterprise administrators don’t have the monitoring solutions in place to determine whether these connections exhibit risky or criminal behavior.

User trust is also exploited through typosquatting. According to the Menlo Security data, 19 percent of typosquatting attacks — in which fraudsters claim domain names that are almost identical to those of familiar sites but with small typos — occurred in trusted website categories. Phishers also used the cover of legitimate domains to obfuscate their intentions and convince users to click on malicious links or download infected attachments.

Filling Internet Security Gaps

According to Menlo Security CEO Amir Ben-Efraim, the company’s recent study “confirms what most CISOs already know: that a false sense of security is a dangerous thing when using the web.” But what’s driving this overconfidence in a technology landscape filled with emerging threats?

Transparency is part of the problem. Most enterprises don’t have a clear picture of the risks posed by background sites and delivered content. Companies are also getting complacent once they reach a position of consumer trust, especially if they’ve successfully avoided recent internet security threats. In other words, there’s a sense that current firewalls and antivirus tools are enough to keep sites safe.

But a the Menlo data demonstrated, the opposite is true: Trusted sites are some of the most risky. Companies can’t afford to ignore background content simply because it’s never proven problematic before, because cybercriminals will exploit anything and everything connected to their intended targets.

Employee education is equally crucial. Attacks exploiting the human element, such as failure to notice typosquatting or getting duped by phishing emails, make up the lion’s share of successful trust-hacking. Educating employees cuts these attacks off at their source and improves total security hygiene.

Despite appearances, internet security for top sites is spotty at best. Organizations need to figure out how to track exactly what’s coming, going and happening on their networks.

More from

Detecting Insider Threats: Leverage User Behavior Analytics

3 min read - Employees often play an unwitting role in many security incidents, from accidental data breaches to intentional malicious attacks. Unfortunately, most organizations don’t have the right protocols and processes to identify potential risks posed by their workforce. Based on a survey conducted by SANS Institute, 35% of respondents said they lack visibility into insider threats, while 30% said the inability to audit user access is a security blind spot in their organizations. In addition, the 2023 X-Force Threat Intelligence Index reported that…

3 min read

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Increasingly Sophisticated Cyberattacks Target Healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

4 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read