Wednesday, July 11, 2012

Visualize the top blacklisted sites

In the past month, I've been looking at the websites blacklisted websites by Google Safe Browsing from the Alexa top 1,000,000 sites. There are between 300 and 500 of these sites blocked everyday, mostly legitimate websites that have been compromised.

I was interested in the geographical distribution of these sites. Here are the number of blocked (malicious and hijacked) sites per country (based on the website IP address), in absolute numbers. Note that to make the map useful, I decreased the number of blocked sites hosted in the US from 146 to 42 on the map because it was over 4 times that of the #2 (China).

Country hosting popular websites blacklisted by Google Safe Browsing
As shown before, the US is hosting the biggest number of blacklisted sites (146), followed by China (45), followed by Germany (32) and Russia (26).

It is not surprising to see the US be #1 since they host more popular sites in general. Germany is also a popular hosting country, with lower prices than its neighbors. So I decided to show the map of blacklisted sites in relative numbers: number of blacklisted sites / number of sites hosted:

Country hosting popular websites blacklisted by Google Safe Browsing in relative numbers
The distribution is pretty even amongst countries with a big Internet user population. The reason why a few small countries (Sri Lanka, Venezuela, Georgia, etc.) stand out is that they host very few sites (small sample size), so having just one or two sites blacklisted increase their percentage a lot.

Most of these blocked websites are legitimate sites hijacked as part of massive attacks spanning thousand of websites. Attackers constantly scan websites for known vulnerabilities, and they can be highly successful by finding vulnerabilities on popular websites. Blocked Chinese sites host malicious content that is very different from what I've seen in other countries (see examples in the last paragraph of this post).

Do not think your personal website is safe because is has too little web traffic to attract attackers. Scans and attacks are done automatically, targets are compromised with very little resources. No website is too small to be left uncompromised.

2 comments:

Andrew Seidl said...

The first paragraph of this article reads "In the past month, I've been looking at the top 1,000,000 websites blacklisted by Google Safe Browsing. There are between 300 and 500 of these sites blocked everyday, mostly legitimate websites that have been compromised." However, the linked article suggests that you were actually measuring the number of the 1000000 top most-visited websites that were blacklisted, and the sum of the numerical info on the map seems closer to the number of sites you say are blacklisted than to a million. Is this an oversight of some sort or am I just missing something?

Julien Sobrier said...

@Andrew Seidl - Thanks for the comments, I've modified the sentence to make it clear it is the blacklisted sites amongst the top 1-million websites.