Tuesday, August 7, 2012

Most common threats in top blacklisted sites

The vast majority of the most popular blacklisted websites contain a piece of malicious JavaScript inline. These sites were mostly hijacked by attackers and the malicious code can usually be linked to the Blackhole exploit kit.

Malicious code found on top blacklisted sites
I was surprised to find malicious Java applets in second place, having been found on 10% of the blocked sites. Malicious iFRAMEs were the third most prevalent infection and generally resulted from  mass SQL injection attacks. Only 2% of the sites are trying to foil users into downloading a malicious piece of code through a fake AV, Flash or codec page.

The scam and spam sites are mostly survey scams (the-rewardline.com, station-awardz-central.com, channelrewardscenter.org, etc.) and work-from-home scams (financereports.co). These sites have been blocked by Google Safe Browsing for months.

Since most the blocked sites are legitimate sites with high traffic, they quickly get cleaned up and removed from the Google blacklist. While the average number of days a top-site is blocked by Google is 7 days, the graph below shows that the vast majority are blocked for only a few days:


The number of top-domains blacklisted, can vary considerably on a daily basis, but the trend is upward - from an average of 400 sites in May to more than 1,000 in July.

Number of top-websites blacklisted daily by Google

Here are the top-ranked websites blacklisted by Google since May 2012:

Domain Alexa rank Country
blog.com 681 PT
fatakat.com 699 US
ziddu.com 878 GB
warez-bb.org 1,029 RU
vanguardngr.com 1,528 US
prlog.org 1,555 US
damnlol.com 1,949 US
arabseed.com 2,002 US
h33t.com 2,213 CA
geo.tv 2,606 GB

Small or big, popular or not, all websites are under attack. No domain can be fully trusted and you never know if attackers managed to breach the protections of the website that you're currently on.

2 comments:

Anonymous said...

I find this hard to believe. The majority of the pages contain malicious script code on the site and do not redirect to a different sever that contains the malicious script code?

Julien Sobrier said...

@Anonymous Most pages contain inline JavaScript that loads an IFRAME on the same page, so the user do not leave the original site.