Follow us

18.5 million websites are ready to hack their visitors

Visiting websites may not always be fun. Sometimes it can leave some malicious content behind

Updated: October 27, 2021 By Hamna Imran

Title image for Websites can hack your device

Image source – unsplash.com

Just like everything that glitters isn't gold, every website on the Internet isn't reliable. With the evolution of technology, cybercriminals are also constantly improvising. Today, hackers are far more sophisticated than in the early 2000s.

How many websites do you visit daily? And, what can they do to your device?

In 2021, websites are limited to entertainment and are a means of business, education, news, and whatnot.

With over 18.5 million unsecured websites at the moment, how sure are you about your Internet's security?

Can visiting a website hack your device?

The short answer is yes!

Visiting unsecured websites can indeed hack your device and steal important information.

These unencrypted websites often request your passwords or credit card information, but some may directly download malware on your device without any permission.

With the outbreak of Covid-19, people have been spending more time on the Internet. Quarantine increased web activity by more than 47%.

People headed to various sites for news watched movies and found other entertainment means in quarantine. It has significantly increased accidents caused by unsecured and malicious websites.

According to the CEO of Tinfoil Security, Ainsley Braun, out of all the websites scanned, 75% have a vulnerability on the first scan.

In 2014, 1.2 billion passwords and login information from 420,000 websites around the globe was stolen by a group of hackers. No significant damage has been caused so far, but the real intent of hacking remains a mystery.

Types of unsecured websites

Cybercriminals opt for various ways to attack through websites. It can be through.

Malvertising or redirecting users to malicious or phishing websites, which then installs malware.

Malware website

A malware website refers to any website containing malicious content, including viruses, time bombs, worms, infected files, Trojan horses, or other harmful programs. These unsafe websites are curated to cause damage to the devices accessing them.

In most cases, the malware installs when a particular file downloads from the site, but sometimes they can begin installing without the user's knowledge.

In 2018, British Airways suffered a data breach with up to 400,000 transactions being affected. The British Airway's website redirects to a malicious website that stole victims' personal and payment information.

Later, the airline was fined £183m along with a damaged reputation.

Phishing website

Phishing websites appear as authentic sites but are a means of accessing confidential information for cybercriminals. The pop-ups asking for personal information to obtain further access may be a way of stealing that information.

Links to these websites are usually sent through emails or SMS to the targeted people.

According to a Google survey in September 2020, around 1,960,000 phishing websites were found. Phishing websites have increased over 2800% in recent ten years.

BlackBerry published research in 2020 regarding a group of hackers named BAHAMUT. They targeted following people through malicious websites.

  • Businesses
  • Consumers
  • Government officials

The malicious websites contained news headlines from authentic sources. The links redirected them to phishing websites harvesting credentials of users.

  • Yahoo
  • Google
  • Microsoft
  • Telegram

Users were later redirected to the authentic page.

Disinformation websites

Disinformation websites deliberately publish fake news. The primary reason behind this is to attract web traffic, while some may publish false news for propaganda.

With over 4 billion people searching the web every day, these false news websites benefit a lot.

During the pandemic, the number of disinformation websites rapidly increased. Around 6000 people were hospitalized in the first three months of the pandemic due to misinformation regarding Covid-19.

Therefore, it is always a good idea to double-check a piece of news before reacting or passing it on.

Malvertising

Cybercriminals inject malicious code into authentic websites. This code redirects users to malicious websites. Attackers can easily target users of reputable websites like The New York Times Online, Spotify, and numerous others.

Malvertising is a significant threat to the reputation of publishers and often result in loss of traffic.

In 2016, The New York Times, BBC, AOL, and NFL were tricked into running a malicious ad that hijacked computers and demanded ransom for recovery.

In another attack, millions of web surfers fell prey to malicious ads that embedded an attack code. The display ads encountered by millions of users called themselves "Browser Defence" and "Broxu."

This is what the display ads looked like

Image source – eset.com

These ads redirected users to Stegano, an exploit kit, and loaded an Adobe Flash file that exploited three vulnerabilities CVE-2015-8651, CVE-2016-1019, and CVE-2016-4117, depending upon the version of Flash found on the victim's system.

Why are unsecured websites dangerous?

Malware and web-based attacks are the costliest cyberattacks.

With everyone storing personal information digitally, it's crucial to ensure your device's protection.

Malware installed through these unsecured websites can serve numerous purposes like

  • Extraction of data from user's device
  • Controlling device
  • Use devise as an entry point to any network
  • Access user's location and activity

Phishing websites can result in crimes like identity theft and cause financial damage.

Even if you're not entering any personal information, the malicious website can get access to your system and alter settings however it fancies.

Malvertising can:

  • Install malware or adware on is user's device
  • Redirect users to malicious or phishing websites

Some of the malware varieties involved in breaches are:

  • Password dumper
  • Capture app data
  • Ransomware
  • Downloader
  • Trojan
  • Capture stored data
  • Export data
  • Exploit vulnerability
  • Scan network
  • RAM scraper

When you accidentally visit a malicious website, the following things can happen:

  • Drive-by-downloads install themselves without any permission. They commonly target Flash, adobe reader, Silverlight plugins, or internet browsers
  • JavaScript infections- after downloading, the malware runs malicious code in the device. Then it could scrape sensitive information or redirect the user to other malicious sites. Google Docs and many other web applications use JavaScript
  • URL injections can target websites like WordPress easily. Hackers embed malicious code in the website, which redirects the user to malicious websites automatically. Browser hijackers can also do this

Current issues the security officials are most concerned about

The risk of a data breach makes it essential to avoid any web-based threat. The average cost of a data breach is around $3.86 million.

How to identify an unsecured website?

There are as many malicious websites over the Internet as there are legitimate websites. Here, the question arises, "But how to identify a malicious website?"

Well, there are some flags you can notice to identify a malicious website.

Some common ways to identify malicious websites

While these are some outdated tactics, you'll need to be more careful to identify sophisticated malicious websites. These tips will surely help you:

  • Look whether the site address has "HTTPS" in it. If it doesn't, the chances of it being a malicious site are high.
  • Observe the URLs. If they have incorrect spellings or appear suspicious, leave!

For instance, www.google.com seems like a valid URL but www.google[something].com seems suspicious.

Suspicious links

Another way is to pay attention to small symbols along with the URLs.

Symbols along with URLs

Image source – uvic.ca

On 24 July 2018, Google declared websites using HTTP unsecure, after which a massive number of websites upgraded it to HTTPS. But why is HTTPS important?

HyperText Transfer Protocol Secure (HTTPS) makes the communication between browser and website secure.

HTTP vs HTTPS

Image source – seopressor.com

Unfortunately, several famous pages are still not on board.

Unsecure websites

6% of the world's largest 1,803 websites, which makes up to 100 websites, are unsecure as they are still using HTTP. Some of these are mentioned below.

Top Unsecure Websites

Image source – avira.com

The top 10 host countries of malicious IP addresses, according to Webroot, an internet security provider, are

  1. USA
  2. Russia
  3. China
  4. India
  5. Vietnam
  6. Indonesia
  7. Netherlands
  8. Ukraine
  9. Taiwan
  10. Germany

In 2020, the following were some most commonly blocked domains.

Note: You should not visit any of the domains listed in the table below. Doing so will put you at risk of a cyberattack. The [ ] are inserted to make links un-clickable.


Domain
Threat Type
Hits
bellsyscdn[.]com
Malware
736477
findresults[.]newminer-sage[.]com
Malware
9216
newage[.]radnewage[.]com
Malware
9005
toknowall[.]com
Malware
8957
nextyourcontent[.]com
Compromised
6480
h1[.]ripway[.]com
Malware
6437
differentia[.]ru
Compromised
6158
uk[.]at[.]sharebutton[.]co
Phishing
5976
disorderstatus[.]ru
Compromised
5663

The topmost malicious file types that users are encouraged to download on unsecured websites are:

  • Exe
  • Pdf
  • Swf
  • Doc
  • Apk
  • Msi
  • Rtf
  • Js
  • Html
  • xls

Ways to protect from malicious websites

Although you may not be able to identify every malicious website quickly, here are a few ways you can protect yourself from a few.

  • Avoid clicking links in your emails. Instead, type the link in your browser.
  • If the link seems suspicious, don't click it
  • Carefully read the URL. If there are any spelling mistakes or don't appear legitimate, avoid clicking them
  • Right-clicking on the link and clicking properties will lead to the destination of that link.
  • Look for the lock icon and 'HTTPS' while opening a link
  • Keep your web browser update
  • Utilize the security tools of your internet browser. They filter most of the insecure websites and often display warnings before proceeding

Using network monitoring tools is also helpful in protecting against web-based attacks.

To enable "always use HTTPS" on Google:

  • Sign in to your Gmail account
  • Select Settings and click on Mail Settings
  • Set Browser Connection to 'Always use HTTPS' in the General tab
  • Save changes

Other security measures include downloading Antivirus with ad-blocking functions like Malwarebytes and using a URL decoder to know what is hidden in it.

Infographic

The infographic includes some crucial statistics of attacks through websites and average costs of data breached, along with some serious threats.

An Infographic showing the threats to website users

Feel free to share the code of infographics

<iframe width="574" height="2597" frameborder="0" scrolling="no" style="overflow-y:hidden;" src="/sites/default/files/pictures/security/can-website-hack-your-device/can-website-hack-your-device-8.jpg"></iframe>

Conclusion

In most cases, the host websites are trustworthy, and the ads or attachments seem harmless, making it difficult to spot an insecure website.

In 2021 it is challenging to protect ourselves from these web-based attacks, but keen observation and some good security tools can indeed help us.

Stay tuned for more valuable content!

Tags: 
Security
Author
Hamna Imran
Cyber Security student and keen learner, writing articles for several other websites.

Leave a comment

click to select