Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • 42% of the top 100,000 sites on the web are using software that leaves them vulnerable to attack, or have already been compromised in some way. — Menlo Security, 2018
  • 4,600 phishing sites use legitimate hosting services to avoid detection. — Menlo Security, 2018

Many of what we consider the safest places on the web are actually quite risky for business professionals and consumers to visit, according to a new report from Menlo Security. Some 42% of the top 100,000 sites on the web, as ranked by Alexa, are either using software that opens them up to attack, or have already been compromised in some way, the report found.

Cybercriminals have exploited long-held measures of trust, including the reputation or category of certain websites, to avoid detection and increase the effectiveness of their attacks, according to the report. That means businesses must be extra vigilant in ensuring cyber hygiene practices are in place, including employee education and several layers of protection.

The average website connects to 25 background sites for content, such as video clips or advertisements, the report noted. Most enterprise security administrators lack the necessary resources to monitor these background connections, which leaves the business vulnerable to backdoor attacks.

SEE: Security awareness and training policy (Tech Pro Research)

Further, efforts to sort sites into different categories are largely ineffective, the report found. For example, sites that fall into the “Business and Economy” category experienced the most security incidents in the past year, and hosted more phishing sites and contained more sites running vulnerable software, such as PHP 5.3.3, than any other category–including “Gambling.”

Some 49% of “News and Media” sites were considered risky, as were 45% of “Entertainment and Arts” sites, and 41% of “Travel” sites, the report found.

Phishing attacks are also growing increasingly sophisticated: Some 4,600 phishing sites found in the report use legitimate hosting services to avoid detection, the report noted. It is easier for attackers to set up a subdomain on a legitimate hosting service than to use other alternatives, and these domains are often whitelisted by companies.

Typosquatting–or the act of setting up fake domains containing misspelled words to be used for phishing and malware delivery–remains alive and well, the report found. Some 19% of categorized typosquatting sites were found in trusted categories, such as financial services and news and media.

“This report confirms what most CISOs already know: that a false sense of security is a dangerous thing when using the web,” Amir Ben-Efraim, CEO of Menlo Security, said in a press release. “Despite website operators’ best efforts, cyber-criminals can now exploit widespread vulnerabilities to compromise even the most trusted brands on the web.”