Connect with us

Hi, what are you looking for?



Dozens of Alexa Top 25,000 Domains Serving Malware to Millions, Firm Says

An analysis of the Alexa top 25,000 most popular domains revealed 58 were serving malicious content during the month of February – translating to more than 10.5 million users being targeted by malware, according to research by Barracuda Networks.

An analysis of the Alexa top 25,000 most popular domains revealed 58 were serving malicious content during the month of February – translating to more than 10.5 million users being targeted by malware, according to research by Barracuda Networks.

The firm also found that on average, two of the Alexa top 25,000 domains serve malicious content each day. In addition, Alexa top-ranked domains served malicious content 23 of the 29 days in February, underscoring that the problem is persistent, argued Barracuda Networks research consultant Paul Royal.

“While Alexa does not publish the total number of page views it uses to determine site rankings, there exists sufficient information to determine that number,” Royal explained in a blog post. “As an example, Wikipedia, which represented ~0.54% of total Alexa views in February 2012, reported ~15.75 billion views for the previous month. Working backwards, we can thus calculate that Alexa used an average of (15,756 * 1,000,000)/(29 * (0.5416/100)) = ~100.31 billion views each day to rank the popularity of websites.”

“Using [that] number,” he continued, “we can calculate the affected views for a given site in a 24-hour period. As an example, free-tv-video-online[.]me, which via an ad network served visitors malicious content on February 13, represented ~0.0053% of the total Alexa views, which yields 5,366,895 affected views for that day. However, to estimate how many users were served exploit content, this number must be adjusted to account for the average number of views per user. Fortunately, Alexa makes this information available.”

“Continuing with the example, free-tv-video-online[.]me has an average of 7.2 views per user,” Royal added. “Thus, for this site, 5,366,895 views equates to 745,402 users served malicious content on February 13. Across all 58 sites that (directly or indirectly) served malicious content, there were 44,160,016 affected views from 10,541,379 users.”

Almost all of the sites hitting visitors with malicious content were a year old or more, and more than half of the sites were older than five years. That means attackers were specifically utilizing well-established, long-lived sites for their drive-by download operations, Royal noted.

“Of course, not every user served malicious content was compromised,” he added. “To estimate the number of successfully exploited users, we used several different sources, including Wikipedia’s browser statistics. To begin, if we examine platform and browser popularity, only about half (or 50.81%) of users (who run Windows and IE or Firefox) possess properties conducive to exploitation. According to Adobe, 73% of PC users have the Java plugin installed,” Royal noted. “According to Qualys, 42% of users with the Java plugin installed have versions vulnerable to exploitation. Thus, of 10,541,379 users served malicious content, 42% (insecure Java) of 73% (Java installed) of 50.81% (Windows and Firefox/IE), or 1,642,172, were likely compromised.”

Advertisement. Scroll to continue reading.

Just recently, an exploit targeting patched-Java vulnerability CVE-2012-0507 was observed being offered as part of the BlackHole crimeware kit. According to Rapid7, users typically lag far behind when it comes to deploying Java fixes. In the first month after a Java patch is released the fix is deployed by less than 10 percent of users, the company told SecurityWeek last week.

The domains spanned 18 different countries, meaning that the problem has no geographic barrier, Royal added.

The infographic below summarizes Barracuda Networks’ findings.

Malware Served from Popular Websites

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...