If you are not familiar with March Madness, it's the single-elimination basketball tournament played each spring in the United States, currently featuring 68 college teams. It's one of THE most famous sporting events in the United States. As we head into the Sweet Sixteen bracket, we thought it might be prudent to analyze the Top 10 sports sites in the U.S. based on the Alexa ranking. These sites are the most visited around this time, with sports fans checking out the bracket to see if their favorite team is advancing to the next stage. The real question is: can these sites be a prime target for malware and ransomware?
In 2015, we released our first State of Web 2015 Vulnerability Report, which revealed that more than 1 in 3 of the top Web domains are risky and 1 in 5 of the most trusted sites are vulnerable. This report focuses on the top 10 websites in the U.S. Sports category. The data was generated by using Menlo Security's technology to instrument how much code is fetched and executed in the browser by the simple act of visiting popular websites. But why stop at just the code? Where did the code come from? How much of it is there, and what systems deliver this content? For each site we collected three data points:
- The number of scripts executed on the page (including scripts executed by "background initiated requests")
- Amount of code downloaded to your browser when your browser fetched website content
- The web server software and version reported in the response headers of the content fetched from the website
Knowing these data points should give us insight into which sites rely heavily on scripting and which do not. More scripts from more sources equates to a higher risk.
Two key points summarize the findings for the Top 10 Sports sites in the U.S.:
- Six of the top 10 sites were serving active code from risky "background sites" marked as Phishing and Other Frauds.
- Visiting the top 10 Sports sites resulted in the browser loading active code from 152 unique background domains.
Think about that for a second. When you visit the home page of these sites, your browser is executing code from an already compromised "background site" that is either part of a CDN or an ad network. And we wonder why the web is unsafe.
Top 10 sites by scripts executed
The total number of scripts executed, especially when they are fetched and executed from risky "background sites", significantly increases the risk of visiting a website. Across the top 10 sites, a number of important findings were made:
- On average, when visiting a top 10 Sports site in the U.S., your browser will execute 245 scripts
- The top website executed 513 scripts from 55 different background domains
- All top 10 Sports sites executed more than 50 scripts
Top 10 sites by amount of code
There's a fair amount of active code that the browser downloads and executes through various "background initiated requests". On one hand, this greatly facilitates tracking, CDNs and ad networks; on the other hand, it means that the top-10 site owner has little to no control over the security posture of these "background sites". We've seen a number of breaches in the recent past where a background site was breached and a visit to one of the ranked sites resulted in a malware drop.
Across the top sites, a number of key findings were made:
- On average, when visiting a top 10 US Sports Website, your browser will download 4.48MB of code
- The top site was downloading 7.99MB of code
- All 10 sites executed more than 1MB of code
Vulnerable servers powering the Top 10 Sports Sites
The final part of the report fingerprints the backend software for the top 10 sports sites to see what version of software they are running. This is important because the older the software, the higher the risk. The reported software versions were then checked against the National Vulnerability Database so we can better understand the security posture and the risks of these sites. A site in the top 10 was marked as vulnerable if either the site itself or one of the "background sites" it uses was running vulnerable software.
The key findings were:
- All 10 sites were running vulnerable versions of web server software at the time of testing
- Microsoft-IIS/8.5 was the most commonly reported vulnerable version with known software vulnerabilities
Incidentally, Apache/2.2.15 and PHP/5.3.3 were released in 2010 and are known to have a number of vulnerabilities.
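As an added illustration (not Menlo Security's tooling and not code from this post), the following Python script applies the three data points above and the server-version check to a constructed record of one page load. The sample requests, the hostnames and the flagged-version list are assumptions that stand in for real browser telemetry and an NVD lookup.

```python
from urllib.parse import urlparse

# Constructed sample of what a browser records while loading one site's home page:
# (request URL, Content-Type, bytes received, Server header). Hostnames are made up.
SAMPLE_REQUESTS = [
    ("https://www.example-sports.test/", "text/html", 120_000, "Microsoft-IIS/8.5"),
    ("https://www.example-sports.test/js/app.js", "application/javascript", 900_000, "Microsoft-IIS/8.5"),
    ("https://cdn.example-cdn.test/lib/jquery.js", "application/javascript; charset=utf-8", 90_000, "Apache/2.2.15"),
    ("https://ads.example-ads.test/tag.js", "text/javascript", 40_000, "nginx"),
    ("https://ads.example-ads.test/pixel.gif", "image/gif", 43, "nginx"),
    ("https://track.example-track.test/t.js", "application/x-javascript", 15_000, "Apache/2.4.7"),
]

# Constructed watch-list standing in for an NVD lookup; it holds the banners this post names.
FLAGGED_SERVER_VERSIONS = {"Microsoft-IIS/8.5", "Apache/2.2.15", "PHP/5.3.3"}

SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}


def is_first_party(host, site_domain):
    """A host is first-party if it is the site's domain or a subdomain of it."""
    return host == site_domain or host.endswith("." + site_domain)


def analyze_page_load(requests, site_domain):
    """Summarise one page load the way the report does: scripts executed, bytes
    downloaded, unique script-serving background domains, and hosts whose Server
    banner is flagged. The site is vulnerable if it or any background site is."""
    scripts, total_bytes = 0, 0
    background_domains, flagged = set(), {}
    for url, content_type, size, server in requests:
        host = urlparse(url).hostname or ""
        total_bytes += size
        mime = content_type.split(";")[0].strip().lower()  # drop charset parameters
        if mime in SCRIPT_TYPES:
            scripts += 1
            if not is_first_party(host, site_domain):
                background_domains.add(host)
        if server in FLAGGED_SERVER_VERSIONS:
            flagged[host] = server
    return {
        "scripts": scripts,
        "bytes": total_bytes,
        "megabytes": round(total_bytes / 1_000_000, 2),
        "background_domains": sorted(background_domains),
        "flagged_servers": flagged,
        "vulnerable": bool(flagged),
    }


if __name__ == "__main__":
    print(analyze_page_load(SAMPLE_REQUESTS, "example-sports.test"))
```

Real measurements would feed the function with a browser's request log (for example a HAR export) instead of the constructed list.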
What can we learn from this quick snapshot of the 10 most popular websites in the U.S. Sports category? There are many legitimate reasons why developers use scripts to enhance the user experience of a website today, but attackers can likewise use scripting capabilities for iframe redirects and malvertising links to compromise browsers.
Security professionals have been using browser plugins like NoScript for years; however, it makes the Web surfing experience much harder, and for many non-technical users it is not really an option to deploy, meaning the vast majority of users cannot make an educated choice on script permissions.
The main takeaway is that going to any popular website is now associated with some risk, as we see play out in numerous media stories every week. The recent Pagefair hack should be a warning to everyone that trusted websites take content from many entities of varying security postures. If you knew that an employee going to a top 10 Sports website in the U.S. exposes their browser to more than 513 scripts from domains already marked as malicious, would it make you think twice?