68 Percent of Malware Now Found on Legitimate Sites

LONDON and SAN MATEO, Calif. —June 5, 2008—In a Security Brief issued today, ScanSafe, the pioneer and leading provider of SaaS (software-as-a-service) Web security, reported that 68 per cent of all Web-based malware it blocked on behalf of its corporate customers in May was found on legitimate sites, up more than 407 per cent compared to May 2007.

The increase is the result of an unprecedented series of attacks that have outfitted hundreds of thousands of legitimate sites with malicious scripts and iframes designed to silently deliver password stealers and backdoors to visitors’ computers.
“The compromise techniques being used now allow hackers to quickly ‘colonize’ thousands of legitimate sites, from big brand name sites like Wal-Mart, to smaller but equally legitimate sites,” says Mary Landesman, senior security researcher at ScanSafe.

The Security Brief is based on a comparison of the Web-threat landscape in May 2007—six months before these large-scale attacks—with data from May 2008. It is based on the more than 10 billion Web requests ScanSafe scans each month for its corporate customers in more than 60 countries.

Specifically, the company reported a 220 per cent increase in the amount of Web-based malware—viruses, Trojans, password stealers and other malicious code. The fastest growing category of threats is backdoor and password-stealing malware, which increased 855 per cent from May 2007 to May 2008, putting sensitive corporate data at serious risk of theft.

The Web was riddled with compromised sites in May 2008, largely as a result of ongoing SQL injection attacks that began in late October 2007, affecting hundreds of thousands of websites. In parallel, another highly prolific series of attacks has been carried out through the use of stolen FTP credentials. Among legitimate sites compromised in May 2008 were,,,, and

“Over the last year malware authors have moved away from direct attacks—attacks in which they directly interact with victims, via social engineering for example—to indirect attacks accomplished through compromised websites. These indirect attacks not only leverage stealthier techniques, like the insertion of an invisible iframe, but they leverage legitimate, name brand sites that Web surfers implicitly trust. The net result is that you absolutely cannot assume that because you are on a brand name or well known site that it is a safe site. We’ve been saying this for some time but it bears repeating in light of this astronomical increase. Currently, thousands of legitimate sites are being compromised daily,” says Landesman.

For a copy of the ScanSafe STAT Security Brief: A Comparative Look at the State of Web Security, May 2007-May 2008, please visit

About ScanSafe
ScanSafe is the largest global provider of SaaS Web Security, ensuring a safe and productive Internet environment for businesses. ScanSafe solutions keep viruses and spyware off corporate networks and allow businesses to control and secure the use of the Web and instant messaging. As a fully managed service, ScanSafe's solutions require no hardware, upfront capital costs or maintenance and provide unparalleled real-time threat protection. Powered by its proactive, multilayered Outbreak Intelligence™ threat detection technology, ScanSafe scans more than 10 billion Web requests and blocks 100 million threats each month for customers in over 60 countries.

With offices in London and San Mateo, California, ScanSafe is privately owned and financed by Benchmark Capital and Scale Venture Partners. The company received a 2007 CODiE award for Best Software as a Service Solution, the 2008 and 2007 SC Magazine Europe Award for Best Content Security Solution and was named one of Red Herring’s Top 100 Technology companies. For more information, visit


Media Contacts:
Susie Bailey
Office: +44 (0) 20 7959 0648
Mobile: +44 (0) 7875 360 437

In the U.S.
Sheila O’Neill ScanSafe
Office: +1.650.294.3463
Mobile: +1.303.324.7310