Threat Activity Trends

Threat Activity Trends | Spam and Fraud Activity Trends | Malicious Website Activity | Analysis of Malicious Web Activity by Attack Toolkits | Analysis of Web-based Spyware and Adware Activity | Analysis of Web Policy Risks from Inappropriate Use | Analysis of Website Categories Exploited to Deliver Malicious Code | Bot-infected Computers | Analysis of Mobile Threats | Data Breaches that Could Lead to Identity Theft

Analysis of Website Categories Exploited to Deliver Malicious Code


As organizations seek to implement appropriate levels of control in order to minimize risk levels from uncontrolled Web access, it is important to understand the level of threat posed by certain classifications of websites and categories in order to provide better understanding of the types of legitimate websites that may be more susceptible to being compromised and potentially expose users to greater levels of risk.


This metric assesses the classification of malicious Web-sites blocked by users of Norton Safe Web4 technology. Data is collected anonymously from over 50 million computers worldwide, where customers voluntarily contribute to this technology, including Norton Community Watch. Norton Safe Web is processing more than 2 billion real-time rating requests each day, and monitoring over 12 million daily software-downloads. Reputation ratings are being tracked for more than 25 million Web sites.
This metric provides an indication of the levels of infection of legitimate Web sites that have been compromised or abused for malicious purposes. The malicious URLs identified by the Safe Web technology were classified by category using the Symantec Rulespace5 technology. RuleSpace proactively categorizes Web sites into more than 80 categories in 17 languages.
Figure A.13. Malicious Web activity: Categories that delivered malicious code, 2011. Source: Symantec
Figure A.14. Malicious Web activity: Infected Web sites by category, 2011. Source: Symantec
Figure A.15. Malicious Web activity: Malicious code by number of infections per site, 2011. Source: Symantec
Figure A.16. Malicious Web activity: Fake anti-virus by category, 2011. Source: Symantec
Figure A.17. Malicious Web activity: Browser exploits by category, 2011. Source: Symantec
Figure A.18. Malicious Web activity: Social networking attacks by category, 2011. Source: Symantec


  • Approximately 61% of Web sites used to distribute malware were identified as legitimate, compromised Web sites. This figure excludes URLs that contained just an IP address and did not include general domain parking and pay-per-click Web sites.
  • 19.8% of malicious Web site activity on legitimate, compromised domains was classified in the Blogs and Web Communications category.
  • Interestingly, pornographic Web sites were not exploited much overall, accounting for 2.4% of all infected Web sites; however, infected pornographic Web sites were found to host a greater number of threats than other categories (except for Religion/Ideologies and Hosting/Personal Hosted Sites – see below). Ranked in third position in figure A16, approximately 25 threats were identified on each infected pornographic Web site, with 44% of these threats being identified as Trojans.
  • 1 in 67 web sites classified as Blogs/Web Communications were found to be compromised with potentially harmful malicious content, compared with 1 in 164 for Education/Reference.
  • Web sites classified as Religion/Ideologies were found to host the greatest number of threats per site than other categories, with an average of 115 threats per Web sites, the majority of which related to Fake or Rogue Antivirus software.
  • Analysis of Web sites that were used to deliver drive-by Fake Antivirus attacks revealed that 82% of threats found on compromised Religion/Ideologies Web sites were related to Fake Antivirus software. 26.4% of Fake Antivirus attacks were found on compromised Religion/Ideologies Web sites.
  • Analysis of Web sites that were used to deliver attacks using browser exploits revealed that 66.5% of threats found on compromised Business / Economy Web sites were related to browser exploits. 23.3% of browser exploit attacks were found on compromised Business / Economy Web sites.
  • 53% of attacks used on social networking Web sites were related to malware hosted on compromised Blogs / Web Communications Web sites. This is where a URL hyperlink for a compromised Web site is shared on a social network. Compromised Hosting/ Personal hosted sites similarly accounted for 44% of social networking attacks.
4For more details about Norton Safe Web, please visit

5For more details about Symantec Rulespace, please visit