Threat Activity Trends

Threat Activity Trends | Spam and Fraud Activity Trends | Malicious Website Activity | Analysis of Malicious Web Activity by Attack Toolkits | Analysis of Web-based Spyware and Adware Activity | Analysis of Web Policy Risks from Inappropriate Use | Analysis of Website Categories Exploited to Deliver Malicious Code | Bot-infected Computers | Analysis of Mobile Threats | Data Breaches that Could Lead to Identity Theft

Malicious Website Activity


The circumstances and implications of Web-based attacks vary widely. They may target specific businesses or organizations, or they may be widespread attacks of opportunity that exploit current events, zero-day vulnerabilities, or recently patched and publicized vulnerabilities that some users have yet to protect themselves against. While major attacks may have individual importance and often receive significant attention when they occur, examining overall Web-based attacks provides insight into the threat landscape and how attack patterns may be shifting. Analysis of the underlying trend can provide insight into potential shifts in Web-based attack usage and can assist in determining if attackers are more or less likely to employ Web-based attacks in the future.


This metric assesses changes to the prevalence of Web-based attack activity by tracking the trend in the average number of malicious websites blocked each day by users of Web security services, for websites that have been compromised and contain malicious code. Underlying trends observed in the sample data provide a reasonable representation of overall malicious Web-based activity trends.
This reflects the rate at which websites are being compromised or created for the purpose of spreading malicious content. Often this number is higher when Web-based malware is in circulation for a longer period of time to widen its potential spread and increase its longevity. As detection for Web-based malware increases, the number of new websites blocked decreases and the proportion of new malware begins to rise, but initially on fewer websites.


Figure A.8. Malicious website activity, 2010-2011. Source: Symantec


  • The average number of malicious websites blocked each day rose by 36.0% in 2011 to 4,595, compared with 3,379 in 2010.
  • The peak rate of malicious activity was 9,315 in December 2011, when approximately double the average number of malicious websites was being blocked each day. This increase was related to a rise in the number of malicious IFRAME tags being blocked. Detection for a malicious IFRAME is triggered in HTML files that contain hidden IFRAME elements with JavaScript code that attempts to perform malicious actions on the computer; for example, when visiting a malicious Web page, the code attempts to quietly direct the user to a malicious URL while the current page is loading.
  • In 2011, the number of malicious domains blocked rose to 55,294 compared with 42,926 in 2010, an increase of 28.8%.
  • Further analysis of malicious code activity may be found in Appendix X: Malicious Code Trends - Top Malicious Code Families.