
Threat Activity Trends


Malicious Websites by Search Term


This section discusses search terms used to lure potential victims to malicious websites. Broad website categories can be determined by categorizing common search terms that result in malicious websites being visited. This may provide insight into what sort of legitimate websites attackers try to compromise the most. This may also indicate the categories of Web pages and search terms that attackers try to exploit the most when performing black hat search engine optimization (SEO). Black hat SEO is the technique of trying to get a URL ranked higher by a search engine than it would be without interference.


The data for this metric consists of a collection of unique terms used in searches that resulted in malicious websites being visited, and the number of malicious website hits that subsequently occurred. When the use of a search term results in a malicious website being visited, the incident is counted as a malicious website hit. The rank of each unique search term is then determined based on the volume of malicious website hits that have occurred. This metric analyzes the top 100 search terms based on the Latin alphabet and with logical meaning. Note that, while Symantec has categorized terms wherever possible, the “other” category consists of generic terms where no straightforward categorization was logically feasible.


Figure 4. Malicious websites by search term type
Source: Symantec Corporation


Most searches are for specific domain names: Of the volume of the top 100 search terms analyzed, 81 percent of the searches were for specific sites by domain name. This reinforces indications that attackers are attempting to capitalize on legitimate websites to target potential victims. Of this percentage, 5 percent were misspelled domain names, and all of these were in the video streaming category. This indicates that attackers were using typosquatting methods. Typosquatting is when attackers register a domain name that closely resembles a legitimate website (e.g., and then present a mock (and maliciously coded) replica website at that address in the hope that users making the typo do not realize their error. In addition, if they can get the mock site ranked high by search engines, users may think the site is valid and click on the listing without looking too closely at the actual URL.
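A defender can check for the typosquatting pattern described above by comparing hostnames seen in proxy or DNS logs against a watch list of legitimate domains. The following is an added example, not part of the Symantec report; the watch list, the sample hostnames and the function names are constructed for illustration, and all domains use the reserved `.example` TLD.

```python
# Added example: flag hostnames that are one typo away from a watched domain.
# WATCHED and SAMPLE_HOSTS are constructed placeholders, not report data.
WATCHED = ["videostream.example", "socialhub.example"]

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "ea" typed as "ae".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def normalize(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' label."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def find_lookalikes(hosts, watched=WATCHED, max_distance=1):
    """Return (host, watched_domain, distance) for near misses only.
    Exact matches are the legitimate site and are skipped."""
    findings = []
    for raw in hosts:
        host = normalize(raw)
        if host in watched:
            continue
        for legit in watched:
            d = osa_distance(host, legit)
            if 0 < d <= max_distance:
                findings.append((host, legit, d))
    return findings

SAMPLE_HOSTS = [                 # constructed log excerpt
    "www.videostream.example",   # legitimate site
    "videostraem.example",       # two letters transposed
    "videostrem.example",        # one letter omitted
    "socialhubb.example",        # one letter doubled
    "news.example",              # unrelated domain
]

if __name__ == "__main__":
    for host, legit, d in find_lookalikes(SAMPLE_HOSTS):
        print(f"{host} resembles {legit} (distance {d})")
```

The check compares whole hostnames, so it catches single-keystroke typos but not lookalikes built with extra subdomains or different TLDs.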

Attacks play on base emotions: The prominence of adult entertainment search terms in this metric is not surprising given the popularity of online adult entertainment.
  • According to one estimate, 12 percent of all websites are pornographic and over 28,000 people are viewing these sites every second.
  • One reason why attackers target adult websites is that many of these sites act as Web portals that aggregate the content of numerous other sites without any direct association with them. Given this, visitors to such portals may be more accepting of content from unknown or unfamiliar sources.
  • Another reason may be the widespread use of multimedia on these sites. Many adult sites use leading browser multimedia applications, which visitors would require in order to view content. (It should be noted that many of the search terms that Symantec categorized in adult entertainment are primarily adult video streaming websites and, thus, were not included in the video streaming category, to avoid duplicated results.)

Attackers are targeting social networks: Social networks are being used to deliver an increasing range of multimedia content. As noted with adult sites, this presents a broader selection of potential vulnerabilities for the attacker to exploit. Moreover, because social network users believe they are among friends, they may be more willing to open links or download unknown files if they trust the source. A successful attack that dupes victims in this manner can then spread further via the web of friendships, thus increasing the likelihood of successful attacks on subsequent victims.

The case of the missing plug-in: One reason for the high ranking of video streaming in this metric is a common ploy with video files online. To get victims to download malicious payloads, attackers present pop-ups or other prompts that tell the visitor that he or she requires additional components to view or open certain files. While this ploy is used across many Internet technologies, video codecs are especially exploited in this manner because there is a wide range of different platforms available for viewing video. Because of this variety, users may be more likely to accept such prompts. These “missing codecs” are often laden with malicious payloads.

Yet more multimedia: As with adult and social networking terms, the percentage of search terms observed in the video streaming category is not surprising considering the current popularity of streaming video websites. By using these sites to initiate attacks, attackers are capitalizing on a very large traffic base of users. As with adult video entertainment, in order to view content, users of general audience video streaming websites must ensure that their browsers are equipped with the necessary plug-ins. Therefore, attackers using toolkits that exploit vulnerabilities in these plug-ins may have an increased chance of success if they launch attacks from these sites.

The importance of caution: The results of this data analysis underscore how Web users should exercise caution, regardless of the websites they visit on a regular basis or those that they may visit on a one-off search for something out of the ordinary. Additionally, Web users should ensure that domain names are correctly spelled when browsing directly to a website or searching for a specific domain.