It's getting harder to know who to trust on the web, according to online safety advocates StopBadware.
The group has released its 2007 Trends in Badware report, saying the bad guys are finding new ways to place their malicious software on our computers - often by compromising websites that we trust.
With the help of one of its sponsor companies, Google, StopBadware maintains a list of 200,000 websites that are known to be associated with malicious downloads. According to Max Weinstein, a project manager with StopBadware, more than half of these sites have been hacked and don't even realise it.
In fact, this move to delivering malicious software on legitimate sites has been a disturbing trend over the past year, he said.
"It used to be that the advice to the end-user was 'keep your software up to date and then don't go to bad websites,'" he said. "You still don't want to go to those sites, but what we seen now is that you can be on a very legitimate site and have a problem."
Web surfers know that visiting gambling or pornographic sites could harm their computers, but lately attack code can be downloaded from almost anywhere.
In January, for example, the websites of Dolphin Stadium and the Miami Dolphins, hosts to the 2007 Super Bowl US football championship, were found to have been hacked and were serving up malicious software, just days before the Super Bowl. And this summer, websites that had been linked on the popular Boing Boing blog were compromised, a tactic called 'linkjacking.'
Weinstein says criminals don't necessarily have to hack a site to have it serve up malicious software. Part of the problem is in the Web 2.0 world, where sites are built up of many different components pulled from different parts of the web, it's becoming easier to sneak badware onto a legitimate site.
StopBadware has seen this happening with web advertising networks, which can easily be subverted by attackers to serve up maliciously encoded scripts and images, he said. "What we're seeing is a lot of cases where a legitimate website has an ad network, and that ad network itself, or sometimes even a subcontractor of that ad network, contains an ad that is providing badware."
"It's certainly something we are seeing in increasing numbers, probably in the past several months," Weinstein said.
eBay is looking into ways of curbing a similar problem. The online auction giant allows users to put their own images and HTML code on its site, but sometimes this leads to "bad code," said eBay chief information and security officer Dave Cullinane, speaking at an online security symposium in Santa Clara.
The company is looking at including security ratings for users as part of its reputation system to help prevent novice users from accidentally putting malicious or unwanted code on the site. "One of the things we are looking at bundling in is your level of security. As a user goes up, we'll allow you to do more things."
Under the proposed system, eBay power sellers with good security ratings would be given more free rein on the types of features they could add to their stores, Cullinane said.