About 90% of web attacks take place through legitimate, compromised websites, up from 80% in 2009, according to Symantec Hosted Services (SHS).
In theory almost any web site is capable of hosting malware or forwarding to a site that does, said Dan Bleaken, senior malware data analyst, SHS.
One compromised website, visited by an unsuspecting user, may be all that is required to breach the defences of a business, he said.
This could cause disruption, loss, or damage to reputation, said Bleaken, particularly if sensitive systems are breached, the malware is spread within the company networks, or valuable information is stolen.
A classic attack that uses multiple legitimate websites, could start with an online search for any topic of interest, he said.
A link in the search results could lead, for example, to what appears to be a YouTube webpage, which is in fact a fake on a legitimate website that has been compromised.
When the play button is clicked, a window pops up asking the user to 'install media codec'.
If the user clicks 'OK', an executable, malicious file is downloaded from yet another legitimate, compromised website .
A window pops up prompting the user to run the executable, which then connects to a botnet, causing another popup window to appear.
The user is then informed that infected files have been detected and invited to click a button to remove the files.
This button links to a payment page to trick users into making payments to criminals for bogus software purporting to fix the problem.
In this example, attackers used these sites to store executable files under various directories, either created when they compromised the site or already used by the site for some other purpose, said Bleaken.
Legitimate sites affected in this way may be unaware for days, even weeks that harmful malware is being downloaded from their site, he said.