The vast majority of sites that push malware on their visitors are legitimate online services that have been hacked as opposed to those hosted by attackers for the purposes of distributing malicious software, Google security researchers said Tuesday.

The data, included for the first time as part of the safe browsing section of Google's regular transparency report, further challenges the myth that malware attacks happen only on disreputable sites, such as those that peddle porn, illicit software ("warez"), and similar content. For instance, on June 9 only 3,891 of the sites Google blocked as part of its Safe Browsing program were dedicated malware sites, while the remaining 39,247 sites that were filtered offered legitimate services that had been compromised.

In all, Google blocks about 10,000 sites per day as part of the program, which is designed to help people using Firefox, Chrome, and other participating browsers to steer clear of phishing scams and drive-by malware attacks. The program is also designed to inform webmasters of infections hitting their site and to take steps to fix the problems. In all, the Safe Browsing program helps protect about 1 billion people per day.

The new data helps flesh out anecdotal evidence that for years has suggested that many of the sites used to infect end-user computers are run by mom-and-pop webmasters, and in some cases large companies. The operator of a software developer website that compromised computers belonging to Apple, Facebook, and other companies, for instance, had no idea it had been booby-trapped by attackers. In the past few months, tens of thousands of sites—including those operated by The Los Angeles Times, Seagate, and other reputable companies—have come under the spell of an exploitation toolkit known as Darkleech.

The addition of malware and phishing data to the transparency report has other useful intelligence for security researchers, including a breakdown of the ISP networks most responsible for distributing malware.