Visitors to porn sites are at serious risk of being exploited by cyber criminals, a study has suggested.

It found that many sites harboured malware or used "shady" practices to squeeze money out of their visitors.

By creating their own porn sites, researchers found that many consumers were vulnerable to known bugs and loopholes.

Competition among porn sites makes the online adult industry ripe for abuse by hi-tech criminals.

"They have almost inadvertently created a whole ecosystem that's easy to abuse for cyber crime on a large scale," said Dr Gilbert Wondracek, a computer security expert from the International Secure System Lab, which led the study.

Hidden danger

Dr Wondracek said the team embarked on the study to find out the truth of the widely held view that porn sites are dangerous to visit.

"There are studies looking at the profitability and economics of the industry but we are the first to come at it from a security and more technical point of view," he said.

Statistics suggest that approximately 12% of all websites offer pornography of one sort or another and that 70% of men under 24 browse these sites.

As a first step the researchers trawled pornographic sites to classify what they found and how the industry was structured.

The big distinction was between free sites and those that charge for access. Typically pay sites produce content they give to free sites to drum up traffic.

More than 90% of the 35,000 pornographic domains analysed in the study were free sites.

The researchers analysed the 269,000 websites hosted on the 35,000 domains to see which hosted malicious software. About 3.23% of these sites were booby-trapped with adware, spyware and viruses.

Many others used "shady" practices to keep visitors onsite. These included JavaScript catchers that made it hard for people to leave a page.

Others use scripts that redirect visitors, so that when they click on a link they do not see the video or image they were expecting but are passed to an affiliate site.

The vast majority of sites engage in this trading of traffic or clicks, said Dr Wondracek.

"Visitors are being abused as click bots," he said.

As most sites were free, the only resource they could exploit as a revenue source was this traffic.

"It's cut-throat competition," said Dr Wondracek. "Everybody tries to get as much traffic as possible."

Finding victims

Traffic is used in many different ways. Popular sites sell it to those looking for an audience; some is used to direct visitors to affiliates who provide content; and sometimes it is used to boost rankings in search engine indexes.

It could also be a great way for hi-tech criminals to get a ready source of victims, said Dr Wondracek.

To test this idea the researchers created two adult sites of their own, populated them with free content from porn producers and spent $160 (£108) to get traffic piped to these sites.

Analysis of the 49,000 visitors sent to their sample sites showed that 20,000 were using a computer and browser combination that was vulnerable to at least one known exploit.

"As an attacker you want to make your life easier," said Dr Wondracek. "If you can have these 20,000 people come to a place instantly, why not?"

With many porn sites appearing in the top 100 most popular sites on the web this could mean that huge numbers of people are caught out when they browse for adult content.

While relatively few porn sites were infecting visitors, it is difficult to spot good from bad, he said.

"For the average user it might be hard to tell an honest porn site from a dishonest porn site until you click on something," he said.

Dr Wondracek recommended that anyone visiting porn sites keep their security software up to date and use the "safe browsing" modes found in many browsing programs.

The researchers presented their results at the Workshop on the Economics of Information Security held at Harvard from 7-8 June.