Looks can be deceiving: Many of the supposedly safest neighborhoods of the web are in fact risky places to visit.

Menlo Security’s third annual State of the Web report has found that 42% of the top 100,000 sites on the web, as ranked by Alexa, either are using software that leaves them vulnerable to attack or have already been compromised in some way.

Menlo deems a site risky if any one of three criteria is met: The site, either the homepage or associated background sites, is running vulnerable software; it has been used to distribute malware or launch attacks; or the site has suffered a security breach in the past 12 months.

One rarely discussed problem is that the average website connects to 25 background sites for content, such as video clips and online ads. Most enterprise security administrators don't have tools in place to monitor these connections, leaving them vulnerable to backdoor attacks.

Further, efforts to sort sites into "good" and "bad" simply by using categories are largely ineffectual. The business and economy category, for example, had more known bad sites (39% were found to be risky) and sites that had been used to launch attacks or distribute malicious code than did the gambling category – a counterintuitive finding at best.

Similarly, 49% of news and media sites met Menlo's criteria as "risky,” as did 38% of shopping sites.

Phishing and typosquatting also regularly occurs on sites in widely-trusted categories.

"This report confirms what most CISOs already know: that a false sense of security is a dangerous thing when using the web," said Amir Ben-Efraim, CEO of Menlo Security. "Despite website operators' best efforts, cybercriminals can now exploit widespread vulnerabilities to compromise even the most trusted brands on the web."

Email hackers meanwhile are using trusted hosting services to set up phishing sites, giving them safe-looking URLs. In 2017, Menlo discovered 80,000 phishing sites over the course of the year; of these, 4,600, were using legitimate hosting services.

“It is far easier to set up a subdomain on a legitimate hosting service than use other alternatives – such such as trying to hack a popular, well-defended site or to set up a brand-new domain and use it until it is blocked by web security firms,” Menlo said in the report. “Legitimate domains are often whitelisted by companies and other organizations out of a false sense of security, giving cover to phishing sites. Also, hosting services typically allow customers to set up multiple subdomains. For example, researchers found 15 phishing sites hosted on the world’s 10 most popular domains.”