Researchers: Adult Websites Present Massive Security Risks
YNOT – Adult website operators “have business models based on very questionable practices” like exploitation of surfers’ naiveté, intentional deception, blind links and an “at-any-cost” focus on the bottom line, according to a Vienna-based cyber-security firm’s research.
A team at International Secure Systems Lab spent months gathering data about 35,000 free and pay pornographic sites before building two adult websites of their own to test surfer behavior and security awareness. They were disheartened by the results.
For starters, the researchers determined that the majority of surfers who routinely visit porn sites do not run up-to-date security software, leaving them vulnerable to drive-by malware attacks and other intentional or accidental exposure to cybercriminals, with potentially disastrous consequences. If the criminals don’t operate adult websites themselves, they have mutually beneficial deals with those who do, the researchers reported.
According to ISSL research fellow Gilbert Wondracek, one of the biggest problems with free porn sites is economic. Because the owners usually operate on a tight profit margin in a cutthroat industry, they “cut corners” when it comes to securing web servers and applications from compromise by outsiders and sometimes — intentionally or otherwise — resort to partnerships with cyber-criminals in order to increase revenues. More than one-third of the free sites Wondracek and his partners studied contained attempts to mislead or misdirect visitors, hijack browsers, or install unwanted software. Thirty percent of free sites included blind links that led to other sites known to harbor major security risks.
Even pay sites resort to blind links, the researchers said: 10.9 percent of the pay sites studied contained links to infected destinations.
“This is problematic, as it not only leaves the user unaware of the link’s destination, but could also potentially be used to mask malicious activities such as cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks,” the researchers noted in their report.
Even more alarming, according to the report: More than 3 percent of all the adult websites studied harbored malware themselves, including software designed to execute remote code, make changes to a user’s system registry or auto-download spyware, viruses and Trojan horses.
The researchers paid three traffic brokers a total of U.S. $161.84 to direct 49,000 visitors to the two websites they constructed specifically to gather information about the kinds of surfers who visit adult websites and whether their computers included protection from common online threats. Almost half of the traffic “had at least one vulnerable [Flash, PDF or Windows] component installed, and more than 5,700 visitors had multiple vulnerable components,” the report noted.
“If we were the bad guys, we could have infected all of them with malware,” Wondracek told PCWorld.com.
Wondracek and teammates Thorsten Holz, Christian Platzer, Engin Kirda and Christopher Kruegel said a very small investment on the part of a few dishonest website operators can potentially compromise thousands of computers.
They also noted about 12 percent of all web pages are pornographic.