Infected web pages are still the major threat faced by Web site owners and users, with an average of about 9 500 new Web pages infected every day during May. This brings the total of Web pages identified as hosting malicious code during May to 304 000. 

Iframe, which works by injecting malicious code onto legitimate web pages, continues to dominate the chart, accounting for almost two-thirds (65,5%) of all web-based threats in May.
Three newcomers, Redlof, Roor and Soraci, are all appending viruses, infecting, amongst others, HTM, HTML and HTT files.
The appearance of these relatively old viruses argues that many Web administrators are failing to keep their Web sites safe from hackers intent on compromising their pages.
"Attacks spreading on the web are becoming more frequent and more problematic for businesses every month," says Carole Theriault, senior security consultant at Sophos. "Malicious sites don't need to host malware to be dangerous – we are also seeing and blocking access to 600 new phishing pages each day.
"It's no longer enough for businesses simply to filter Web sites based on category – the real nasty attacks are most often found lurking on legitimate Web pages. This is a wake up call for organizations with a Web site: being out of date with patches and running inadequate security has very real risks."
China, responsible for hosting more than 50% of infected Web pages identified by Sophos, has retained its position at the top of the chart. The country's continued dominance is largely down to increased reports of Iframe, which has been widely reported on unprotected Chinese web pages.
Thailand has entered the chart for the first time at number five. Sophos research found that many of the infected Web pages hosted in Thailand are on government Web sites that have been infected by malware.
"The fact that malware is being found on legitimate government Web sites shows again that any organisation can be hit if it is not vigilant," says Theriault. "Web surfers need to be careful too – they are the ones that these sites are targeting: be wary of spam which entices you to click on web links, even if the link looks legitimate."
In May, Sober was the most prevalent email-borne attack, toppling Netsky from its top position and accounting for almost one-third of all threats. Sober's dominance is primarily due to a huge outbreak on 1 May that coincided with May Day across Europe. During this 24-hour period, Sober accounted for nearly 70% of all infected email identified by Sophos.