About one in ten websites is infected with malicious software that could result in a user’s personal information being stolen, according to Google.

Sensitive data such as banking passwords and e-mail addresses could unwittingly be handed over to criminals as a result of visiting infected pages, which work by exploiting a vulnerability in the user’s internet browser, a study by the search company suggests.

Google said that it had analysed approximately 4.5 million websites over a 12 month period and found that 450,000 had caused a test computer to make a ‘drive-by download’, a common example of which was a ‘keylogger’, which captures every keystroke a user makes.

The report, entitled ‘The Ghost in the Browser,’ concluded: “Unfortunately average computer users have no means to protect themselves from this threat.”

"Their browser can be compromised just by visiting a page and become the vehicle for installing multitudes of malware on their systems.”

Sites with advertising were among those most commonly exploited, the study, said, because the ads were often displayed via a third party network and not under the control of the website owner.

Other sites that were vulnerable included those with user-generated content, such as forums or blogs, and those that make use of ‘widgets’ – for instance traffic counters – which could be configured by exploit a visitor’s computer.

In many instances the website owner was unaware their site had been infiltrated, experts said.

“We expect that the majority of malware is now spreading via web-based infection, because the computer of an average user provides a rich environment for adversaries to mine,” Niels Provos, who led the study, wrote.

“Banking transactions and credit card numbers, for instance, are much more likely to be found on a user’s machine than on a compromised server.”

The work of anti-virus software providers was made difficult by the fact that malware evolved rapidly, one malicious code changing over 1,100 times over the 12 month period of the study, the authors said.

But Graham Cluley, an expert at the computer security firm Sophos, said that there was “a fair amount” users could do to protect themselves by ensuring their virus protection software was up to date and downloading patches from Microsoft’s website

“Anti-virus vendors now also sell plug-ins, which screen pages as you try to access them, detecting relevant threats,” Mr Cluley said, adding that according to research by his company, 70 per cent of web-based infections were found on ‘legitimate’ websites.

Google said it was now labelling sites that had been identified as malicious as “potentially harmful” when they were returned as search results.

Explore Tech & Web

• Personal Tech

• The Web

• Gadgets & Gaming