Web site owners should accept more responsibility for securing their sites
against attack, as Sophos has revealed today that it identified one new
infected web page every four and a half seconds during 2008.
The security vendor's annual Security Threat Report found that many
infections stem from legitimate sites being hacked, often via the
increasingly popular SQL injection attack, in which malicious code is inserted
into the database running a site.
Better patching and hardened web code will remove some of the risks, argued
Sophos senior technology consultant Graham Cluley.
"Nowadays if you're running a web site of any size you're effectively a
software publisher, because you're putting up things, perhaps in PHP, which may
have vulnerabilities in them," he said.
"You must ensure that you take responsibility. You have to think differently
if you're in e-commerce now."
Sophos also reported a five-fold increase in malicious email attachments
during 2008, and predicted that hackers would increasingly attach
"booby-trapped" versions of non-executable files like PDFs and Word documents,
because users are more likely to open them.
Sophos also "named and shamed" the US for being the number-one host of
malware, at 37 per cent, and being home to the largest number of spam-sending
PCs.
"When the internet community gets together
[as with McColo] things seem to get better for all of us," he said. "But the
main problem is the home user population [in the US] is poorly protected, so we
need better education of home users and businesses."