Injection code masquerades as Google Analytics
The Websense® ThreatSeeker® Network has discovered a new wave of malicious code injections that disguise themselves as Google Analytics by adopting code snippets and malicious domains that resemble the real ones.
It is quite convincing at first glance, but remember that analytics code is usually placed at the bottom of the page rather than at the top, so its position is a good hint for webmasters. Another hint is that the injected code uses "UA-XXXXX-X", a placeholder, as its "Google Analytics account", which is obviously not what people usually do. We found other similar domains, such as google-analytics[dot]su, in this attack and will update once we find more. The evil ga.js code is as below:
It is highly obfuscated and hard to understand, but after all its tricks it finally redirects to IP address 18.104.22.168, which hosts Black Hole Exploit.
Websense customers are protected from these threats by ACE, our Advanced Classification Engine.
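The hints described above (a look-alike domain such as google-analytics[dot]su, the "UA-XXXXX-X" placeholder account, and analytics code at the top of the page) can be checked mechanically on a site's own pages. The following Python check is an added example, not code from Websense: the host-matching heuristic, the names `audit` and `is_legit`, and the constructed sample page with its stand-in domain google-analytics.example are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

LEGIT = "google-analytics.com"
PLACEHOLDER = "UA-XXXXX-X"  # placeholder account ID named in the post
HOST_TOKEN = re.compile(r"[a-z0-9.-]*google-analytics[a-z0-9.-]*", re.I)  # heuristic

def is_legit(host):
    host = host.strip(".").lower()
    return host == LEGIT or host.endswith("." + LEGIT)

class _Audit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script = self.seen_body = False
        self.findings = []  # (line number, reason)

    def _inspect(self, text):
        line = self.getpos()[0]
        hosts = [h.strip(".").lower() for h in HOST_TOKEN.findall(text)]
        self.findings += [(line, "look-alike host " + h) for h in hosts if not is_legit(h)]
        if hosts and not self.seen_body:
            self.findings.append((line, "analytics code above <body>"))
        if PLACEHOLDER in text:
            self.findings.append((line, "placeholder account " + PLACEHOLDER))

    def handle_starttag(self, tag, attrs):
        self.seen_body |= tag == "body"
        self.in_script = tag == "script"
        if self.in_script:  # check the src attribute of every <script>
            self._inspect(dict(attrs).get("src") or "")

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        if self.in_script:  # check inline script text as well
            self._inspect(data)

def audit(html):
    parser = _Audit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; google-analytics.example is a made-up stand-in domain
SAMPLE = """<script src="http://google-analytics.example/ga.js"></script>
<script>_gaq.push(['_setAccount', 'UA-XXXXX-X']);</script>
<body><p>content</p><script src="http://www.google-analytics.com/ga.js"></script></body>"""
```

Each finding is a hint for manual review, in the same sense as the hints in the post; the position check in particular is weak on its own.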