They inject malicious scripts that pretend to be Analytics code

The Websense team has detected an interesting attack on websites that camouflages the malicious code as if it were the Google Analytics script, in the following screenshot you can see the code they are using:

It is very similar to the legitimate code offered by Google, the differences are UA-XXXXX-X, in the real ones they are a number and for each account there is a different one; and most ingenious the domain google- -analytics that loads the malicious script, in the real ones the domain has only one hyphen. Websense also reports that there are other variants of these dummy domains.

In this way, attackers can avoid any primary analysis made by a webmaster when they discover that their site is infected, since by looking at the source code they could ignore the false code.

The attack is quite dangerous because it redirects users who access infected sites to pages that contain an exploit kit called Blackhole, it has the ability to search for vulnerabilities on Windows, Linux and Mac computers and automatically infect them when one is detected, technique known as drive-by download.

The problem for Internet users is that these attacks -drive by download-can happen anywhere, but protecting yourself is easy by keeping everything updated (browser, add-ons and operating system) and using an updated antivirus. The most cautious can also use some script blocker such as NoScript in Firefox, this week I promise to publish a post about this tool for all those who do not know it.

For the webmasters There are many tips that could be given, I recommend reading the following article in English titled Matt Cutts on Malware where several tips for detecting malware on sites are mentioned.

See also: Searching for models on the internet can be dangerous.