20,000 Legitimate Websites Compromised Through New Injection Attack

Websense recently made this announcement:

“Websense Security Labs(TM) Threatseeker(TM) Network has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious Javascript, obfuscated code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites.

This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.

The exploit site is laden with vaious attacks. After successful exploitation, a malicious file is run on the exploited computer. The executed malware file has a very low AV detection rate. ”

——-

These methods cyber criminals are now using are very effective. When they can inject code into a legitimate, popular site that is accessed literally millions of times each day, that is how their malware spreads so quickly. Vulnerable systems (which are not short in supply) are then taken over by the cyber criminals and the user sitting at the computer would likely never know the difference.