Fake Analytics Leads to Black Hole

Wednesday, February 15, 2012 @ 05:02 PM gHale

Attackers are now using code meant to look like Google Analytics snippets, but instead it sends victims off to a remote site that’s hosting the Black Hole Exploit Kit.

The code used to hide the fake Google Analytics tags appears heavily obfuscated, making analysis quite difficult, said researchers at Websense.

The malicious code, which is injected into benign pages on legitimate sites, looks just like actual Google Analytics code and appears to refer to common, well-known domains. But there are some tell-tale signs this isn’t the case.

“It is quite convincing at first glance, but remember, usually we put the analytics code at the bottom of the page, instead of at the top, so this is a good hint to Web masters. Another hint is they are using ‘UA-XXXXX-X,’ a placeholder, as their ‘Google Analytics account’; obviously this is not what people usually do. We found other similar domains like google-analytics[dot]su in this attack, and will update once we find more,” said Websense’s Tim Xia.
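As an added illustration (not code from Websense or from the article), the following Python triage scanner flags the three signs described above in a page's markup: a loader host that merely resembles google-analytics.com, the "UA-XXXXX-X" placeholder account, and a snippet placed above `<body>`. The `LEGIT_HOSTS` set, both sample pages and the account id `UA-12345-1` are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts the genuine loader comes from; any other host containing "analytics" is a look-alike.
LEGIT_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com", "google-analytics.com"}
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
PLACEHOLDER_RE = re.compile(r"\bUA-X+-X\b", re.I)  # "UA-XXXXX-X" left in from a template


def analytics_findings(html):
    """Return (reason, detail) pairs for <script> blocks that resemble Google Analytics but deviate.

    Uses a simple regex scan of the markup (fine for triage, not a full HTML parser)."""
    body_at = html.lower().find("<body")
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        src_m = SRC_RE.search(attrs)
        src = src_m.group(1) if src_m else ""
        text = src + " " + body
        if "analytics" not in text.lower() and "_setAccount" not in text:
            continue  # nothing analytics-like in this block
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if "analytics" in host and host not in LEGIT_HOSTS:
                findings.append(("lookalike-host", host))
        ph = PLACEHOLDER_RE.search(text)
        if ph:
            findings.append(("placeholder-account", ph.group(0)))
        if body_at == -1 or m.start() < body_at:  # script sits above <body>, i.e. at the top
            findings.append(("placed-before-body", src or "inline"))
    return findings


# Constructed sample: fake snippet in <head>, loader from the look-alike domain the article names.
FAKE_PAGE = """<html><head><title>x</title>
<script src="http://google-analytics.su/ga.js"></script>
<script>var _gaq=_gaq||[];_gaq.push(['_setAccount','UA-XXXXX-X']);</script>
</head><body><p>hello</p></body></html>"""

# Constructed sample: snippet at the bottom of <body>, real host, made-up but well-formed account id.
CLEAN_PAGE = """<html><head><title>x</title></head><body><p>hello</p>
<script src="https://www.google-analytics.com/ga.js"></script>
<script>var _gaq=_gaq||[];_gaq.push(['_setAccount','UA-12345-1']);</script>
</body></html>"""
```

Placement above `<body>` is only a weak signal on its own, so treat it as corroboration for the other two findings rather than as an alert by itself.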

The end result of the infection routine is that the victim ends up at a site that is hosting the Black Hole Exploit Kit, a vicious piece of software that will try a grab-bag of exploits against the victim’s browser until one works.

Once that’s done, another piece of malware typically clings on to the user’s machine, perhaps a keylogger or banker Trojan designed to relieve the victim of his or her money.

Black Hole is one of several readily available exploit kits that attack crews of all makes and models use to install malware on thousands of machines.

Black Hole, along with other kits such as Eleonore and Siberia, gives attackers a built-in set of exploits that target vulnerabilities in browsers.

Last spring, a version of Black Hole was uploaded to some file-sharing sites and made available for free. At the time, researchers said they expected Black Hole to appear in more attacks going forward, and that prediction has come true.

