The Websense® ThreatSeeker® Network has discovered a new wave of injection of malicious code disguising itself as Google Analytics, by adopting similar code snippets and malicious domains.
It is quite convincing at first glance, but remember, usually we put the analytics code at the bottom of the page, instead of at the top, so this is a good hint to Web masters. Another hint is that they are using "UA-XXXXX-X", a placeholder as their "Google Analytics account", obviously this is not what people usually do. We found other similar domains like google-analytics[dot]su in this attack, and will update once we find more. The evil ga.js code is as below:
it is highly obfuscated, hard to understand, but after all tricks it finally will redirect to IP address 126.96.36.199 which hosts Black Hole Exploit.
Websense customers are protected from these threats by ACETM, our Advanced Classification Engine.