Alert to Web Security Researchers: Malicious scripts masquerade as Google Analytics

eSoft's Threat prevention team has detected attacks that are masked to look like standard Google Analytics code. Google Analytics issues snippets of javascript code that dynamically adds a script tag for a page. This tag then loads the Google Analytics code for logging visists to the site.

Researchers see this code in HTML source so often that it almost never gets a second glance - until now. eSoft researchers have seen several compromised sites recently using Google Analytics to mask malicious scripts, as in the example below.

Decoded, this turns into a script tag that looks like this:

Note the use of the "sr?" tag for the Google Analytics URL, with the actual "src" tag pointing to the malicious script at 91.212.65.148. Security researchers out there, be sure to take a second look at that Google Analytics code next time you're looking at an infected site.