A new mass injection attack has hit over 22,000 websites so far and directs users to drive-by download exploits.
The number of affected domains was available because the attackers originally forgot a script tag, rendering their code inactive, said researchers from web security vendor Armorize. That meant search engine crawlers were able to index the code as regular text and make it searchable, allowing researchers to find it on over 536,000 unique pages.
The attackers have since fixed their injection, and at least 22,000 websites have been reinfected with the code.
When accessing a page compromised by this attack, visitors end up redirected to a website hosting an installation of the BlackHole exploit pack.
BlackHole executes exploits that target vulnerabilities in outdated versions of Java, Adobe Reader, Flash Player and Windows.
Attacks of this type are known as drive-by downloads and are generally invisible to victims. If they succeed, malware is downloaded and installed on the targeted computers.
In this case the malware is a fake antivirus application that uses the names “XP Security 2012” under Windows XP, “Vista Antivirus 2012” under Windows Vista, and “Win 7 Antivirus 2012” under Windows 7, Armorize researchers said.
The attackers are using FTP credentials stolen from infected computers in order to compromise websites and inject code into their pages, the researchers said.
The antivirus detection rate for the exploits is pretty low at the moment, with only 5 out of 43 engines on VirusTotal picking them up, but this is a regular occurrence with BlackHole, which constantly re-encrypts the exploits to make them undetectable.
Advice to users: keep the software installed on your computers up to date, and use an antivirus program with advanced layers of protection, such as behavioral detection, which can pick up generic attacks.
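Because the injections described above arrive through stolen FTP credentials, a site owner can look for them in the FTP server's transfer log. The following is an added example, not code from Armorize or the original article: it parses records in the standard xferlog layout and lists completed uploads of web page files from hosts outside a known set. The log lines, hosts, paths, user name and the `known_hosts` allowlist are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records in xferlog layout; hosts, paths and user are made up.
SAMPLE_XFERLOG = """\
Mon Oct 10 09:14:02 2011 1 198.51.100.20 4812 /home/site/public_html/index.html a _ i r siteuser ftp 0 * c
Mon Oct 10 09:15:40 2011 2 198.51.100.20 90211 /home/site/public_html/img/logo.png b _ i r siteuser ftp 0 * c
Fri Oct 14 03:02:11 2011 1 203.0.113.77 4650 /home/site/public_html/index.html a _ o r siteuser ftp 0 * c
Fri Oct 14 03:02:13 2011 1 203.0.113.77 4931 /home/site/public_html/index.html a _ i r siteuser ftp 0 * c
Fri Oct 14 03:02:15 2011 1 203.0.113.77 2210 /home/site/public_html/about us.php a _ i r siteuser ftp 0 * c
Fri Oct 14 03:02:16 2011 1 203.0.113.77 880 /home/site/public_html/js/menu.js a _ i r siteuser ftp 0 * i
"""

# File types that are served to visitors and can carry an injected script.
WEB_EXT = re.compile(r"\.(html?|php\d?|js|asp|aspx)$", re.IGNORECASE)

def parse_xferlog(line):
    """Split one xferlog record. The filename may contain spaces, so take the
    8 leading and 9 trailing fixed fields and treat the middle as the path."""
    tok = line.split()
    if len(tok) < 18:
        return None
    return {
        "time": " ".join(tok[0:5]),
        "host": tok[6],
        "path": " ".join(tok[8:-9]),
        "direction": tok[-7],   # i = upload, o = download, d = delete
        "user": tok[-5],
        "status": tok[-1],      # c = complete, i = incomplete
    }

def suspicious_uploads(log_text, known_hosts):
    """Return (host, user, [paths]) for each host not in known_hosts that
    completed an upload of a web page file."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec is None or rec["direction"] != "i" or rec["status"] != "c":
            continue
        if rec["host"] in known_hosts or not WEB_EXT.search(rec["path"]):
            continue
        hits[(rec["host"], rec["user"])].append(rec["path"])
    return [(h, u, paths) for (h, u), paths in sorted(hits.items())]

if __name__ == "__main__":
    for host, user, paths in suspicious_uploads(SAMPLE_XFERLOG, {"198.51.100.20"}):
        print(f"{host} as {user}: {len(paths)} page(s) overwritten: {paths}")
```

A download of a page followed seconds later by an upload of the same path from an unfamiliar host, as in the constructed sample, is the pattern to review first; any account that shows it should have its FTP password changed from a clean machine.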