Our ThreatSeeker® Network is constantly on the lookout to protect our customers from malicious attacks. Recently it has detected a new injection attack which leads to an obscure Web attack kit. The injection has three phases which will be covered in this blog post. Websense customers are protected from this attack by ACE, our Advanced Classification Engine.
The first phase of the attack is a typical vector that exploit kits use to drive traffic to their sites: script injection. Script code is placed on legitimate Web sites to drive traffic to the attack kits without the victim's knowledge. In this case, legitimate sites are injected with malicious JavaScript.
In the second phase, this script injection then pulls obfuscated content from another site. The obfuscated content creates an iframe that is used to pull content from the exploit kit site.
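For site owners, one way to spot the first two phases is to audit a page for script and iframe loads from hosts that are not expected. The following is an added example, not code from the original post; the function names, the allowlist approach and the `.example` hosts in the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ExternalLoadAuditor(HTMLParser):
    """Collects every <script src> and <iframe src> found in a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.loads = []  # (tag, absolute URL) in document order

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                # Resolve relative and protocol-relative references.
                self.loads.append((tag, urljoin(self.page_url, src)))


def unexpected_loads(page_url, html, allowed_hosts):
    """Return (tag, url) pairs whose host is neither the page's own nor allowlisted."""
    own_host = urlparse(page_url).hostname
    trusted = {own_host} | {h.lower() for h in allowed_hosts}
    auditor = ExternalLoadAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return [(tag, url) for tag, url in auditor.loads
            if urlparse(url).hostname not in trusted]


# Constructed sample page: the .example hosts are placeholders, not indicators.
SAMPLE_URL = "https://shop.example/index.html"
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example/lib.min.js"></script>
<script src="//stats-unknown.example/c.js"></script>
</head><body><p>Welcome</p>
<IFRAME SRC="http://landing-unknown.example/in.php"></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in unexpected_loads(SAMPLE_URL, SAMPLE_HTML, {"cdn.example"}):
        print(f"unexpected <{tag}> load: {url}")
```

Run over the HTML as served, this catches an injected script tag; the iframe from the second phase is created at runtime, so it shows up only when the input is a DOM snapshot taken from a rendering browser.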
