Aug 17, 2011 18:47 GMT

Researchers from web security vendor Armorize have detected a new mass injection attack that has affected over 22,000 websites so far and directs users to drive-by download exploits.

The researchers were able to determine the number of affected domains because the attackers originally forgot a script tag, rendering their code inactive.

This meant that search engine crawlers were able to index the code as regular text and make it searchable, allowing Armorize to find it on over 536,000 unique pages.

The attackers have since fixed their injection, and it's fair to assume that at least those 22,000 websites were reinfected with the proper code.

When accessing a page compromised by this attack, visitors are redirected to a website hosting an installation of the BlackHole exploit pack.

BlackHole executes exploits that target vulnerabilities in outdated versions of Java, Adobe Reader, Flash Player and Windows itself.

Attacks of this type are called drive-by downloads and are generally completely transparent to victims. If they are successful, malware is downloaded and installed on the targeted computers.

According to Armorize, in this case that malware is a fake antivirus application that uses the names "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7.

The researchers believe the attackers are using FTP credentials stolen from infected computers in order to compromise websites and inject code into their pages.

The antivirus detection rate for the exploits is pretty low at the moment, with only 5 out of 43 engines on VirusTotal picking them up, but this is a regular occurrence with BlackHole, which constantly re-encrypts the exploits to make them undetectable.

Users are advised to keep the software installed on their computers up to date and to use an antivirus program with advanced layers of protection, like behavioral detection, which can pick up generic attacks.