Researchers see this code in HTML source so often that it almost never gets a second glance – until now. zveloLABS™ researchers have seen several compromised sites recently using Google Analytics to mask malicious scripts, as in the example below.
Decoded, this turns into a script tag that looks like this:
Note the use of the “sr?” tag for the Google Analytics URL, with the actual “src” tag pointing to the malicious script at 220.127.116.11. Security researchers out there, be sure to take a second look at that Google Analytics code next time you’re looking at an infected site.
Making the Internet Safer and More Secure. zvelo provides industry-leading cyber threat intelligence and URL classification data services. zvelo’s proprietary AI-based threat detection and categorization technologies, combines curated domains, threat and other data feeds, with the clickstream traffic from its global partner network of 1 billion users and endpoints to provide unmatched visibility, coverage, reach and accuracy. zvelo powers applications and solutions for the world's leading providers of web filtering, endpoint detection and response (EDR), extended detection and response (XDR), Secure Access Service Edge (SASE), brand safety and contextual targeting, cyber threat intelligence platforms, threat analysis, and more.