Malicious scripts masquerade as Google Analytics
Researchers see this code in HTML source so often that it almost never gets a second glance – until now. zveloLABS™ researchers have seen several compromised sites recently using Google Analytics to mask malicious scripts, as in the example below.
Decoded, this turns into a script tag that looks like this:
Note the use of the “sr?” tag for the Google Analytics URL, with the actual “src” tag pointing to the malicious script at 18.104.22.168. Security researchers out there, be sure to take a second look at that Google Analytics code next time you’re looking at an infected site.