Interesting research by Wayne at Armorize on an on-going campaign that is being dubbed a 'Mass Meshing Injection' attack. When a legitimate website is compromised/infected, typically through an SQL Injection, it contains a "redirector" script (JavaScript) that points to a not-so-legitimate site that leads the user to the exploit site. It looks like this:

Mass SQL Injection: Compromised Legitimate Site -> Redirector Site -> Exploit Site

In the case of Mass Meshing Injection, the redirector site is replaced with another legitimate site that has been compromised:

Mass Meshing Injection: Compromised Legitimate Site -> Compromised Legitimate Site -> Exploit Site
In the case of Mass SQL Injections, blacklisting the redirector sites was sufficient. This new method makes that more difficult:
And so the end result is, [in]side the infected webpages, there are no more statically injected "malicious redirectors" that security vendors can detect. Every redirector is itself an infected domain, which means blacklisting becomes more difficult and prone to false alerts.
Wayne goes on to highlight the porous detection for the malicious sample (3 out of 42 antivirus vendors), which seems to be changing. The cat and mouse game continues.
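To make the detection problem concrete, here is an added example (not from Armorize's research or this post) that models the two redirect chains described above as observed hops and runs two checks over them: the classic redirector blacklist, and a mesh-aware heuristic that flags a chain whenever its redirector hop is itself a site already seen carrying the injected script. All domains, chains and the blacklist are constructed sample data; the `.test` names are placeholders.

```python
"""Added example: redirector blacklisting vs. a mesh-aware heuristic.

Each observed chain is modelled as (compromised site, redirector, exploit site).
All data below is constructed for illustration; none of it is from the original post.
"""

from collections import Counter

# Classic Mass SQL Injection pattern: many compromised sites point at a few
# dedicated redirector domains, which then send the visitor to the exploit site.
CLASSIC_CHAINS = [
    ("shop-example.test", "redirector-a.test", "exploit-kit.test"),
    ("news-example.test", "redirector-a.test", "exploit-kit.test"),
    ("blog-example.test", "redirector-b.test", "exploit-kit.test"),
]

# Mass Meshing Injection pattern: the redirector hop is another compromised
# legitimate site, so the compromised sites point at each other.
MESHED_CHAINS = [
    ("shop-example.test", "news-example.test", "exploit-kit.test"),
    ("news-example.test", "blog-example.test", "exploit-kit.test"),
    ("blog-example.test", "shop-example.test", "exploit-kit.test"),
]

# Constructed blacklist of the dedicated redirector domains from the classic case.
REDIRECTOR_BLACKLIST = {"redirector-a.test", "redirector-b.test"}


def flag_by_blacklist(chains, blacklist):
    """Classic approach: a chain is malicious if its redirector hop is blacklisted."""
    return [chain for chain in chains if chain[1] in blacklist]


def flag_by_mesh(chains):
    """Mesh heuristic: flag a chain whose redirector hop is also known as an
    infected first-hop site in some other observed chain. A legitimate site that
    both carries the injected script and serves as someone else's redirector is
    the signature of meshing, and it needs no static redirector blacklist."""
    infected_sites = {chain[0] for chain in chains}
    return [chain for chain in chains if chain[1] in infected_sites]


def naive_blacklist_update(chains):
    """What a blacklist maintainer would add if they kept treating every
    redirector hop as a dedicated malicious domain. In the meshed case this
    returns the compromised legitimate sites themselves, which is the source of
    the false alerts the post warns about."""
    return {chain[1] for chain in chains}


def collateral_domains(chains):
    """Legitimate (first-hop) sites that the naive update would end up blacklisting."""
    infected_sites = {chain[0] for chain in chains}
    return naive_blacklist_update(chains) & infected_sites


def redirector_fanout(chains):
    """Number of distinct infected sites pointing at each redirector hop.
    Classic campaigns show high fan-out onto few domains; meshing spreads
    the fan-out across the compromised sites."""
    return Counter(chain[1] for chain in set(chains))


if __name__ == "__main__":
    print("classic, blacklist :", len(flag_by_blacklist(CLASSIC_CHAINS, REDIRECTOR_BLACKLIST)))
    print("meshed,  blacklist :", len(flag_by_blacklist(MESHED_CHAINS, REDIRECTOR_BLACKLIST)))
    print("classic, mesh rule :", len(flag_by_mesh(CLASSIC_CHAINS)))
    print("meshed,  mesh rule :", len(flag_by_mesh(MESHED_CHAINS)))
    print("collateral if naively blacklisted:", sorted(collateral_domains(MESHED_CHAINS)))
```

Running it shows the asymmetry the post describes: the blacklist catches every classic chain and none of the meshed ones, while the mesh rule catches the meshed chains without any blacklist, and `collateral_domains` lists exactly the legitimate sites a naive blacklist update would block.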