Initially, they forgot to include a tag before the actual malicious code, so it was indexed by Google and, therefore, searchable. The initial number of compromised domains was around 22,400, with a total of 536,000+ infected pages.
Unfortunately, the attackers remedied their mistake and the injected script is not visible to Google anymore, so the current number of affected pages is unknown.
What is known is that the script takes the victims through a number of redirection sites and lands them on a page where a drive-by download script is served by a modified version of the BlackHole exploit pack.
The exploit pack takes advantage of vulnerabilities in the Windows OS, Java, Adobe Reader and Flash Player to install a fake AV solution on the victims' computer. The malware is immediately executed and begins scaring the users:
The fake solution changes its name depending on the OS it encounters on the targeted computer. It is "XP Security 2012" under Windows XP, "Vista Antivirus 2012" under Windows Vista, and "Win 7 Antivirus 2012" under Windows 7.
According to the researchers, the redirecting domains are hosted in Moldova, and the exploit servers in the US. As to how legitimate sites get injected with the malicious iFrame, they say it's mostly by using stolen FTP credentials.
Unfortunately, the malware served has a very low detection rate - 11.6 percent on Virus Total - so the best thing to do to defend oneself from this type of threat is to keep all your software up-to-date in order to thwart the exploit kit.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.