Random Iframe injection attack, redirects to malicious sites

A number of websites have been infected and contain iframes pointing to random domains. The iframes redirect users to malicious websites, security researcher Daniel Cid warns.

Cyber criminals inject PHP code into vulnerable websites instead of injecting the iframe directly into the pages. The PHP code generates an iframe pointing to random domains.

According to a Sucuri blog post, the domains change every few hours. The domain appears to be generated by changing the number in the domain name ('directsX.ru'), where 'X' is a three-digit number starting from 000.

Once this iframe is generated, it redirects users to another random domain. That domain contains more iframes pointing to a few other domains.

Once the secondary domains are loaded, the browser is redirected back to the directsX.ru domain, which distributes the traffic (SutraTDS, a Traffic Distribution System).

This Traffic Distribution System (TDS) redirects the user randomly to malicious sites, including malware and pornography sites. When I analyzed one of the sites, it redirected me to a Redkit exploit kit page.
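
Because the iframe is produced by injected PHP and its domain rotates, a site owner gets further by checking the HTML as served against the 'directsX.ru' pattern than by blocklisting one domain. The following is an added example, not code from the original post or from Sucuri; the function names, the sample page and the decision to also match subdomains are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Pattern from the article: directsX.ru, X = three digits starting at 000.
# Also matching subdomains of such a host is an assumption of this example.
ROTATING_HOST = re.compile(r"^(?:[a-z0-9-]+\.)*directs\d{3}\.ru$")

class IframeCollector(HTMLParser):
    """Collect the src of every <iframe> in the HTML as served to a visitor."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def find_rotating_iframes(html):
    """Return (host, src) for each iframe whose host fits the rotating pattern."""
    collector = IframeCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for src in collector.sources:
        try:
            # hostname is lower-cased by urlsplit; relative URLs have none
            host = (urlsplit(src).hostname or "").rstrip(".")
        except ValueError:
            continue  # malformed URL, nothing to match
        if ROTATING_HOST.match(host):
            hits.append((host, src))
    return hits

# Constructed sample response body; hosts and paths are made up for the demo.
SAMPLE_HTML = """
<html><body>
<iframe src="https://video.example.com/embed/1"></iframe>
<iframe src="http://directs017.ru/constructed-path"></iframe>
<iframe src="//DIRECTS204.RU/constructed-path"></iframe>
<iframe src="http://directs12.ru/"></iframe>
<iframe src="/local/frame.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for host, src in find_rotating_iframes(SAMPLE_HTML):
        print(f"suspicious iframe -> {host} ({src})")
```

A hit means the page's server-side code needs inspection for the injected PHP, since cleaning the rendered HTML alone leaves the generator in place.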