We are seeing many sites today compromised with the Blackmuscats conditional redirection. This malware causes anyone visiting the hacked site to be redirected to a Fake AV (AntiVirus). Why Blackmuscats? All the compromised sites have .htaccess redirections pointing to files ending in “blackmuscats?5”.
So far we have detected more than 8,000 sites with this type of redirection and the number is growing (last night we had only found a few hundred).
Note: this is a conditional redirection, so you are only sent to the malware site if you are coming from a search engine, not if you visit the site directly.
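An added example, not from the original post: a Python check that scans .htaccess content for the pattern described above, a search-engine `HTTP_REFERER` condition followed by a `RewriteRule` pointing at an external URL. The sample rules, the `example.invalid` host and the search-engine list are constructed assumptions.

```python
import re

# Assumption: referrer names an injected condition is likely to match on.
SEARCH_ENGINES = re.compile(r"google|bing|yahoo|aol|yandex|baidu", re.I)
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)


def find_conditional_redirects(htaccess_text):
    """Flag RewriteRules that send search-engine referrals to an external URL."""
    findings = []
    cond_line = None  # line of a pending search-engine HTTP_REFERER condition
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        cond = REFERER_COND.match(line)
        if cond and SEARCH_ENGINES.search(cond.group(1)):
            cond_line = lineno
            continue
        rule = REWRITE_RULE.match(line)
        if not rule:
            continue  # blank lines, comments and other directives
        target = rule.group(1)
        if cond_line and re.match(r"https?://", target, re.I):
            findings.append({
                "cond_line": cond_line,
                "rule_line": lineno,
                "target": target,
                # The page's marker: targets ending in "blackmuscats?5".
                "blackmuscats": target.lower().endswith("blackmuscats?5"),
            })
        cond_line = None  # conditions bind only to the next RewriteRule
    return findings


# Constructed sample: injected block followed by a legitimate CMS rule.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo)\..*$ [NC]
RewriteRule ^(.*)$ http://redirector.example.invalid/blackmuscats?5 [R=301,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

if __name__ == "__main__":
    for finding in find_conditional_redirects(SAMPLE):
        print(finding)
```

Because the check keys on the referrer condition rather than only the "blackmuscats" string, it also surfaces the same kind of redirect if the target file name changes.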
Here are some of the domains being used as part of this malware campaign: