According to Dan Hubbard, the senior director of security and research at Websense, a family of obfuscation routines with the umbrella name of "JS/Wonka" has spread wildly in the last few weeks.
"For whatever reason, the number has just skyrocketed since the last of September," said Hubbard. "There are 10,000 unique sites using this exact same method. The strange thing is, they're completely different types of sites."
"The interesting thing here is the sheer climb in volume of sites using these routines," said Hubbard. "It's either a toolkit or coordination between hackers. There's no public toolkit we've found, but there are banks of domain names using JS/Wonka that are registered to similar names."
Some Web advertising and/or adware firms, for instance, have blamed their far-flung affiliates for secretly installing software, including some programs that verge on spyware, when users and anti-spyware vendors accuse them of infecting PCs. Such affiliates may want to hide their URLs to make it harder for their partners to check up on their installation practices.
Three out of four of the sites found using JS/Wonka are hosted in the U.S., said Websense, another indication that either a group of scammers is working together or that an obfuscation toolkit has just been made available and hasn't had time to spread overseas.