Detected an external script, an iframe, or a redirect whose URL includes patterns of known malicious Traffic Direction Services (TDS), such as /in.cgi, /tds/go.php, etc.
Hackers usually point injected scripts and iframes to intermediary Traffic Direction Services (Servers) instead of the real sites that serve the malicious payload. This scheme adds flexibility to the attack. This additional layer may detect the OS, browser, referer, country, IP and other features of visitors and redirect each category to the corresponding landing pages that target that exact type of visitor. TDSs usually work as aggregators, buying traffic from hackers who compromise websites and selling it to various criminal groups who are interested in particular types of traffic.
Example of a server-side redirect to a TDS URL (HTTP header):
Example of an iframe whose URL points to a TDS:
<iframe src="hxxp://pokosa[.]com/tds/go.php?sid=1" width="0" height="0" frameborder="0">
Affecting: Any web site (no specific target).
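The check described above, sketched as an added example (not the scanner's own code): it flags a Location header or an external script/iframe src whose path matches the two TDS patterns named on this page. The function names, the sample markup and the tds.example redirect are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Path patterns named on this page; extend the list from your own intelligence.
TDS_PATH_RE = re.compile(r"/in\.cgi$|/tds/go\.php$", re.IGNORECASE)

def refang(url):
    """Undo common defanging (hxxp, [.]) so sample URLs parse normally."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")

def is_tds_url(url):
    """True if the URL is external (has a host) and its path matches a TDS pattern."""
    try:
        parts = urlsplit(refang(url))
    except ValueError:  # malformed host, e.g. stray brackets
        return False
    return bool(parts.netloc) and bool(TDS_PATH_RE.search(parts.path))

class _SrcCollector(HTMLParser):
    """Collects script/iframe src attributes that look like TDS URLs."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src and is_tds_url(src):
                self.hits.append((tag, src))

def scan_response(headers, body):
    """Return (kind, url) findings for one HTTP response: redirects first, then markup."""
    findings = [("redirect", value) for name, value in headers.items()
                if name.lower() == "location" and is_tds_url(value)]
    parser = _SrcCollector()
    parser.feed(body)
    return findings + parser.hits

# Constructed sample input: the iframe from this page inside made-up benign markup.
SAMPLE_BODY = (
    '<html><body><script src="/static/app.js"></script>'
    '<iframe src="hxxp://pokosa[.]com/tds/go.php?sid=1" width="0" height="0" '
    'frameborder="0"></iframe></body></html>'
)
SAMPLE_HEADERS = {"Location": "http://tds.example/in.cgi?2"}  # constructed value
```

Matching on the parsed path rather than the raw string keeps a benign URL that merely carries one of these strings in its query from being flagged.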