Infections inserted into legitimate websites are often just an iframe or script tag. Sometimes simple encryption functions are used, and sometimes very complex algorithms, to hide the redirection process. But all of these methods have the same objective: to redirect users to malware distribution websites hosting various exploit packs. There are also infections that try to imitate well-known and widely used services, mostly Google-related ones, with Google Analytics being number one. It started with small changes to the URLs used by these services, for example “analytics” -> “analitics”, and so on. In this article I will describe two new infections that imitate a well-known Google service in a more complex manner and that at first glance seem legitimate.
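A site owner can check pages for the misspelled-URL pattern described above by comparing every script and iframe host against the genuine service hosts. The following is an added example, not code from this article: the allow-list, the distance threshold of 2 and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of genuine hosts; extend it for the services a site really uses.
KNOWN_HOSTS = ["ssl.google-analytics.com", "www.google-analytics.com"]

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class SrcCollector(HTMLParser):
    """Collects the host of every absolute or scheme-relative script/iframe src."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host:  # relative paths have no host and are skipped
                self.hosts.append(host.lower())

def find_lookalikes(html, max_distance=2):
    """Return (host, imitated_host, distance) for near-miss spellings of known hosts."""
    collector = SrcCollector()
    collector.feed(html)
    findings = []
    for host in collector.hosts:
        if host in KNOWN_HOSTS:
            continue  # exact match with a genuine host
        closest = min(KNOWN_HOSTS, key=lambda known: edit_distance(host, known))
        distance = edit_distance(host, closest)
        if distance <= max_distance:
            findings.append((host, closest, distance))
    return findings

# Constructed sample page; the misspelled hosts follow the "analitics" pattern above.
SAMPLE_HTML = """
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="http://www.google-analitics.com/ga.js"></script>
<iframe src="//ssl.google-analitics.com/frame.html" width="1" height="1"></iframe>
<script src="/js/site.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
"""

if __name__ == "__main__":
    for finding in find_lookalikes(SAMPLE_HTML):
        print(finding)
```

A check like this only catches near-miss spellings; it does not cover imitations that hide the URL behind encoding or obfuscated script.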