With the new updates to Blackhole, users are introduced with some kind of loading, waiting, or connecting to server message before they get redirected to the compromised website.
After the redirect, a script that is contained on the web server checks the user agent string and identifies the browser. If the web browser is detected as Internet Explorer or Firefox, then Blackhole carries out its normal payload, trying to exploit any number of Reader, Java, or Internet Explorer vulnerabilities.
However, whenever a user is running Chrome, a second redirect occurs, directing that user to fake Chrome update installer that they must agree to download.
Shukor, a security researcher, claims this method of infecting users put in place by the Blackhole exploit coders is because of Chrome’s method of rendering PDF files in its non-Adobe PDF reader and a feature that requires user permission before running any kind of Java applets.