- Attackers use real Google URLs to sneak malware past antivirus and into your browser undetected
- This malware is only activated during checkout, making it a quiet threat to online payments
- The script opens a WebSocket connection for live control, completely invisible to the average user
A new browser-based malware campaign has emerged, showing how attackers are now abusing trusted domains such as Google.com to bypass traditional antivirus defenses.
According to a report from security researchers at c/side, the method is subtle, conditionally triggered, and difficult for both users and conventional security software to detect.
The script appears to come from a legitimate OAuth-related URL, but it hides a malicious payload with full access to the user’s browser session.
Malware hidden in plain sight
The attack begins with a script embedded in a compromised Magento-based e-commerce website that references a seemingly harmless Google OAuth logout URL: https://accounts.google.com/o/oauth2/revoke.
However, this URL carries a manipulated callback parameter that decodes and runs an obfuscated JavaScript payload using eval(atob(…)).
The use of Google’s domain is central to the deception: because the script is loaded from a trusted source, most content security policies (CSPs) and DNS filters allow it without question.
The script is activated only under specific conditions. If the browser appears automated, or the page URL includes the word “checkout”, it silently opens a WebSocket connection to a malicious server, which lets the attacker tailor malicious behavior to the user’s actions.
Any payload sent through this channel is base64-encoded, then decoded and executed dynamically using JavaScript’s Function constructor.
With this setup, the attacker can remotely run code in the victim’s browser in real time.
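As an added example, not from the c/side report or the campaign itself, the following static check flags script tags that load Google's OAuth revoke endpoint with a callback parameter that contains code rather than a plain JSONP function name, which is the loader pattern described above. The host, path and parameter name come from the article; the HTML sample and the pattern list are constructed.

```javascript
// Added example (not from the c/side report): flag <script src> URLs that point
// at Google's OAuth revoke endpoint with a "callback" value that looks like
// executable code instead of a JSONP function name. Sample HTML is constructed.
const SUSPECT_HOST = "accounts.google.com";
const SUSPECT_PATH = "/o/oauth2/revoke";
// Tokens a legitimate JSONP callback name would never contain (assumed list).
const CODE_PATTERNS = [/\beval\s*\(/, /\batob\s*\(/, /\bFunction\s*\(/, /\bWebSocket\b/];

function analyzeScriptSrc(src) {
  let url;
  try { url = new URL(src, "https://example.invalid/"); } catch (e) { return null; }
  if (url.hostname !== SUSPECT_HOST || !url.pathname.startsWith(SUSPECT_PATH)) return null;
  const callback = url.searchParams.get("callback"); // percent-decoded by URLSearchParams
  if (callback === null) return null;
  // A benign JSONP callback is a bare (possibly dotted) identifier, nothing more.
  const isIdentifier = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/.test(callback);
  const hits = CODE_PATTERNS.filter((re) => re.test(callback)).map((re) => re.source);
  return { src, callback, suspicious: !isIdentifier || hits.length > 0, hits };
}

// Scan raw HTML (e.g. a captured Magento page) and return only suspicious loaders.
function findSuspiciousScripts(html) {
  const srcRe = /<script\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const findings = [];
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    const src = m[1] || m[2] || "";
    const result = analyzeScriptSrc(src);
    if (result && result.suspicious) findings.push(result);
  }
  return findings;
}

// Constructed sample page: one ordinary script and one abusing the revoke endpoint
// (the base64 here decodes to console.log(1), a harmless stand-in for the real payload).
const SAMPLE_HTML = `
<script src="https://cdn.example.invalid/app.js"></script>
<script src="https://accounts.google.com/o/oauth2/revoke?callback=eval(atob('Y29uc29sZS5sb2coMSk='))"></script>
`;

console.log(JSON.stringify(findSuspiciousScripts(SAMPLE_HTML), null, 2));
```

The same check can be run against a browser's network log or a CSP report feed, since the tell is the shape of the callback value, not the (trusted) domain it is served from.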
One of the main reasons this attack is so effective is its ability to slip past many of the best antivirus programs currently on the market.
The script’s logic is heavily obfuscated and is activated only under certain conditions, making it unlikely to be caught by even the best Android antivirus and static malware scanners.
Such tools will not inspect, flag or block JavaScript payloads delivered through seemingly legitimate OAuth flows.
DNS-based filters and firewall rules also offer limited protection, since the initial request goes to Google’s legitimate domain.
In business environments, even some of the best endpoint protection tools can struggle to detect this activity if they rely heavily on domain reputation or fail to inspect dynamic script execution in the browser.
While advanced users and cybersecurity teams may use content inspection proxies or behavioral analysis tools to identify anomalies like these, average users remain vulnerable.
Limiting third-party scripts, separating the browser sessions used for financial transactions, and staying vigilant for unexpected site behavior could all help reduce the risk in the short term.