- Attackers use real Google URLs to sneak malware past antivirus and into your browser undetected
- This malware only activates during checkout, making it a silent threat to online payments
- The script opens a WebSocket connection for live control, completely invisible to the average user
A new browser-based malware campaign has surfaced, demonstrating how attackers are now exploiting trusted domains like Google.com to bypass traditional antivirus defenses.
A report from security researchers at c/side, this method is subtle, conditionally triggered, and difficult for both users and conventional security software to detect.
It appears to originate from a legitimate OAuth-related URL, but covertly executes a malicious payload with full access to the user’s browser session.
Malware hidden in plain sight
The attack begins with a script embedded in a compromised Magento-based ecommerce site which references a seemingly harmless Google OAuth logout URL: https://accounts.google.com/o/oauth2/revoke.
However, this URL includes a manipulated callback parameter, which decodes and runs an obfuscated JavaScript payload using eval(atob(…)).
The use of Google’s domain is central to the deception – because the script loads from a trusted source, most content security policies (CSPs) and DNS filters allow it through without question.
This script only activates under specific conditions. If the browser appears automated or the URL includes the word “checkout,” it silently opens a WebSocket connection to a malicious server. This means it can tailor malicious behavior to user actions.
Any payload sent through this channel is base64-encoded, decoded, and executed dynamically using JavaScript’s Function constructor.
The attacker can remotely run code in the browser in real time with this setup.
One of the primary factors influencing this attack’s efficacy is its ability to evade many of the best antivirus programs currently on the market.
The script’s logic is heavily obfuscated and only activates under certain conditions, making it unlikely to be detected by even the best Android antivirus apps and static malware scanners.
They will not inspect, flag, or block JavaScript payloads delivered through seemingly legitimate OAuth flows.
DNS-based filters or firewall rules also offer limited protection, since the initial request is to Google’s legitimate domain.
In the enterprise environment, even some of the best endpoint protection tools may struggle to detect this activity if they rely heavily on domain reputation or fail to inspect dynamic script execution within browsers.
While advanced users and cybersecurity teams may use content inspection proxies or behavioral analysis tools to identify anomalies like these, average users are still vulnerable.
Limiting third-party scripts, separating browser sessions used for financial transactions, and remaining vigilant about unexpected site behaviors could all help reduce risk in the short term.
