A new cyberattack is using trusted Google domains to secretly inject malicious scripts into e-commerce websites. This advanced malvertising scheme turns legitimate online stores into phishing platforms without alerting site owners or advertisers.
Hackers are exploiting Google API integrations through JSONP calls. These calls allow them to insert harmful code that silently redirects shoppers to fake payment pages.
Customers believe they are paying trusted merchants, but instead, they give their credit card details to cybercriminals.
A New Level of Malvertising
This method is more advanced than traditional malvertising, which often uses suspicious ads or obvious redirects. Here, users click on real ads, visit real storefronts, and are unaware of the hidden danger.
One major example was the Indian website of Ray-Ban (india.ray-ban.com). Hackers compromised the backend, turning a respected brand into a phishing trap.
Researchers from GeoEdge say the attackers benefit in two ways. They use the reputation of major brands and also take advantage of the brands’ advertising to attract traffic to their scams.
While the number of current cases is small, experts warn the attack is persistent and hard to detect.
Google Notified, but Risk Remains
Google was informed about this issue in November 2024. Still, several infected websites remain online and continue to put users at risk.
How the Attack Works
This scheme relies on JSONP (JSON with Padding), an older technique for cross-origin requests that works around the browser's same-origin policy by loading the server's response as a script. Many websites allow scripts from Google domains in their Content Security Policy (CSP), so a JSONP response served from one of those domains runs with the trust the policy grants it, which is how the attackers bypass CSP protections.
In this attack, the browser requests a Google endpoint with a callback parameter, and the server wraps its data in a call to whatever function name was supplied. The response looks like this:
malicious_function({"result": "data"});
Because the script arrives from an allowlisted Google domain, the browser executes it, and the attacker-chosen callback lets the attacker run harmful code inside the user's browser.
The attack mainly targets e-commerce platforms like Adobe Commerce and Magento. Network traffic studies show multiple cases of scripts using Google domains to deliver hidden JavaScript code.
These scripts then send users to fake payment pages on domains like montina[.]it and premium[.]vn.
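A defender-side check for the pattern described above, added here as an example and not code from GeoEdge or the article: it walks a list of script URLs observed loading on a storefront, keeps only those that the site's CSP host allowlist would permit, and flags JSONP-style loads from Google domains whose callback name is not one the site itself registers. The CSP sources, the expected callback names and the sample URLs are constructed for the illustration.

```python
"""Flag JSONP loads from CSP-allowlisted Google domains with unexpected callbacks."""
import re
from urllib.parse import urlparse, parse_qs

# Constructed example of a storefront's CSP script-src host allowlist.
CSP_SCRIPT_SRC = ["'self'", "https://*.googleapis.com", "https://www.google.com"]
# Constructed: callback names the storefront's own code legitimately registers.
EXPECTED_CALLBACKS = {"onMapsReady", "handleFonts"}
# Query parameters commonly used to name a JSONP callback.
CALLBACK_PARAMS = ("callback", "jsonp", "cb")
# A plain JavaScript identifier; anything else (e.g. "a.b") is suspicious.
IDENTIFIER = re.compile(r"[A-Za-z_$][\w$]*")

# Constructed sample of script loads observed in a page's network traffic.
SAMPLE_URLS = [
    "https://maps.googleapis.com/maps/api/js?callback=onMapsReady",
    "https://www.google.com/constructed-endpoint?callback=evilLoader",
    "https://fonts.googleapis.com/constructed-endpoint?cb=foo.bar",
    "https://evil.example/loader.js?callback=x",
]


def host_allowed(host, sources):
    """Simplified CSP host matching: exact host or '*.' subdomain wildcard.
    'self' and scheme-only sources are ignored in this illustration."""
    for src in sources:
        if not src.startswith("https://"):
            continue
        pattern = src[len("https://"):]
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):  # "*.x.com" matches subdomains only
                return True
        elif host == pattern:
            return True
    return False


def audit_script_loads(urls, expected=EXPECTED_CALLBACKS, csp_sources=CSP_SCRIPT_SRC):
    """Return findings for allowlisted hosts whose callback is not expected."""
    findings = []
    for url in urls:
        parsed = urlparse(url)
        if not host_allowed(parsed.hostname or "", csp_sources):
            continue  # CSP would already block this load; out of scope here
        query = parse_qs(parsed.query)
        for param in CALLBACK_PARAMS:
            for name in query.get(param, []):
                if name in expected:
                    continue
                reason = ("unexpected callback name" if IDENTIFIER.fullmatch(name)
                          else "non-identifier callback")
                findings.append({"url": url, "callback": name, "reason": reason})
    return findings
```

Such a finding is only a lead for review, since legitimate integrations also use JSONP; the structural fix is a nonce-based `script-src` with `'strict-dynamic'`, which stops treating a whole Google domain as a trusted script source.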
Hard to Detect, Easy to Trust
The most dangerous part of this attack is its stealth. It hides inside trusted systems and avoids usual detection tools. As a result, users and even security teams often don’t see the threat until it’s too late.
This case highlights a growing problem in cybersecurity: even trusted platforms can be used to deliver harm if attackers find the right loophole.