
Hackers Leveraging Trusted Google Domains to Deploy Malicious Scripts


A new wave of malvertising attacks is exploiting integrations with Google APIs to inject malicious scripts into legitimate e-commerce websites, transforming trusted online storefronts into covert phishing traps.

Security researchers have uncovered sophisticated schemes where attackers hijack the credibility of established brands and leverage their marketing investments to lure unsuspecting shoppers.

Unlike conventional malvertising methods that rely on dubious ads or suspicious redirects, these operations use the very trust users place in well-known domains to stay undetected.

Exploiting JSONP Endpoints to Bypass Web Security

At the heart of the attack is the abuse of JSONP (JSON with Padding), a legacy technique that enables cross-domain data retrieval.

JSONP works by appending a callback parameter to an API request, prompting the server to respond with a script that calls the provided callback and passes data as an argument.

This mechanism, once commonly used to work around the browser's same-origin policy before CORS existed, is now being leveraged by threat actors to deliver malicious JavaScript payloads directly from trusted sources: whatever the request names as the callback is echoed back inside a script response, so an attacker-chosen callback becomes attacker-chosen code.
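The following is an added example, not code from the article or from Source Defense. It models a JSONP endpoint the way the article describes one (the server wraps data in a call to whatever "callback" the request named) and then runs the response the way a browser would run a `<script src=...>` response, so the effect of an attacker-chosen callback is visible. The endpoint, page and parameter names are illustrative assumptions.

```javascript
// Added example, not from the article or Source Defense: a naive and a hardened
// JSONP responder, plus a stand-in for the browser that executes the response.

// Accepts only a plain (optionally dotted) JavaScript identifier, e.g. "cb" or "app.onData".
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Naive JSONP responder: echoes the callback verbatim. This is the behaviour the
// attack relies on, because the callback value lands in the script body unchanged.
function jsonpUnsafe(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Hardened responder: refuses anything that is not an identifier and prefixes a
// comment (a common defence against content-sniffing tricks). Not sufficient on
// its own, as demo() shows.
function jsonpSafe(callback, data) {
  if (!CALLBACK_RE.test(callback)) throw new Error("invalid JSONP callback");
  return `/**/ ${callback}(${JSON.stringify(data)});`;
}

// Stand-in for the victim's browser: the response body is executed as script
// with a fake `window` (assumed page state) as its only accessible object.
function executeAsScript(body) {
  const window = {
    location: "https://shop.example/checkout", // hypothetical victim page
    received: [],
    onData: (d) => window.received.push(d),
  };
  new Function("window", body)(window);
  return { location: window.location, received: window.received };
}

function demo() {
  const data = { translated: "hola" };
  // Attacker-chosen callback: a statement followed by "//" so the padding
  // (the data argument) is commented out instead of causing a syntax error.
  const hostileCallback = 'window.location="https://fake-pay.example/";//';
  const results = {
    legit: executeAsScript(jsonpUnsafe("window.onData", data)),
    hijacked: executeAsScript(jsonpUnsafe(hostileCallback, data)),
    rejectedBySafe: false,
  };
  try { jsonpSafe(hostileCallback, data); } catch { results.rejectedBySafe = true; }
  // Caveat: identifier validation is not enough when the endpoint echoes
  // attacker-influenced data. A callback of "eval" turns the data argument
  // itself into code, so the page still navigates to the fake payment site.
  const attackerData = 'window.location="https://fake-pay.example/"';
  results.evalViaSafe = executeAsScript(jsonpSafe("eval", attackerData));
  return results;
}
```

The last case in `demo()` is the reason the article's closing advice matters: restricting the callback to an identifier stops the injected statement, but any JSONP endpoint whose data argument reflects request input can still be driven through `eval` or a similar global, and a CSP that allowlists the endpoint's host will allow the whole response. Serving the data over CORS with a JSON content type removes the script-execution step entirely.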

Researchers from Source Defense identified that several high-profile Google APIs, including translate.googleapis.com, accounts.google.com, and www.youtube.com, have been exploited as part of the attack chain.

Since many sites explicitly allow scripts from Google domains in the script-src allowlist of their Content Security Policy (CSP), a JSONP response from one of those hosts is treated as a trusted script, and the malicious payload bypasses the control that was supposed to stop injected code.

Image: Example of script execution

Even the most stringent host-allowlist CSP cannot prevent these scripts from executing, because such a policy trusts an origin rather than a specific script, and an allowlisted origin that hosts a JSONP endpoint will happily echo an attacker-chosen callback as code. Only nonce- or hash-based script-src policies, which trust individual scripts rather than whole origins, address this bypass (an attacker who can edit the site's server-side templates can of course defeat those too). This leaves the many sites still relying on host allowlists vulnerable to silent compromise.

E-Commerce Platforms

One of the most notable cases was the compromise of Ray-Ban’s official Indian online store (india.ray-ban.com), which was transformed into a phishing platform without the knowledge of its operators.

Attackers leveraged the site’s backend vulnerabilities to inject obfuscated JavaScript that redirected users to fraudulent payment pages, where victims were prompted to disclose their credit card details.

Image: The fake payment page

The issue, reported to Google in November 2024, persisted on multiple websites and continued to expose users to risk for months before remediation efforts took effect.

Analysis of affected sites revealed numerous injected scripts associated with abused Google endpoints, many of which specifically targeted popular e-commerce platforms like Adobe Commerce and Magento.

Network traffic captures showed a flurry of script requests to Google’s domains, each serving as a conduit for malicious payloads that ultimately redirected users to scam payment gateways (such as those hosted on montina[.]it and premium[.]vn).
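Spotting this pattern in a traffic capture comes down to looking at script loads from the abused hosts and inspecting the callback parameter. The triage script below is an added example and is not part of the article or of Source Defense's tooling; it takes request URLs (for instance exported from a proxy log or HAR file) and flags JSONP-style loads from the Google hosts the article names. The sample requests are constructed for this example, and their paths are illustrative rather than claims about specific Google endpoints.

```javascript
// Added example, not from the article: triage of request URLs for JSONP loads
// from watched hosts. Sample requests are constructed; paths are illustrative.

// Hosts the article reports as abused; extend as needed.
const WATCHED_HOSTS = new Set([
  "translate.googleapis.com",
  "accounts.google.com",
  "www.youtube.com",
]);

// Query parameter names commonly used to carry a JSONP callback.
const CALLBACK_PARAMS = ["callback", "cb", "jsonp", "jsoncallback"];

// Benign callback values are dotted identifiers; anything else is a statement.
const IDENTIFIER_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Identifiers that execute their argument as code, so even an identifier-only
// callback check on the server does not make them safe.
const CODE_EXEC_GLOBALS = new Set(["eval", "Function", "setTimeout", "setInterval", "execScript"]);

// Returns a finding for one request URL, or null if nothing is noteworthy.
function classifyRequest(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  if (!WATCHED_HOSTS.has(url.hostname)) return null;
  for (const param of CALLBACK_PARAMS) {
    const value = url.searchParams.get(param); // percent-decoded
    if (value === null) continue;
    if (!IDENTIFIER_RE.test(value)) {
      return { url: rawUrl, param, value, severity: "high",
               reason: "callback is not an identifier; treat as injected script" };
    }
    if (CODE_EXEC_GLOBALS.has(value.split(".").pop())) {
      return { url: rawUrl, param, value, severity: "high",
               reason: "callback is a code-executing global" };
    }
    return { url: rawUrl, param, value, severity: "info",
             reason: "JSONP load from watched host; confirm it is expected" };
  }
  return null;
}

function analyze(requests) {
  return requests.map(classifyRequest).filter(Boolean);
}

// Constructed sample: what a capture from a compromised storefront might contain.
const SAMPLE_REQUESTS = [
  // Ordinary translate widget loader with its usual identifier callback.
  "https://translate.googleapis.com/translate_a/element.js?cb=googleTranslateElementInit",
  // Callback carrying a statement; the trailing "//" comments out the data padding.
  "https://translate.googleapis.com/example/api?q=hello&callback=" +
    encodeURIComponent('window.location="https://fake-pay.example/";//'),
  // Identifier-only callback that still executes its argument as code.
  "https://accounts.google.com/example/api?callback=eval",
  // Script load from a watched host with no callback parameter at all.
  "https://www.youtube.com/iframe_api",
  // Not a watched host.
  "https://cdn.shop.example/assets/app.js",
];
```

Run `analyze(SAMPLE_REQUESTS)` and the two constructed attack URLs come back as high-severity findings while the widget loader is reported for review only. In practice the "info" findings are the ones worth a second look on a site that has no business loading JSONP from that host: a translate or YouTube script request from a checkout page that never embeds either is itself a signal.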

The persistence and sophistication of these attacks have raised alarms within the security community.

Malicious payloads delivered via trusted domains evade most detection mechanisms and erode consumer trust in established brands, all while the attackers avoid direct ad-buying costs.

Traditional security controls, even a well-tuned CSP, offer little defense against this breed of threat when the trusted endpoints themselves can be made to serve attacker-controlled script.

As web attackers continue to innovate, this campaign serves as a stark reminder for e-commerce operators and advertisers: constant vigilance and proactive monitoring are critical.

The use of legacy integrations like JSONP should be re-evaluated or deprecated in favor of safer, modern alternatives.

Until such measures are widely adopted, the risk of trusted domains being weaponized in malvertising campaigns remains an ongoing and significant challenge.
