Malvertising’s New Threat: Exploiting Trusted Google Domains

A new malvertising scheme is turning legitimate e-commerce sites into phishing traps without the knowledge of site owners or advertisers. By exploiting the sites' integrations with Google APIs, attackers inject malicious scripts into e-commerce sites through JSONP calls. These scripts quietly redirect buyers to fraudulent payment pages, tricking them into disclosing credit card details in the belief that they are paying trusted merchants.

Unlike traditional malvertising campaigns that rely on suspicious ads or redirects, this attack weaponizes the legitimacy of high-quality sites and clean ad placements. Shoppers click on legitimate ads and visit real storefronts only to encounter invisible threats hidden beneath the surface.

One notable example is Ray-Ban’s Indian store (india.ray-ban.com), where attackers managed to compromise the site’s backend, transforming a trusted destination into an unwitting phishing platform. The scheme gives attackers a double advantage: they hijack the credibility of established brands and leverage the brands’ own marketing investments to drive traffic to their scams, all without spending a dime on distribution.

 
Figure 1: Examples of Legitimate Ray-Ban Ads
Figure 2: Additional Legitimate Ray-Ban Ads

Although the scale of the current attack remains small, its persistence is alarming.
The threat was disclosed to Google in November 2024, yet several compromised sites remain active, exposing users to ongoing risk.

When attackers seek ways to abuse trusted domains, even standard security measures can fail. One method involves exploiting JSONP endpoints to deliver malicious scripts while flying under the radar.

JSONP (JSON with Padding) is a technique that was once commonly used to bypass the same-origin policy – a browser security rule that prevents web pages from making requests to a different domain.

It works by injecting a <script> tag into the page to load data from another domain – something that standard AJAX methods (like XHR or Fetch) cannot do due to security restrictions.

 

How It Works

  1. The client appends a callback parameter to an API request.
  2. The server responds with a script that calls the provided callback function, passing the data as an argument.
  3. The browser executes the script, allowing the client to access the data.
Figure 3: Example of possible Client-Side Request (Browser)
Figure 4: Example of possible Server Response
Figure 5: Example of script execution
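The three steps above, as an added example that is not code from the original post: a JSONP client and server round trip in Node.js, including the callback-name check a safe endpoint needs before it echoes the parameter into the script it serves. The endpoint URL, the data and the function names are assumptions.

```javascript
// Constructed example: endpoint, data and the function names are assumptions.
const ENDPOINT = "https://api.example.test/products";

// Step 1 (client): append the callback name to the API request URL.
function buildJsonpUrl(callbackName) {
  const u = new URL(ENDPOINT);
  u.searchParams.set("callback", callbackName);
  return u.toString();
}

// A legitimate callback is a plain JavaScript identifier. Parentheses,
// operators or whitespace make it code, not a name, and a safe endpoint
// must refuse to echo it into the script it serves.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
function isSafeCallbackName(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// Step 2 (server): wrap the JSON in a call to the callback. validate:false
// models a naive endpoint that reflects the parameter verbatim, which is
// what lets an allow-listed host serve attacker-chosen script.
function jsonpResponse(requestUrl, data, { validate = true } = {}) {
  const cb = new URL(requestUrl).searchParams.get("callback") || "callback";
  if (validate && !isSafeCallbackName(cb)) {
    return { status: 400, body: "" };
  }
  return { status: 200, body: `/**/${cb}(${JSON.stringify(data)});` };
}

// Step 3 (browser): the response is executed as a script in the page.
// Emulated with new Function, where the callback is the only name the
// script can reach.
function runJsonpResponse(body, callbackName) {
  let received = null;
  new Function(callbackName, body)((data) => { received = data; });
  return received;
}

// Full round trip with a well-formed callback name.
function demo() {
  const url = buildJsonpUrl("cb");
  const res = jsonpResponse(url, { id: 7, price: 99.5 });
  return runJsonpResponse(res.body, "cb");
}
```

Calling demo() returns the decoded object; the same request with a callback such as "cb()" is refused with status 400 by the validating endpoint and reflected verbatim by the naive one.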

Security Concerns

  • No control over the response: the returned script executes immediately, making it a security risk.
  • Possible XSS attacks: if an attacker compromises the API, they can inject malicious JavaScript. (XSS: Cross-Site Scripting)
  • No built-in error handling: unlike the fetch method, JSONP cannot detect network errors.

When Trust Backfires: JSONP Vulnerabilities in Google APIs

Not only have the risks associated with JSONP been exploited numerous times, but even major platforms like Google have delivered vulnerable APIs, such as translate.googleapis.com, accounts.google.com, and www.youtube.com.

A major concern with these vulnerabilities is that they bypass Content Security Policy (CSP), since most websites explicitly allow Google’s domains. As a result, even strict CSP configurations won’t block malicious JSONP payloads from these trusted sources, and attackers can inject malicious JavaScript into websites.

This vulnerability was initially discovered by Source Defense’s research team and disclosed to Google on November 19, 2024 (Issue ID: 379818473).

In their research they unveil a sophisticated attack chain that exploits this vulnerability against e-commerce payment systems, leading users to fake payment pages.

 

Google Domain Exploitation Chain in Malvertising

This sophisticated exploitation chain has also been seen in malvertising, where clicking on a legitimate ad leads users to a compromised landing page that serves as an attack vector.

These websites appeared to have numerous injected scripts associated with the hosts mentioned above. All instances featured the same obfuscated JavaScript payload, ultimately redirecting the targeted user to a payment page hosted on montina[.]it or premium[.]vn.

Figure 6: Captured network traffic from a compromised website, showing many abused requests
Figure 7: Captured network traffic from another compromised website, showing the abused requests to all Google domains
Figure 8: The malicious script injected in the compromised website
Figure 9: The Fake Payment Page (from Source Defense's Blog)

Many of the compromised online stores identified in the system were not only affected by this exploit but also contained additional injected scripts specifically targeting Adobe Commerce and Magento platforms.

One of the affected sites was https://india.ray-ban.com/ which had previously been reported as compromised due to a security vulnerability known as CosmicSting.
The site has since remediated the issue and is no longer serving malicious code.

How Attackers Can Leverage It

Malvertising attacks often rely on deceptive techniques to deliver harmful payloads through legitimate advertising channels.
One of the most disruptive attacks in this space is an Auto Redirect.

These attacks significantly damage the user experience: visitors are unexpectedly redirected to scam or malicious pages without clicking on anything. This not only undermines trust but also causes users to abandon the site altogether, which can severely affect publisher reputation and revenue.

Threat actors can exploit vulnerabilities, such as the one discussed here, to bypass CSP protections and silently redirect users to malicious destinations.

These redirects can be triggered by malicious scripts injected through Google JSONP URLs.

 
Figure 10: Example of a Potential Malicious Tag Structure

Monitoring for suspicious script injections, even when they originate from seemingly safe sources, is crucial as threat actors continue to exploit trusted infrastructure.
Maintaining constant vigilance is essential to protect users and preserve site integrity.
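One form of the monitoring just described, as an added example rather than GeoEdge's own tooling: a small Node.js check that pulls external script sources out of a page and flags JSONP-style URLs on the Google hosts named above whose callback parameter is code rather than a function name. The sample HTML, the endpoint paths and the list of parameter names are constructed assumptions.

```javascript
// Hosts named in the article; paths and parameter names below are assumptions.
const TRUSTED_JSONP_HOSTS = new Set([
  "translate.googleapis.com",
  "accounts.google.com",
  "www.youtube.com",
]);
const CALLBACK_PARAMS = ["callback", "jsonp", "cb"];
// A benign callback is an identifier, optionally dotted (e.g. "app.onData").
const IDENT_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Pull every external script source out of the markup.
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Inspect one script URL; returns null when nothing looks wrong.
function inspectScriptUrl(src) {
  let u;
  try { u = new URL(src); } catch { return null; }   // relative or malformed
  if (!TRUSTED_JSONP_HOSTS.has(u.hostname)) return null;
  for (const p of CALLBACK_PARAMS) {
    const v = u.searchParams.get(p);
    if (v !== null && !IDENT_RE.test(v)) {
      return { host: u.hostname, param: p, value: v };
    }
  }
  return null;
}

function findSuspiciousJsonp(html) {
  return extractScriptSrcs(html)
    .map((src) => ({ src, finding: inspectScriptUrl(src) }))
    .filter((x) => x.finding !== null);
}

// Constructed sample page: an ordinary Google tag, a benign JSONP call, and
// one whose callback carries statements instead of a function name.
const SAMPLE_HTML = `
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://translate.googleapis.com/jsonp-endpoint?cb=onTranslateReady"></script>
<script async src="https://accounts.google.com/jsonp-endpoint?callback=run();cb"></script>
`;
```

Running findSuspiciousJsonp over fetched page markup gives one finding per script tag that an allow-listing CSP would otherwise let through, which is the signal to raise an alert on.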

 

GeoEdge safeguards your online environment by blocking malicious ads before they can cause harm, offering robust solutions to prevent malicious attacks from infiltrating your site. 
