A new campaign of browser-based malware has emerged, revealing how hackers are now circumventing conventional antivirus protections by exploiting trusted domains like Google.com.
This technique, according to a report by security researchers at c/side, is subtle, conditionally triggered, and challenging for users and traditional security software to detect.
It appears to originate from a legitimate OAuth-related URL, but it actually runs a malicious payload with full access to the user’s browser session.
Malware hides in plain sight
The attack starts with a script injected into a compromised Magento-based e-commerce site that points to a seemingly harmless Google OAuth logout URL: https://accounts.google.com/o/oauth2/revoke.
However, a manipulated callback parameter in this URL uses eval(atob(…)) to decode and execute an obfuscated JavaScript payload, so the browser fetches what looks like a Google script while the code that actually runs comes from the attacker. The usage of Google’s domain is essential to the s
[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.
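The mechanism the article describes, a script tag whose src points at a trusted domain but smuggles code in a JSONP-style callback parameter, is something a site operator can scan for. The following is an added example written for this page, not code from c/side or from the article; it assumes the parameter is literally named callback and treats the accounts.google.com revoke endpoint named above as a known-abused endpoint. A legitimate JSONP callback is a bare function name, so any callback value that is not a plain identifier is flagged, and an atob('...') literal inside it is base64-decoded for triage. The sample HTML is constructed, with a harmless console.log string as the encoded payload.

```python
"""Scan page HTML for <script src> URLs that hide code in a callback parameter."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the article (known-abused); the JSONP-style callback value is
# where the payload is hidden so the request itself looks like Google traffic.
KNOWN_ABUSED_ENDPOINTS = {("accounts.google.com", "/o/oauth2/revoke")}
CALLBACK_PARAMS = ("callback",)  # assumption: the parameter name used in the campaign
IDENTIFIER = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")
SUSPICIOUS = re.compile(r"\b(eval|atob|Function)\s*\(", re.I)
ATOB_ARG = re.compile(r"atob\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


class ScriptSrcCollector(HTMLParser):
    """Collect every <script src=...> value on the page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def decode_atob_argument(callback):
    """Decode the first atob('...') literal in a callback value, for triage only."""
    match = ATOB_ARG.search(callback)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def inspect_script_src(src):
    """Return a finding dict if the URL smuggles code in a callback parameter, else None."""
    parts = urlsplit(src)
    query = parse_qs(parts.query, keep_blank_values=True)
    for param in CALLBACK_PARAMS:
        for value in query.get(param, []):
            # A genuine JSONP callback is a bare (optionally dotted) function name.
            if IDENTIFIER.match(value):
                continue
            return {
                "src": src,
                "host": parts.hostname,
                "param": param,
                "callback": value,
                "known_abused_endpoint": (parts.hostname, parts.path) in KNOWN_ABUSED_ENDPOINTS,
                "has_eval_or_atob": bool(SUSPICIOUS.search(value)),
                "decoded": decode_atob_argument(value),
            }
    return None


def scan_html(html):
    """Scan a page's HTML and return findings for every suspicious script source."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return [f for f in (inspect_script_src(s) for s in collector.srcs) if f]


# Constructed sample page: one benign script, one abusive revoke URL whose callback
# carries eval(atob(...)) (the blob decodes to console.log('constructed sample')),
# and one revoke URL with a legitimate plain-identifier callback.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script src="https://accounts.google.com/o/oauth2/revoke?callback=eval(atob('Y29uc29sZS5sb2coJ2NvbnN0cnVjdGVkIHNhbXBsZScp'))"></script>
<script src="https://accounts.google.com/o/oauth2/revoke?callback=onLogout"></script>
</head></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Running the script on the sample reports only the second script tag: the host is accounts.google.com, the endpoint is the known-abused one, the callback contains eval( and atob(, and the decoded blob shows what would have executed. Feeding it a crawl of your own storefront's pages gives a quick integrity check for this specific injection pattern; the identifier rule is what makes it generalize beyond the one endpoint, since no real JSONP callback contains parentheses or quotes.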
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents