
The Fake Payment Page (from Source Defense's Blog)
Threat actors are now turning the very trust consumers place in legitimate e-commerce sites against them. A new malvertising campaign, uncovered by researchers at Source Defense and documented by GeoEdge, reveals how attackers are exploiting integrations with Google APIs to quietly inject malicious scripts into high-profile retail sites.
“Unlike traditional malvertising campaigns that rely on suspicious ads or redirects, this attack weaponizes the legitimacy of high-quality sites and clean ad placements,” the report warns.
The scheme hinges on the abuse of JSONP (JSON with Padding), a legacy web technique that predates CORS. Because the same-origin policy blocks cross-origin XMLHttpRequest but not cross-origin script loads, a JSONP client adds a script tag pointing at the API with a callback parameter, and the API answers with JavaScript that calls that function with the requested data. That response runs in the calling page's own context, so an endpoint that reflects the caller-supplied callback name verbatim is effectively a script-injection point. When such an endpoint lives on a Google domain that the victim site already trusts, the two combine into a perfect storm.
“JSONP vulnerabilities in Google APIs… bypass Content Security Policy (CSP) since most websites explicitly allow Google’s domains,” explains the report.
This means that even sites with tight security controls remain exposed when malicious payloads are delivered through trusted sources such as translate.googleapis.com or accounts.google.com: a host-based script-src allowlist permits every script the browser fetches from an allowlisted host, including a JSONP response whose callback parameter the attacker chose.
One striking example cited in the report is Ray-Ban’s official Indian website, india.ray-ban.com. The attackers compromised its backend to covertly redirect users to fake payment pages.
“They hijack the credibility of established brands and leverage the brands’ own marketing investments to drive traffic to their scams, all without spending a dime on distribution,” GeoEdge notes.
Captured network logs show extensive abuse of Google domains, with malicious JavaScript ultimately redirecting shoppers to phishing domains such as montina[.]it and premium[.]vn.
Here’s how the JSONP exploit chain typically unfolds:
- A legitimate ad leads users to a compromised e-commerce site.
- A script injected into the site adds a script tag that calls a JSONP endpoint on a trusted Google domain, with an attacker-chosen callback parameter.
- The endpoint reflects that callback parameter into its response, so what comes back, and what the browser executes as a script from an allowlisted host, is the attacker's JavaScript.
- Users are silently redirected to a fake payment page, where they enter their credit card details under the assumption of secure checkout.
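The chain above, as an added example that is not code from the Source Defense or GeoEdge report and not Google's own endpoint. The naive JSONP endpoint, the page's CSP, the endpoint path and the phishing URL are all constructed to show the mechanism: a CSP that allowlists Google hosts still lets an injected script tag load from one of them, and a reflected callback turns that load into attacker-controlled JavaScript.

```javascript
// Added example, not from the original report. The endpoint, CSP and URLs
// below are constructed stand-ins, not a specific real vulnerability.

// A naive JSONP endpoint: the caller-supplied callback name is reflected
// verbatim in front of the JSON payload, and the whole string is served as
// JavaScript, so whatever the caller put in ?callback= gets executed.
function naiveJsonpResponse(callbackParam, data) {
  return `${callbackParam}(${JSON.stringify(data)});`;
}

// Minimal script-src evaluation: does this page's CSP allow a <script>
// element whose src is scriptUrl? Supports 'self', exact origins and
// https://*.example.com wildcards, which is all the example needs.
function cspAllowsScript(csp, pageOrigin, scriptUrl) {
  const directive = csp
    .split(';')
    .map(d => d.trim())
    .find(d => d.startsWith('script-src'));
  if (!directive) return false;
  const url = new URL(scriptUrl);
  return directive.split(/\s+/).slice(1).some(src => {
    if (src === "'self'") return url.origin === pageOrigin;
    if (src.startsWith('https://*.')) {
      return url.protocol === 'https:' &&
        url.hostname.endsWith(src.slice('https://*'.length));
    }
    return url.origin === src;
  });
}

// Simulate one hop of the chain: an injected <script src=...> tag pointing at
// an allowlisted JSONP endpoint. Returns whether the CSP lets it load and the
// JavaScript the browser would run if the endpoint reflects the callback.
function simulateInjectedScript(csp, pageOrigin, scriptUrl, endpointData) {
  const callback = new URL(scriptUrl).searchParams.get('callback') || '';
  return {
    allowedByCsp: cspAllowsScript(csp, pageOrigin, scriptUrl),
    executedJs: naiveJsonpResponse(callback, endpointData),
  };
}

// Constructed inputs: a tight-looking CSP that still allowlists Google hosts,
// and an injected tag whose "callback" is a redirect to a fake payment page.
const PAGE_ORIGIN = 'https://shop.example';
const PAGE_CSP =
  "default-src 'self'; script-src 'self' https://*.googleapis.com https://accounts.google.com";
const INJECTED_SRC =
  'https://translate.googleapis.com/example-jsonp?callback=location.assign("https://phish.example/pay");//';
```

Calling `simulateInjectedScript(PAGE_CSP, PAGE_ORIGIN, INJECTED_SRC, { translated: 'Checkout' })` reports the load as allowed by CSP and returns `location.assign("https://phish.example/pay");//({"translated":"Checkout"});` as the script the browser would execute; the trailing `//` comments out the JSON the endpoint appended, which is why an arbitrary callback value is enough.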
“The browser executes the script, allowing the client to access the data,” the report explains, outlining the basic mechanism of JSONP.
Unlike typical phishing campaigns hosted on sketchy domains, this scheme piggybacks on the infrastructure and credibility of global brands. The campaign’s scale may still be limited, but the implications are massive:
- Bypassing CSP: Because most sites allowlist Google domains, the browser executes a malicious JSONP response as just another script from a trusted host.
- Auto Redirects: Users are redirected without clicking, eroding user trust and damaging brand reputation.
- Zero Spend Distribution: Attackers exploit existing ad budgets from legitimate brands.
“When attackers seek ways to abuse trusted domains, even standard security measures can fail,” warns GeoEdge.
While the report confirms that Ray-Ban’s Indian store has since been cleaned up, the broader infrastructure exploited by this scheme remains vulnerable.
Security experts urge website owners to:
- Audit and disable legacy JSONP endpoints where possible.
- Monitor traffic for suspicious script injections, even from trusted sources.
- Implement runtime client-side protection to detect unauthorized behavior.
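Two of these recommendations in working form, as an added example that is not code from the report: a callback allowlist for a legacy JSONP endpoint that cannot yet be retired (the first recommendation), and a scanner that flags reflected-callback abuse in captured script URLs (the second). The function names, the response format and the sample URLs are constructed for the example.

```javascript
// Added example, not from the original report. Endpoint paths and the
// captured URLs below are constructed sample data.

// Only a dotted JavaScript identifier is accepted as a callback name. This is
// the one check that turns a JSONP endpoint from "executes caller input" into
// "calls a function the caller merely names".
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallback(name) {
  return typeof name === 'string' && name.length <= 64 && SAFE_CALLBACK.test(name);
}

// Hardened JSONP response: rejects anything but a plain identifier and sends
// the headers a JSONP endpoint should always send (script MIME type, nosniff).
// Returned as a plain object so it can be checked without a server.
function hardenedJsonpResponse(callbackParam, data) {
  if (!isSafeCallback(callbackParam)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `/**/${callbackParam}(${JSON.stringify(data)});`,
  };
}

// Detection side: given script URLs captured from network logs or a runtime
// monitor, flag any JSONP-style callback parameter that is not a bare
// identifier. Trusted hosts are scanned like any other, since that is the
// whole point of this campaign.
const CALLBACK_PARAMS = ['callback', 'cb', 'jsonp', 'jsonpcallback'];

function findJsonpAbuse(scriptUrls) {
  const findings = [];
  for (const raw of scriptUrls) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip unparsable lines
    for (const [key, value] of url.searchParams) {
      if (!CALLBACK_PARAMS.includes(key.toLowerCase())) continue;
      if (!isSafeCallback(value)) {
        findings.push({ host: url.hostname, param: key, value });
      }
    }
  }
  return findings;
}

// Constructed sample of script src values: one legitimate JSONP call, two
// with injected callbacks on trusted hosts, one ordinary first-party script.
const CAPTURED_SCRIPT_SRCS = [
  'https://translate.googleapis.com/example-jsonp?callback=handleTranslation',
  'https://translate.googleapis.com/example-jsonp?callback=location.assign("https://phish.example/pay");//',
  'https://accounts.google.com/example-jsonp?cb=window.top.location=%22https://phish.example%22;//',
  'https://shop.example/static/checkout.js',
];
```

`findJsonpAbuse(CAPTURED_SCRIPT_SRCS)` returns two findings, both on Google hosts, and leaves the legitimate `handleTranslation` call alone; the same `isSafeCallback` predicate is what makes `hardenedJsonpResponse` answer 400 to the injected values. Hosts that cannot remove JSONP should at minimum validate the callback this way and prefer CORS for new integrations.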
“Maintaining constant vigilance is essential to protect users and preserve site integrity,” concludes the report.