Hackers are sneaking malware into your browser using Google's link, and antivirus software can't stop it


Yahoo, 7 hours ago

  • Attackers use real Google URLs to sneak malware past antivirus and into your browser undetected
  • This malware only activates during checkout, making it a silent threat to online payments
  • The script opens a WebSocket connection for live control, completely invisible to the average user

A new browser-based malware campaign has surfaced, demonstrating how attackers are now exploiting trusted domains like Google.com to bypass traditional antivirus defenses.
According to a report from security researchers at c/side, this method is subtle, conditionally triggered, and difficult for both users and conventional security software to detect.
It appears to originate from a legitimate OAuth-related URL, but covertly executes a malicious payload with full access to the user's browser session.
The attack begins with a script embedded in a compromised Magento-based ecommerce site which references a seemingly harmless Google OAuth logout URL: https://accounts.google.com/o/oauth2/revoke.
However, this URL includes a manipulated callback parameter, which decodes and runs an obfuscated JavaScript payload using eval(atob(...)).
The use of Google's domain is central to the deception - because the script loads from a trusted source, most content security policies (CSPs) and DNS filters allow it through without question.
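A defender-side check for the pattern described above, as an added example that is not from the original article or from c/side: it audits a page's script URLs and flags callback parameters that carry code instead of a plain function name, regardless of how trusted the host is. The function names, the list of parameter names and the sample HTML are assumptions constructed for illustration.

```javascript
// Added example: audit <script src> URLs for abused JSONP-style callback parameters.
// All names and the sample HTML are constructed for illustration.

// A legitimate JSONP callback is a dotted identifier path, e.g. "cb" or "app.onData".
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
// Parameter names to treat as callbacks (assumption; extend for your stack).
const CALLBACK_PARAMS = ['callback', 'jsonp', 'cb'];
// Calls that mean the value carries executable code rather than a function name.
const EXEC_TOKENS = /\b(eval|atob|Function)\s*\(/;

function extractScriptSrcs(html) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const srcs = [];
  for (const m of html.matchAll(re)) {
    // Attribute values are HTML-escaped; undo &amp; before URL parsing.
    srcs.push((m[1] ?? m[2] ?? m[3]).replace(/&amp;/gi, '&'));
  }
  return srcs;
}

function auditScriptUrl(src, baseUrl) {
  let url;
  try { url = new URL(src, baseUrl); } catch { return []; }
  const findings = [];
  for (const [name, value] of url.searchParams) {
    if (!CALLBACK_PARAMS.includes(name.toLowerCase())) continue;
    if (SAFE_CALLBACK.test(value)) continue; // plain function name: expected
    findings.push({
      host: url.hostname,
      path: url.pathname,
      param: name,
      severity: EXEC_TOKENS.test(value) ? 'high' : 'medium',
    });
  }
  return findings;
}

function auditPage(html, baseUrl) {
  return extractScriptSrcs(html).flatMap((src) => auditScriptUrl(src, baseUrl));
}

// Constructed sample; the base64 string decodes to the text "PLACEHOLDER".
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.example/api?x=1&amp;callback=app.onData"></script>
<script src="https://accounts.google.com/o/oauth2/revoke?callback=eval(atob('UExBQ0VIT0xERVI='))"></script>
<script src="https://widgets.example/feed?cb=foo;bar"></script>`;

console.log(auditPage(SAMPLE_HTML, 'https://shop.example/checkout'));
```

Because the check looks at the parameter value rather than the host, it still fires when the script URL sits on a domain that a CSP allowlist or DNS filter would pass.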
This script only activates under specific conditions. If the browser appears automated or the URL includes the word 'checkout,' it silently opens a WebSocket connection to a malicious server. This means it can tailor malicious behavior to user actions.
Any payload sent through this channel is base64-encoded, decoded, and executed dynamically using JavaScript's Function constructor.
The attacker can remotely run code in the browser in real time with this setup.
One of the primary factors influencing this attack's efficacy is its ability to evade many of the best antivirus programs currently on the market.
The script's logic is heavily obfuscated and only activates under certain conditions, making it unlikely to be detected by even the best Android antivirus apps and static malware scanners.
They will not inspect, flag, or block JavaScript payloads delivered through seemingly legitimate OAuth flows.
DNS-based filters or firewall rules also offer limited protection, since the initial request is to Google's legitimate domain.
In the enterprise environment, even some of the best endpoint protection tools may struggle to detect this activity if they rely heavily on domain reputation or fail to inspect dynamic script execution within browsers.
While advanced users and cybersecurity teams may use content inspection proxies or behavioral analysis tools to identify anomalies like these, average users are still vulnerable.
Limiting third-party scripts, separating browser sessions used for financial transactions, and remaining vigilant about unexpected site behaviors could all help reduce risk in the short term.