Latest news with #GoogleOAuth
Yahoo
12 hours ago
Hackers are sneaking malware into your browser using Google's link, and antivirus software can't stop it
- Attackers use real Google URLs to sneak malware past antivirus and into your browser undetected
- This malware only activates during checkout, making it a silent threat to online payments
- The script opens a WebSocket connection for live control, completely invisible to the average user

A new browser-based malware campaign has surfaced, demonstrating how attackers are now exploiting trusted domains like to bypass traditional antivirus defenses. According to a report from security researchers at c/side, this method is subtle, conditionally triggered, and difficult for both users and conventional security software to detect. It appears to originate from a legitimate OAuth-related URL, but covertly executes a malicious payload with full access to the user's browser session.

The attack begins with a script embedded in a compromised Magento-based ecommerce site which references a seemingly harmless Google OAuth logout URL:

However, this URL includes a manipulated callback parameter, which decodes and runs an obfuscated JavaScript payload using eval(atob(...)). The use of Google's domain is central to the deception: because the script loads from a trusted source, most content security policies (CSPs) and DNS filters allow it through without question.

This script only activates under specific conditions. If the browser appears automated or the URL includes the word 'checkout,' it silently opens a WebSocket connection to a malicious server. This means it can tailor malicious behavior to user actions. Any payload sent through this channel is base64-encoded, decoded, and executed dynamically using JavaScript's Function constructor. With this setup, the attacker can remotely run code in the browser in real time.

One of the primary factors influencing this attack's efficacy is its ability to evade many of the best antivirus programs currently on the market.
The script's logic is heavily obfuscated and only activates under certain conditions, making it unlikely to be detected by even the best Android antivirus apps and static malware scanners. They will not inspect, flag, or block JavaScript payloads delivered through seemingly legitimate OAuth flows. DNS-based filters or firewall rules also offer limited protection, since the initial request is to Google's legitimate domain.

In the enterprise environment, even some of the best endpoint protection tools may struggle to detect this activity if they rely heavily on domain reputation or fail to inspect dynamic script execution within browsers.

While advanced users and cybersecurity teams may use content inspection proxies or behavioral analysis tools to identify anomalies like these, average users are still vulnerable. Limiting third-party scripts, separating browser sessions used for financial transactions, and remaining vigilant about unexpected site behaviors could all help reduce risk in the short term.
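One way a site owner could audit page markup for the callback-parameter pattern described in the article above. This is an added example, not code from the c/side report or from the article; the function name, the list of callback parameter names, and all hosts and URLs are hypothetical placeholders.

```javascript
// Added example: audit <script src> URLs for JSONP-style callback abuse.
// All hosts and URLs below are constructed placeholders, not values from the report.
const CALLBACK_PARAMS = ['callback', 'jsonp', 'cb']; // assumed parameter names
// A legitimate JSONP callback is a plain (optionally dotted) identifier.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const DYNAMIC_EXEC = /\b(eval|atob|Function|setTimeout|setInterval)\s*\(/;

function auditScriptSources(html, pageUrl) {
  const findings = [];
  const scriptSrc = /<script\b[^>]*\bsrc\s*=\s*(["'])(.*?)\1/gi;
  for (const match of html.matchAll(scriptSrc)) {
    let url;
    try {
      // Undo HTML entity encoding of '&' before parsing the URL.
      url = new URL(match[2].replace(/&amp;/g, '&'), pageUrl);
    } catch {
      findings.push({ src: match[2], reason: 'unparseable src' });
      continue;
    }
    for (const name of CALLBACK_PARAMS) {
      // searchParams.getAll() returns percent-decoded values.
      for (const value of url.searchParams.getAll(name)) {
        if (SAFE_CALLBACK.test(value)) continue;
        findings.push({
          host: url.hostname,
          param: name,
          reason: DYNAMIC_EXEC.test(value)
            ? 'callback contains dynamic code execution'
            : 'callback is not a plain identifier',
          value: value.slice(0, 60), // truncate for logging
        });
      }
    }
  }
  return findings;
}

// Constructed sample page: one normal JSONP include, one abusive one.
const samplePage = `
<script src="https://accounts.trusted.example/api?callback=handleResult"></script>
<script src="https://accounts.trusted.example/o/logout?callback=eval(atob(%27MQ%3D%3D%27))"></script>
`;
console.log(auditScriptSources(samplePage, 'https://shop.example/checkout'));
```

Because the check looks at the query string rather than the host, it flags the include even when the domain is on a CSP or DNS allowlist.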


Jordan News
22-05-2025
Urgent Warning from Google: Delete Emails from This Address Immediately
Google has issued an urgent warning to Gmail users worldwide about a wave of dangerous cyberattacks targeting accounts through emails that appear official and come from "[email protected]"—but are actually fraudulent messages designed to steal sensitive information.

These phishing emails attempt to deceive users by pretending to be a legal notice from Google, claiming the company has received a court order to hand over account contents to law enforcement. In reality, the message contains a malicious link leading to a fake support page hosted on platforms affiliated with Google, giving it a false sense of legitimacy.

According to cybersecurity experts, clicking the link grants hackers access to the user's email and files. In some cases, downloading fake files can install malware capable of stealing passwords and banking information—or even taking full control of the device.

In a related update, Google announced the end of security support for three of its most popular Android phones, putting them at high risk of cyberattacks, as they will no longer receive critical security updates.

Meanwhile, Nick Johnson, a former Google developer, explained that this attack exploits official authentication tools like Google OAuth, tricking users with accurately mimicked login pages.

Google strongly emphasized the importance of ignoring and immediately deleting such emails. The company also warned against clicking any suspicious links or downloading attachments from untrusted sources. The tech giant advised users to visit the official support site— verify any notifications, and recommended using Passkeys instead of traditional two-factor authentication, as they offer stronger protection against these types of attacks.

Cybersecurity firms also urged users to check the full email address, not just the display name in their inbox. These phishing emails are often sent from unusual addresses that begin with the word "me", which can easily mislead users.


Metro
21-05-2025
Warning to 1,800,000,000 Gmail users over sophisticated scam
Gmail users have been warned about a highly convincing scam email that appears to come from Google themselves. The email seems to come from no-reply@ which is the address that real security updates come from. It links to a webpage hosted by Google, too, which is another convincing sign. But the website was not made by them; it was made by scammers trying to trick you.

The email claims that 'a subpoena was served on Google LLC requiring us to produce a copy of your Google Account content'. It links to a domain designed to look like Google's genuine support page. However, the real support webpage is on while the 'sites' domain is one that anyone can build a free webpage on. Ordinary users are unlikely to know or notice this, however, and could inadvertently grant scammers permissions that could allow them access, or target you with malware.

Security software firm Kaspersky said that there are other clues, too. If you look closer at the email details, the to and mailed-by fields contain a jumble of letters of emails which have nothing to do with Google, showing me[@]googl-mail-smtp-out-198-142-125-38-prod[.]net and

The scam was first revealed by tech developer Nick Johnson. The scammers used Google OAuth technology, which is what you see when you use your Google details to sign into a different app. Those who fell victim to the scam approved the permissions thinking they were giving Google themselves permission. It is not clear exactly what the scammers hoped to achieve by this, but it could involve data theft or infecting the victim with malware.

Kaspersky said that when an OAuth app is registered, 'the web application administrator can manually enter completely arbitrary text in the App Name field – this is what the criminals apparently took advantage of.'

The mechanism that attackers used to do this has now been shut down, which will prevent this method of attack from working in future.
A Google spokesperson said: 'We're aware of this class of targeted attack from this threat actor and have rolled out protections to shut down this avenue for abuse.

'In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.'

They recently issued guidance on spotting scams, saying they will not ask for any of your account credentials, including your password, one-time passwords, confirm push notifications, and will not call you.


Hindustan Times
23-04-2025
Gmail scam: Google says users have 7 days to recover hacked accounts
There was a major scare recently involving Gmail and emails in general, after a new phishing scam was brought to light. Developer Nick Johnson reported that scammers were using extremely sophisticated phishing attacks to generate official-looking emails, which appeared to originate directly from Google.

This issue stemmed from Google's legacy products, where hackers exploited content hosting on a Google subdomain that supported arbitrary scripts and embeds. They were able to create a Google account intended to scam users. The attackers then created a Google OAuth application and generated a security alert, which was sent directly to users' inboxes.

Google confirmed in a statement to Newsweek that it was working on a fix. Now, according to a report by Forbes, Google has since issued a new advisory explaining recovery of compromised Gmail accounts. Google confirmed to Forbes that protections against this type of attack are in the works and will be deployed soon. This will close off this particular avenue for abuse, Google said.

Fortunately, if a user gets locked out of their account and the hacker changes the password, Google says users have up to seven days to recover access using available recovery methods. However, users must act quickly once an attacker has taken control of their account. At the same time, a Google spokesperson also emphasised that users should be using security keys or passkeys to prevent such problems in the first place.

Additionally, Google recommends that users set up proper recovery options, such as a recovery email linked to their account. This can also be useful in cases where you forget your password or if a hacker changes your credentials after compromising the account. You may also choose to receive a sign-in code at your previous recovery email during this time (7 day window).

All in all, you need to have a recovery email set up, a primary phone number linked to your account, enable updates about suspicious activity, and of course, use security features like passkeys to keep your account secure.

Earlier, in a confirmation to Newsweek, Google said, 'We're aware of this class of targeted attack from the threat actor, Rockfoils, and have been rolling out protections for the past week. These protections will soon be fully deployed, which will shut down this avenue for abuse.' It added, 'In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns.'