Hackers Turn Trusted Shopping Sites into Phishing Traps Using Google Tools

A new and sneaky cyberattack is targeting popular e-commerce websites, turning them into traps that steal shoppers' credit card details—without the knowledge of the website owners or advertisers.

This scam, uncovered by researchers at GeoEdge, uses a clever trick to hide malicious code in online stores. The hackers abuse JSONP (JSON with Padding) responses served from Google endpoints to sneak dangerous code into trusted websites. These scripts then quietly redirect shoppers to fake payment pages that look real, where their card details are stolen.

What makes this attack especially dangerous is that it doesn’t rely on shady ads or suspicious pop-ups. Instead, it hides behind clean-looking ads and real storefronts. People believe they’re shopping safely on trusted sites, when in reality, the danger is hidden beneath the surface.

One known victim of this scam is the official Indian website of Ray-Ban (india.ray-ban.com). Hackers managed to break into the site’s backend and use it as a tool to scam unsuspecting buyers.

The attackers benefit in two major ways: they use the brand’s good reputation to gain trust, and they take advantage of the brand’s online marketing to bring in traffic—traffic that ends up being scammed.

Even though the number of these attacks is still small, experts are worried because the method is persistent and hard to detect. The problem was reported to Google in November 2024, but many affected websites are still vulnerable today.

Technically, the hackers abuse JSONP responses from trusted Google domains. This lets them get past the browser's normal script-loading restrictions, since most websites explicitly allow content from Google domains without question.

Here’s how the trick works: a website makes a normal request to a Google API, but includes a callback function. The response from Google wraps the data in that function—something like:

malicious_function({"result": "data"});

Because the callback name comes from the request, the response runs whatever function the attacker named, right inside a real website. These attacks have been seen on many e-commerce platforms, especially those using Adobe Commerce and Magento. The fake payment pages users are redirected to are hosted on domains like montina[.]it and premium[.]vn.
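One way a site owner can check for this pattern is to list every script the storefront loads and flag JSONP requests to allowlisted third-party domains whose callback name is not one the site's own code defines. The example below is added here and is not GeoEdge's or the article's code; the domain list, callback parameter names, the expected-callback set and the sample script URLs are all assumptions constructed for illustration.

```javascript
// Added example (not from the article): flag <script src> loads that carry a
// JSONP callback to a trusted third-party domain. All inputs are constructed.

// Third-party domains the storefront's policy already trusts (assumed list).
const TRUSTED_THIRD_PARTIES = ["google.com", "googleapis.com", "gstatic.com"];
// Query parameters commonly used to name the JSONP callback (assumed list).
const CALLBACK_PARAMS = ["callback", "jsonp", "cb"];
// Callback names the site's own JavaScript actually defines (assumed).
const EXPECTED_CALLBACKS = new Set(["onMapsLoaded"]);

function hostMatches(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

// Returns one finding per JSONP-style load to a trusted domain. A finding with
// expected === false means the response will call a function the site never
// defined, which is exactly the hook this attack relies on.
function findJsonpLoads(scriptSrcs, pageOrigin) {
  const findings = [];
  for (const src of scriptSrcs) {
    let url;
    try {
      url = new URL(src, pageOrigin); // resolves relative paths against the page
    } catch {
      continue; // unparsable src: not a JSONP load we can reason about
    }
    const trusted = TRUSTED_THIRD_PARTIES.some((d) => hostMatches(url.hostname, d));
    if (!trusted) continue; // only trusted domains bypass the site's policy
    for (const param of CALLBACK_PARAMS) {
      const cb = url.searchParams.get(param);
      if (cb === null) continue;
      findings.push({ src, host: url.hostname, param, callback: cb, expected: EXPECTED_CALLBACKS.has(cb) });
    }
  }
  return findings;
}

function suspiciousJsonpLoads(scriptSrcs, pageOrigin) {
  return findJsonpLoads(scriptSrcs, pageOrigin).filter((f) => !f.expected);
}

// Constructed sample script list: a legitimate JSONP load, an unexpected one,
// a plain third-party script and a first-party script. Paths are placeholders.
const SAMPLE_SCRIPT_SRCS = [
  "https://maps.googleapis.com/placeholder/api?key=PLACEHOLDER&callback=onMapsLoaded",
  "https://www.googleapis.com/placeholder/endpoint?q=x&callback=window.__checkoutHook",
  "https://www.gstatic.com/placeholder/loader.js",
  "/static/app.js",
];
```

In a browser the same check can be run over `Array.from(document.scripts, s => s.src)` with `location.origin` as the page origin.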

Because everything looks normal on the surface, regular security systems often fail to catch these scams. Experts warn that this kind of attack could spread quickly and advise online shoppers to stay alert—even when shopping on trusted websites.

