Hackers are hiding malicious code inside the metadata fields of images hosted on Google’s official CDN (content delivery network) —googleusercontent.com.

The type of images that are being hosted on this domain are usually the photos uploaded on Blogger.com sites and the Google+ social network.

Denis Sinegubko, a security researcher with web security firm Sucuri (now part of GoDaddy), has recently discovered one malware distribution campaign where the GoogleUserContent CDN was used to host one such malicious image.

From EXIF field to web shell

In a report published on Wednesday, Sinegubko says he found a malware operation focused on stealing PayPal security tokens (for bypassing PayPal authentication) where crooks were loading an image hosted on googleusercontent.com, extracting and then executing code found in its “UserComment” EXIF metadata field.

The code contained in that field was a Base64-encoded string that when decoded multiple times would end up being a script that could upload a predefined web shell on the compromised server, along with various other files.

This web shell could then be used for defacing the server, and emailing the addresses of successfully exploited sites back to the attacker.

Issues with taking down the malicious image

What drew Sinegubko’s attention to this case was not the trick of hiding malicious code inside an image’s EXIF fields, but the use of the GoogleUserContent CDN to host these files.

Crooks have hidden malicious code in image metadata fields before, or in the image itself (a technique known as steganography).

Hosting the images on the GoogleUserContent CDN was…