Tech Support Scammers Engage in Cross-Site Scripting Tricks

  • Multiple redirections and XSS exploits help tech support scammers channel social media users to their domains.
  • The actors rely on a popular Peruvian news site, which is vulnerable to cross-site scripting attacks.
  • The goal is to convince the victim that they have an infection that can be dealt with by a supposed tech support team.

There’s a new tech support scam campaign going on right now, targeting Facebook users and employing cross-site scripting (XSS) tricks to avoid detection. According to a report by Malwarebytes researchers, crooks are posting links on Facebook instead of relying on malvertizing as usual.

The links are shortened through “,” and to help avoid blacklisting issues, the actors are regularly refreshing the redirection URLs. Over three months, they used 50 different links placed inside apps and games so they can stay better hidden and avoid raising any flags.

Those who are tricked and click on the shared links are passed through a second-stage redirection that takes them through a Peruvian news website, “rpp[.]pe.” This site contains a cross-site scripting vulnerability, which is exploited by the scammers to achieve an open redirection. This step is important as it adds legitimacy to the URL that is shared on social media platforms. In this case, the site is very popular, so Facebook wouldn’t flag it as potentially malicious.

Source: Malwarebytes

The next redirection takes victims to buddhosi[.]com, which is a malicious domain. That domain has already been blacklisted, and if your browser is set to block scripts and trackers, it won’t work. Also, if your IP address isn’t in the United States, the site won’t serve you the malicious JS code.

Related: How Scammers are Still Making Millions from Defrauding Facebook Users

The scammers are attempting to run a JavaScript snippet to achieve further redirections to seemingly legitimate tech support sites. Examples of the cloaking domains used during the monitoring period include:

  • buddhosi[.]com
  • joinspinclass[.]com
  • suddhosi[.]com
  • thourwiringus[.]com
  • totalgodin[.]com
  • tuoliushigao[.]com

As for the randomly generated browlock domains where victims end up next, these can be anything using the following top-level domains:

  • .casa
  • .site
  • .space
  • .club
  • .icu
  • .bar
Source: Malwarebytes

Malwarebytes logged over 500 domains during their monitoring, so the list of compromise indicators is pretty extensive. In most of these domains, the browser is fingerprinted to display valid data, and a fake scanner is set to run there supposedly to find threats lurking on the computer.

This ends up with alerts about an infection and a prompt to call a toll free number. In total, the researchers collected forty different phone numbers used by the tech support scammers, and they are all given in the shared IoC list.



Indian Banks and Finance Companies Targeted by Multi-Staged JSOutProx RAT Malware

Indian banks and financial institutions are being targeted by a multi-tier JSOutProx RAT that acts in two stages.The malware uses spear-phishing emails...

Mega Deletes 144,000+ User Accounts for Repeated Copyright Infringement

Mega has changed its policies and terminated over 144,000 accounts for repeated copyright infringement violations.The company says flagged data is taken down...

YouTube Creators Targeted With Phishing Scams Based on Cookie Theft Malware

Google discoverd a new Cookie Theft-based phishing scam that targeted channels belonging to YouTube creators.Actors were sending phishing emails and hijacking channels...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari