Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

XSS Vulnerability Exploited in Tech Support Scam

Malwarebytes security researchers have identified a new campaign in which tech support scammers are exploiting a cross-site scripting (XSS) vulnerability and are relying exclusively on links posted on Facebook to reach potential victims.

Malwarebytes security researchers have identified a new campaign in which tech support scammers are exploiting a cross-site scripting (XSS) vulnerability and are relying exclusively on links posted on Facebook to reach potential victims.

The scam starts with malicious bit.ly shortened links that are being distributed on the social media platform, and which ultimately take the intended victims to a browser locker page. According to Malwarebytes, certain games and applications on Facebook appear to be abused for the distribution of these links.

Over a period of three months, the researchers found a total of 50 different bit.ly links that were being used in this campaign. This, they say, suggests that the tech support scammers were regularly changing these links to avoid blacklisting.

The bit.ly URLs would trigger a second stage redirection where a Peruvian news website (rpp[.]pe) containing a cross-site scripting (XSS) vulnerability is abused for an open redirect. The legitimate site has more than 23 million visits per month.

“Besides redirecting users to other sites, an attacker could exploit the XSS to rewrite the current page into anything they like,” Malwarebytes notes.

In this attack, the next step involves code being passed into the URL to load external JavaScript code from the malicious domain buddhosi[.]com. The script was designed to create a redirection to the browser locker landing page.

Initially, the attackers were directly loading decoy cloaking domains designed to check incoming traffic and deliver the malicious content to legitimate victims only. Later on in the campaign, the attackers added exploitation of the open redirect flaw instead.

At the end of the redirection chain, the user is served a browser locker that shows an animation suggesting system files are being scanned, and threatening to delete the hard drive after five minutes.

Advertisement. Scroll to continue reading.

The trick is likely convincing enough that some people do call the toll-free number that is listed on the page. Malwarebytes identified approximately 40 different phone numbers used in the campaign, but notes that the list might be longer.

The researchers say they did not call any of the numbers, but the next step of the tech support scam is well known: the victim is told their computer has been infected and is urged to immediately purchase expensive software or services to clean up their system.

Related: Man Pleads Guilty to Role in $600K Malware Protection Scam

Related: Participant in Phony Tech Support Scheme Pleads Guilty

Related: BEC Losses Surpassed $1.7 Billion in 2019: FBI

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Robert Shaker II has joined application security firm ActiveState as Chief Product and Technology Officer.

MorganFranklin Cyber has promoted Nick Stallone and Ferdinand Hamada into newly created roles.

Jessica Newman has joined Sophos as General Manager of Global Cyber Insurance.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.