Tech Support Scammers Engage in Cross-Site Scripting Tricks

Last updated September 25, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

There’s a new tech support scam campaign going on right now, targeting Facebook users and employing cross-site scripting (XSS) tricks to avoid detection. According to a report by Malwarebytes researchers, crooks are posting links on Facebook instead of relying on malvertizing as usual.

The links are shortened through “bit.ly,” and to help avoid blacklisting issues, the actors are regularly refreshing the redirection URLs. Over three months, they used 50 different links placed inside apps and games so they can stay better hidden and avoid raising any flags.

Those who are tricked and click on the shared links are passed through a second-stage redirection that takes them through a Peruvian news website, “rpp[.]pe.” This site contains a cross-site scripting vulnerability, which is exploited by the scammers to achieve an open redirection. This step is important as it adds legitimacy to the URL that is shared on social media platforms. In this case, the site is very popular, so Facebook wouldn’t flag it as potentially malicious.

Source: Malwarebytes

The next redirection takes victims to buddhosi[.]com, which is a malicious domain. That domain has already been blacklisted, and if your browser is set to block scripts and trackers, it won’t work. Also, if your IP address isn’t in the United States, the site won’t serve you the malicious JS code.

Related: How Scammers are Still Making Millions from Defrauding Facebook Users

The scammers are attempting to run a JavaScript snippet to achieve further redirections to seemingly legitimate tech support sites. Examples of the cloaking domains used during the monitoring period include:

As for the randomly generated browlock domains where victims end up next, these can be anything using the following top-level domains:

Source: Malwarebytes

Malwarebytes logged over 500 domains during their monitoring, so the list of compromise indicators is pretty extensive. In most of these domains, the browser is fingerprinted to display valid data, and a fake scanner is set to run there supposedly to find threats lurking on the computer.

This ends up with alerts about an infection and a prompt to call a toll free number. In total, the researchers collected forty different phone numbers used by the tech support scammers, and they are all given in the shared IoC list.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: