Facebook, News and XSS Underpin Complex Browser Locker Attack


An elaborate set of redirections and hundreds of URLs make up a wide-ranging tech-support scam.

A sophisticated “browser locker” campaign is spreading via Facebook, ultimately pushing a tech-support scam. The effort is more advanced than most, because it involves exploiting a cross-site scripting (XSS) vulnerability on a popular news site, researchers said.

Browser lockers are a type of redirection attack where web surfers will click on a site, only to be sent to a page warning them that their computer is infected with “a virus” or malware. The page then typically urges targets to call a number on the screen for “tech-support help.” If they fall for it, they’re connected to a call center where they’re asked to pay a fee to “clean” their machines.

In a recent, widespread campaign, cyberattackers are using Facebook to distribute malicious links that ultimately redirect to a browser locker page, according to researchers. The links may be propagated through Facebook games, researchers at Malwarebytes noted in a post outlining its findings on Wednesday.

“The campaign we looked at appears to exclusively use links posted on Facebook, which is fairly unusual considering that traditionally tech-support scams are spread via malvertising,” said Malwarebytes researcher Jérôme Segura.

Facebook issues a pop-up to users, asking them to confirm the redirection – but the destination is obscured by the fact that the link is a bit.ly shortened URL, he added.

Overall, the firm discovered 50 different bit.ly links being used for the scam over a three-month period, “suggesting that there is regular rotation to avoid blacklisting,” Segura said.

XSS Vulnerability

The bit.ly URLs redirect to a Peruvian website called RPP, which is “perfectly legitimate and draws over 23 million visits a month,” Segura said. He added that he reported this issue to Grupo RPP but had not heard back at the time of publication.

He found that the site contains an XSS bug that allows for an open redirect. An open redirect occurs when a parameter value in an HTTP GET request (the portion of the URL after the “?”) is used to send the user to a new website without any validation that the destination is intended or legitimate. An attacker can manipulate that parameter to send a victim to a fake page, while the redirect appears to be a legitimate action by the website.
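
The validation that an open redirect lacks, shown as an added example; it is not code from RPP, Malwarebytes or the original article. The origin, the host allowlist, the `next` parameter name and the sample URLs are assumptions made up for illustration.

```javascript
// Added example: choosing the Location target for a "?next=" style redirect.
// SITE_ORIGIN, ALLOWED_HOSTS and the "next" parameter name are assumptions.
const SITE_ORIGIN = "https://news.example";
const ALLOWED_HOSTS = new Set(["news.example", "video.news.example"]);
const FALLBACK = "/";

// Open redirect: the parameter value is returned without any validation.
function unsafeRedirectTarget(requestUrl) {
  return new URL(requestUrl, SITE_ORIGIN).searchParams.get("next") || FALLBACK;
}

// Hardened: resolve the value the way a browser would, then allow only
// https URLs on allowlisted hosts, with no embedded credentials.
function safeRedirectTarget(requestUrl) {
  const raw = new URL(requestUrl, SITE_ORIGIN).searchParams.get("next");
  if (!raw) return FALLBACK;
  // Backslashes and control characters are normalised by URL parsers in
  // ways that can turn what looks like a path into a host; reject them.
  if (/[\u0000-\u001f\\]/.test(raw)) return FALLBACK;
  let target;
  try {
    target = new URL(raw, SITE_ORIGIN); // relative paths stay on SITE_ORIGIN
  } catch {
    return FALLBACK;
  }
  if (target.protocol !== "https:") return FALLBACK;
  if (target.username || target.password) return FALLBACK;
  if (!ALLOWED_HOSTS.has(target.hostname)) return FALLBACK;
  return target.href;
}

// Constructed sample requests (not taken from the campaign).
const SAMPLES = [
  "/go?next=/sports/today",
  "/go?next=https://video.news.example/clip/1",
  "/go?next=https://landing.example/alert",
  "/go?next=//landing.example/alert",
  "/go?next=https://news.example@landing.example/",
  "/go?next=javascript:void(0)",
];
for (const s of SAMPLES) {
  console.log(s, "->", safeRedirectTarget(s));
}
```

Only the first two samples keep their destination; every other value falls back to the site's own home page instead of leaving the origin.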

Figure: The redirection flow of the campaign. Source: Malwarebytes.

“Threat actors love to abuse open redirects as it gives some legitimacy to the URL they send victims,” according to researchers.

In this case, the threat actors are using the XSS bug to load external JavaScript code from buddhosi[.]com, a malicious domain controlled by the attackers, which substitutes code in the URL to create a redirect.

“The JavaScript in turn creates the redirection to the browlock landing page by using the replace() method,” according to the analysis. The replace() method searches a string for a specified value, and returns a new string where the specified values are replaced.

Besides redirecting users to other sites, an attacker could exploit the XSS to rewrite the current page into anything they like, Segura noted.

In any event, the final browser-locker landing page is hosted on one of around 500 “disposable” and randomly named domains that use a variety of new-ish top-level domains (such as .casa; .site; .space; .club; .icu; or .bar).

Browser Locker

Once the user lands on the browser-locker page, it fingerprints the user’s browser to display a context-appropriate message.

“It shows an animation mimicking a scan of current system files and threatens to delete the hard drive after five minutes,” Segura noted. “Of course this is all fake, but it’s convincing enough that some people will call the toll-free number for assistance.”

The phone numbers, like the pages themselves, are also voluminous. Malwarebytes found almost 40 different phone numbers, and noted that there are likely many more.

In all, the chain of events is complicated and wide-ranging enough to help the threat actors avoid being shut down. The Facebook angle is also savvy, Segura said.

As always, the best defense against these types of scams is simple awareness.

As a starting point, “links posted onto social-media platforms should always be scrutinized as they are a commonly abused way for scammers and malware authors to redirect users onto undesirable content,” he noted.
