Researchers at Malwarebytes have documented a browser locker campaign, where the attackers are exploiting an XSS bug of a famous news site. It’s noted that the malicious links were masked with link shorteners and spread via Facebook. They’re said to be using the open redirects to navigate users to a fake website, which eventually urges the user to call a number and asks for payment.
Browser Locker Campaign Using Open Redirects
Browser locker campaigns are usually a scam plan, which redirects users to a compromised website that fake scans the user’s computer and warns him of a threat like being infected with a virus or malware. And to remove this, they’re asked to contact number or email for “tech-support” like help.
While there’s nothing actually, vulnerable users fall for the trap and end up paying money to fraudsters for no reason. Malwarebytes researchers have tracked one such campaign recently, where the threat actors are using Facebook (within games apps) primary platform to spread their malicious URLs (redirection links).
These links, when tapped, will take the user to a news website called RPP, which has an XSS bug to be exploited. Threat actors here have masked their links with bit.ly and used over 50 such links to avoid being blacklisted. The RPP news site is popular enough with 23 million visits a month, and was informed by the researcher about this campaign, but haven’t responded yet.
The open redirect issue here will redirect the user to an external webpage, without validating it. The attacker here can modify the URL’s parameter values, and inject a JavaScript code from the attacker’s website called buddhosi[.]com. This ables them to redirect to a “browlock landing page by using the replace() method,” where it searches a string for a specified value and shows up a new string where specified values are replaced.
After landing him on the fake (browser locker) page, they do a fake scan of the user’s computer hard drive, and after a while, calls to delete the system files. And to avoid that from happening, they ask them to call a toll-free number for tech-support assistance. Researchers have noted 40 different phone numbers, which are fake as their websites, and ask for money to help.
While the scans are fake, they urge users to pay upfront to avoid deleting their files. Vulnerable users fall for the attack since they’re driven by the panic caused by the attacker’s fake results on their website. A simple thing to consider here is to be suspicious about links being shared on social media, or any other public platforms.
