SlashNext Labs recently discovered a new trend of injecting obfuscated malicious JavaScript code into compromised websites. These compromised websites then redirect visitors to dangerous Tech Support Scams.
The methods used to compromise the site make it difficult for experts to identify the JavaScript injection hack, because its tracks are hidden behind several layers of JavaScript obfuscation. Our researchers found a number of compromised websites with this hack, such as acenespargc[.]com. Visiting this website redirects visitors to a Tech Support scam page.
Obfuscated JavaScript
Looking into the source code of this compromised website, we noticed a suspicious encoded script. The script hides its payload as a list of numbers passed to an eval() call; inside that eval() it uses the JavaScript String.fromCharCode() method to convert the numbers back into characters, which are then embedded into the website, as shown below.
Reverse Obfuscation
Upon decoding the numbers back into characters, we were able to retrieve the content hidden behind them, which contains a link to another website.
In the above image, the URL points to another JS file named “script.js”. Opening this URL in a browser revealed a further suspicious URL.
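As an added example (not SlashNext's code), the following script statically peels the eval(String.fromCharCode(...)) layers described above and lists the URLs they hide, without ever executing the obfuscated script; the sample page, its placeholder domain and all function names are constructed for illustration.

```javascript
// Added example: decode eval(String.fromCharCode(...)) obfuscation statically.
// Matches eval(String.fromCharCode(n, n, ...)) or eval(fromCharCode(...)) and
// captures the comma-separated numeric code list.
const FROMCHARCODE_RE =
  /eval\s*\(\s*(?:String\s*\.\s*)?fromCharCode\s*\(\s*([\d\s,]+)\)\s*\)/gi;

// Turn one captured code list ("60,115,99,...") back into the string it encodes.
function decodeCharCodes(codeList) {
  const codes = codeList.split(",")
    .map(s => parseInt(s.trim(), 10))
    .filter(n => Number.isInteger(n));
  return String.fromCharCode(...codes);
}

// Peel every layer: decode, and if the output is itself another
// eval(fromCharCode(...)) wrapper, decode that too (bounded by maxDepth).
function deobfuscate(source, maxDepth = 10) {
  const layers = [];
  let current = source;
  for (let depth = 0; depth < maxDepth; depth++) {
    const matches = [...current.matchAll(FROMCHARCODE_RE)];
    if (matches.length === 0) break;
    current = matches.map(m => decodeCharCodes(m[1])).join("\n");
    layers.push(current);
  }
  return layers;
}

// Collect distinct http(s) URLs from decoded content for triage/blocklisting.
function extractUrls(text) {
  return [...new Set(text.match(/https?:\/\/[^\s"'<>]+/g) || [])];
}

// Helper used only to build the constructed sample: encode text as a code list.
function toCharCodeCall(text) {
  const codes = Array.from(text, c => c.charCodeAt(0)).join(",");
  return `eval(String.fromCharCode(${codes}))`;
}

// Constructed two-layer sample: the inner payload injects an external script
// from a placeholder domain, and that call is wrapped in a second layer.
const INNER = '<script src="https://example-placeholder.invalid/script.js"></script>';
const SAMPLE_PAGE =
  `<html><body><p>Hi</p><script>${toCharCodeCall(toCharCodeCall(INNER))}</script></body></html>`;

// Returns each decoded layer plus the URLs found in them.
function analyse(page) {
  const layers = deobfuscate(page);
  return { layers, urls: extractUrls(layers.join("\n")) };
}
```

Running analyse(SAMPLE_PAGE) yields two decoded layers, the last being the injected script tag, and a single hidden URL to feed into detection rules.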
Tech Support Phone Scam
When this URL is opened in a browser, it redirects to a scam page. This page plays loud audio (using text to speech) saying your computer is infected with a virus and that you have to call their technical support immediately to remove it. It also tells users not to turn off their computers, or the important information stored on the computer (i.e. financial data, credentials, photos, etc.) could be stolen.
Using these techniques, threat actors are able to hide malicious/phishing/advertising URLs from being seen with the naked eye. This technique has now been adopted by hackers to hide cryptocurrency mining scripts in compromised websites to hijack visitors’ machines. This crypto mining malware allows hijackers to mine digital currency using visitors’ CPU power without their consent.