After decoding the numbers back into characters, we were able to retrieve the content hidden behind them, which contains a link to another website.
In the above image, the URL points to another JS file named “script.js”. When we opened this URL in a browser, we found a suspicious URL.
Tech Support Phone Scam
When this URL is opened in a browser, it redirects to a scam page. The page plays loud audio (using text to speech) saying that your computer is infected with a virus and that you have to call their technical support immediately to have the virus removed. It also tells users not to turn off their computers, or the important information stored on them (i.e. financial data, credentials, photos, etc.) can be stolen.
Using these techniques, threat actors are able to hide malicious, phishing and advertising URLs from the naked eye. This technique has now been adopted by hackers to hide cryptocurrency mining scripts in compromised websites and hijack visitors’ machines. This crypto mining malware allows hijackers to mine digital currency using visitors’ CPU power without their consent.
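The decoding step described above can be done statically when reviewing a site's scripts, without executing them. The following is an added example, not code from the original post: it assumes the hidden content is stored as comma-separated decimal character codes, and the sample input and the `example.invalid` host are constructed.

```javascript
// Added example: find runs of character codes in script source, decode them
// statically (nothing is evaluated or fetched) and report any URLs they hide.

// A run of 8 or more comma-separated 1-3 digit decimal numbers.
const CODE_RUN = /\b\d{1,3}(?:\s*,\s*\d{1,3}){7,}\b/g;
const URL_RE = /https?:\/\/[^\s"'<>)]+/gi;

// Decode one run; return null unless every code is printable ASCII
// (or tab/newline/carriage return), which filters out ordinary number lists.
function decodeRun(run) {
  const codes = run.split(',').map((n) => Number(n.trim()));
  const printable = (c) => c === 9 || c === 10 || c === 13 || (c >= 32 && c <= 126);
  return codes.every(printable) ? String.fromCharCode(...codes) : null;
}

// Return one finding per numeric run whose decoded text contains a URL.
function findHiddenUrls(source) {
  const findings = [];
  for (const m of source.matchAll(CODE_RUN)) {
    const decoded = decodeRun(m[0]);
    if (decoded === null) continue;
    const urls = decoded.match(URL_RE) || [];
    if (urls.length > 0) findings.push({ offset: m.index, decoded, urls });
  }
  return findings;
}

// Constructed sample: a script tag encoded as character codes, next to a
// harmless numeric array that must not be reported.
const SAMPLE_PAYLOAD = '<script src="https://cdn.example.invalid/script.js"></script>';
const SAMPLE_CODES = Array.from(SAMPLE_PAYLOAD, (ch) => ch.charCodeAt(0)).join(',');
const SAMPLE_SOURCE =
  'var sizes=[1,2,3,4,5,6,7,8,9,10];\n' +
  'document.write(String.fromCharCode(' + SAMPLE_CODES + '));';

for (const f of findHiddenUrls(SAMPLE_SOURCE)) {
  console.log(`offset ${f.offset}: ${f.urls.join(', ')}`);
}
```

Each finding also carries the full decoded string, so the reviewer can see what markup or script the numbers would have produced around the URL.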