Today, I received a message from an unknown number claiming there was a $168.12 charge on my Apple Pay account. It said I should call the given number if I didn't authorize the transaction.
I knew it was a scam, but for my own entertainment, I decided to call them.
After some back and forth, they asked me to join a remote control session using Zoho Assist. I clicked the link they sent and pretended to follow along.
I kept pretending the page was loading. While keeping them engaged, I decided to report to Zoho about scammers abusing their product.
Zoho has a large “Report Abuse” CTA on the page, so I guess they are aware of this issue.
I filled out the form with the given session ID. It turns out there's a bug in their frontend code that prevents submitting the form.
Frustrated, I opened up inspect element and found the following event handlers:
```javascript
window.addEventListener("DOMContentLoaded", () => {
  reportOnload();
  // Every listener below is an arrow function, so `this` is inherited from the
  // enclosing scope rather than bound to the element; `this.form` is the bug.
  document.getElementById("name")?.addEventListener("keyup", () => {
    submitCont(this.form, false, 'name')
  });
  document.getElementById("phone")?.addEventListener("keyup", () => {
    submitCont(this.form, false, 'phone')
  });
  document.getElementById("Email")?.addEventListener("keyup", () => {
    submitCont(this.form, false, 'email')
  });
  document.getElementById("sessionCode")?.addEventListener("keyup", () => {
    submitCont(this.form, false, '')
  });
  document.getElementById("abuse_desc")?.addEventListener("keyup", () => {
    submitCont(this.form, false, 'abuse')
  });
  document.getElementById("report_btn")?.addEventListener("click", () => {
    submitCont(this.form, true, '')
  });
});
```
They were using arrow functions with an incorrect reference to `this`. Since arrow functions do not bind their own `this`, `this.form` is undefined in these callbacks.
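As an added example (not the page's code, and not Zoho's), the same wiring reproduced in Node with a constructed stand-in for the DOM, beside two correct forms of the handler; `FakeInput`, `submitCont`, `demo` and the `abuseForm` id are assumptions for illustration.

```javascript
// Minimal DOM stand-in so the handler bug can be reproduced outside a browser.
class FakeInput {
  constructor(form) {
    this.form = form;        // a real <input> exposes its parent <form> as .form
    this.listeners = {};
  }
  addEventListener(type, handler) { this.listeners[type] = handler; }
  // Browsers invoke a listener with `this` and event.currentTarget set to the element.
  fire(type) {
    const event = { currentTarget: this, target: this };
    return this.listeners[type].call(this, event);
  }
}

// Stand-in for the page's submitCont(): return its arguments so a caller can
// see which form reference actually arrived.
function submitCont(form, submit, field) {
  return { form, submit, field };
}

// Buggy wiring, as on the page: the arrow function takes `this` from the
// enclosing scope. In a classic browser script that is window, so
// `this.form` is window.form, not the input's form.
function wireBuggy(input) {
  input.addEventListener("keyup", () => submitCont(this.form, false, "name"));
}

// Fix 1: an arrow function can still reach the element via event.currentTarget,
// which the browser sets to the element the listener was attached to.
function wireFixed(input) {
  input.addEventListener("keyup", (event) =>
    submitCont(event.currentTarget.form, false, "name"));
}

// Fix 2: a classic function expression gets `this` bound to the element.
function wireFixedWithThis(input) {
  input.addEventListener("keyup", function () {
    return submitCont(this.form, false, "name");
  });
}

// Simulate a keyup on an input inside a constructed form and return the form
// that submitCont() received. `pageScope` plays the role of window.
function demo(wire, pageScope = {}) {
  const form = { id: "abuseForm" };   // constructed stand-in for the <form>
  const input = new FakeInput(form);
  wire.call(pageScope, input);
  return input.fire("keyup").form;
}

console.log(demo(wireBuggy));             // undefined
console.log(demo(wireFixed).id);          // "abuseForm"
console.log(demo(wireFixedWithThis).id);  // "abuseForm"
```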
I found the expected payload for the form and submitted the request via curl.
They didn't have any captcha or CSRF token. I emailed their team about the issue.
Who knew a playful call with scammers would lead to a debugging session.