I Tried to Troll a Scammer, But Ended Up Debugging Zoho Assist

Today, I received a message from an unknown number claiming there was a $168.12 charge on my Apple Pay account. It said I should call the given number if I didn't authorize the transaction.

I knew it was a scam, but for my own entertainment, I decided to call them.

After some back and forth, they asked me to join a remote control session using Zoho Assist. I clicked the link they sent and pretended to follow along.

I kept pretending the page was loading. While keeping them engaged, I decided to report to Zoho about scammers abusing their product.

Zoho has a large “Report Abuse” CTA on the page, so I guess they are aware of this issue.

I filled out the form with the given session ID. It turns out there's a bug in their frontend code that prevents submitting the form.

Frustrated, I opened up inspect element and found the following event handlers:

window.addEventListener("DOMContentLoaded", () => {
    reportOnload();
    document.getElementById("name")?.addEventListener("keyup", () => {
        submitCont(this.form, false, 'name')
    });
 
    document.getElementById("phone")?.addEventListener("keyup", () => {
        submitCont(this.form, false, 'phone')
    });
 
    document.getElementById("Email")?.addEventListener("keyup", () => {
        submitCont(this.form, false, 'email')
    });
 
    document.getElementById("sessionCode")?.addEventListener("keyup", () => {
        submitCont(this.form, false, '')
    });
 
    document.getElementById("abuse_desc")?.addEventListener("keyup", () => {
        submitCont(this.form, false, 'abuse')
    });
 
    document.getElementById("report_btn")?.addEventListener("click", () => {
        submitCont(this.form, true, '')
    });
});

They were using arrow functions with an incorrect reference to this. Since arrow functions do not bind their own this, this.form is undefined in these callbacks.
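To show the bug and its fix side by side, here is an added example that is not from the Zoho page: a constructed FakeElement stands in for DOM elements, a recorder stands in for the real submitCont, and the buggy wiring is called with an empty object standing in for the browser's window, which is what the arrow functions' this resolves to. The wireFixed variant reads the element from event.currentTarget (or from this in a regular function), so .form resolves to the form element.

```javascript
// Constructed stand-in for a DOM element so the handlers can run in Node.
// Like the DOM, it calls listeners with `this` bound to the element and
// exposes the element as event.currentTarget.
class FakeElement {
  constructor(id, form) { this.id = id; this.form = form; this.listeners = {}; }
  addEventListener(type, fn) {
    (this.listeners[type] || (this.listeners[type] = [])).push(fn);
  }
  dispatch(type) {
    const event = { type, currentTarget: this };
    for (const fn of this.listeners[type] || []) fn.call(this, event);
  }
}

// Records every (form, isSubmit, field) triple handed to submitCont.
function makeRecorder() {
  const calls = [];
  return { calls, submitCont: (form, isSubmit, field) => calls.push({ form, isSubmit, field }) };
}

// Builds the abuse-report form with the field ids seen on the page.
function buildReportForm() {
  const form = { id: "abuseForm" }; // constructed placeholder for the <form>
  const fields = {};
  for (const id of ["name", "phone", "Email", "sessionCode", "abuse_desc", "report_btn"]) {
    fields[id] = new FakeElement(id, form);
  }
  return { form, fields };
}

// Buggy wiring, as on the page: arrow functions inherit `this` from the
// enclosing scope (the window in a browser), so this.form is undefined.
function wireBuggy(fields, submitCont) {
  fields.name.addEventListener("keyup", () => submitCont(this.form, false, "name"));
  fields.report_btn.addEventListener("click", () => submitCont(this.form, true, ""));
}

// Fixed wiring: take the element from event.currentTarget, or use a regular
// function, whose `this` is the element the listener is attached to.
function wireFixed(fields, submitCont) {
  fields.name.addEventListener("keyup", (e) => submitCont(e.currentTarget.form, false, "name"));
  fields.report_btn.addEventListener("click", function () { submitCont(this.form, true, ""); });
}

// Runs one wiring against a fresh form; `{}` plays the role of window.
function demo(wire) {
  const { form, fields } = buildReportForm();
  const rec = makeRecorder();
  wire.call({}, fields, rec.submitCont);
  fields.name.dispatch("keyup");
  fields.report_btn.dispatch("click");
  return { form, calls: rec.calls };
}
```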

I found the expected payload for the form and submitted the request via curl.

They didn't have any captcha or CSRF token. I emailed their team about the issue.

Who knew a playful call with scammers would lead to a debugging session.