A sophisticated scam targeting users of major American companies, where criminals exploit Google’s advertising system to inject fake customer service phone numbers into legitimate corporate websites.
The scheme affects millions of users seeking support from trusted brands including Netflix, Microsoft, Apple, Bank of America, Facebook, HP, and PayPal.
Malwarebytes Senior Director of Research Jérôme Segura discovered the fraud operation, which begins with sponsored search results on Google.
Scammers purchase legitimate-looking advertisements that appear when users search for customer support for major brands.
However, instead of directing victims to completely fake websites, the criminals employ a more sophisticated approach that makes detection significantly more difficult.
The fraudulent ads redirect users to genuine company websites, specifically to help and support sections, but with a critical manipulation.
The browser’s address bar displays the correct company URL, creating an authentic appearance that eliminates immediate suspicion.
This technique proves particularly effective because users naturally trust official company domains and expect to find legitimate contact information on these platforms.
When victims call the displayed numbers, scammers impersonate company representatives to extract personal information, financial details, or gain remote computer access.
For financial institutions like Bank of America and PayPal, the ultimate goal involves accessing and draining victim bank accounts.
Fake Numbers into Legitimate Websites
The attack methodology, technically classified as a search parameter injection attack, exploits vulnerabilities in website search functionality.
Criminals craft malicious URLs containing fake phone numbers that become embedded within legitimate site search results.
The target websites fail to properly sanitize or validate search query parameters, creating reflected input vulnerabilities that scammers systematically exploit.
Netflix exemplifies this technique’s effectiveness. The genuine Netflix Help Center displays the criminal’s phone number prominently in what appears to be an official search result.
Users see authentic page layouts and legitimate URLs, making the deception nearly undetectable without specialized security tools.
Apple’s implementation proves particularly deceptive, displaying messages suggesting no search matches exist while prominently featuring the scammer’s contact number.
HP’s version shows “4 Results for” preceding the fraudulent information, though many users still interpret this as legitimate customer service data.
Browser Protection and Vigilance
Malwarebytes Browser Guard successfully identifies these attacks, displaying “Search Hijacking Detected” warnings when unauthorized modifications appear in search results.
The free security tool provides an effective defense mechanism against this emerging threat category.
Security professionals recommend several protective measures for consumers. Users should verify phone numbers through previous company communications, such as emails or official social media accounts, before making support calls.
Suspicious indicators include phone numbers embedded in URLs, urgent language like “Call Now” or “Emergency Support,” encoded characters in web addresses, and unexpected search results appearing without user input.
Additionally, legitimate customer service representatives should never request personal banking information unrelated to specific support issues.
Users encountering such requests should immediately terminate calls and contact companies through verified official channels.
This discovery highlights the evolving sophistication of cybercriminal operations, demonstrating how attackers exploit user trust in established brands and technical vulnerabilities in website infrastructure to execute large-scale fraud campaigns.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
.webp?w=356&resize=356,220&ssl=1 "Microsoft Teams Blocking Users from Accessing Embedded Office Documents")
