
Cybercriminals manipulate search engine results to redirect users to genuine websites such as Netflix, Microsoft, and Bank of America, while inserting fraudulent support phone numbers into the pages.
The scam abuses the way these sites' internal search handles query parameters, reflecting attacker-supplied text into a real page and tricking users into calling scammers directly from what appear to be authentic brand help pages.
The activity was discovered by Jérôme Segura, Senior Director of Research at Malwarebytes, who found multiple instances of this attack targeting well-known companies including Apple, Facebook, HP, and PayPal. The attackers exploit sponsored ad placements on Google Search, which often appear above legitimate organic results. When users search for customer support for these brands, they may click on a malicious ad that redirects them not to a fake website, but to the actual brand’s support page altered via a manipulated URL.

[Screenshot: Malwarebytes]
This tactic is technically classified as a search parameter injection attack. By appending crafted parameters to a legitimate URL, scammers hijack the website's internal search function so that it reflects their own content (in this case, a fake phone number) into the displayed results. The victim, seeing the correct website address and familiar branding, is unlikely to suspect manipulation.
For example, when a user searches for Netflix support, they may land on the real Netflix Help Center but see a scammer's number displayed prominently as if it were official. The URL still reads "help.netflix.com" and the page layout is unchanged, which increases the perceived legitimacy. Apple's site was particularly effective for this scam: the injected text appeared inside a "no results found" message, so the page itself seemed to suggest that users call the displayed number.

[Screenshot: Malwarebytes]
These brands are all major players in the tech and financial ecosystem, with billions of users collectively. Their websites are often the first destination for users seeking urgent support, especially for locked accounts or payment issues, which makes them high-value targets for social engineering attacks. Bank of America and PayPal are especially high-risk in this context, since attackers who get a victim on the phone aim to gain remote access to the victim's system or extract financial data directly.
To defend against these scams, users should always verify support numbers through official emails, printed documentation, or the company's verified social media profiles. Users should also be wary of search results that immediately present a phone number, especially alongside urgent language like "Call Now" or "Emergency Support," and should scrutinize the URL for odd strings such as encoded characters (%20, %2B) or an appended phone number.
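The URL checks described above, written as an added example (not Malwarebytes' code or tooling): it decodes each query parameter of a URL, including double-encoded values, and flags parameters that carry a toll-free-style phone number or support-scam urgency language. The sample URLs, the `example-brand.test` host and the 555 phone numbers are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Toll-free-style numbers (800/833/844/855/866/877/888) as they appear in support scams.
PHONE_RE = re.compile(
    r"(?:\+?1[\s.-]?)?\(?8(?:00|33|44|55|66|77|88)\)?[\s.-]?\d{3}[\s.-]?\d{4}"
)
# Urgency phrases typical of injected "support" text.
URGENCY_RE = re.compile(r"\b(call now|emergency|urgent|24/7|helpline|toll[- ]free)\b", re.I)


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (%2B, %2520, ...) so the injected text is visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_url(url):
    """Return the host plus any query parameters that look like injected scam content."""
    parts = urlsplit(url)
    findings = []
    # parse_qsl decodes one layer; decode_fully handles anything encoded twice.
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        text = decode_fully(raw)
        phones = PHONE_RE.findall(text)
        urgency = [u.lower() for u in URGENCY_RE.findall(text)]
        if phones or urgency:
            findings.append({"param": key, "phones": phones, "urgency": urgency, "value": text})
    return {"host": parts.hostname, "suspicious": bool(findings), "findings": findings}


# Constructed sample URLs: an injected number, a benign search, and a double-encoded injection.
SAMPLE_URLS = [
    "https://help.example-brand.test/search?q=Netflix%20support%20Call%20Now%20%2B1%20(800)%20555-0199",
    "https://help.example-brand.test/search?q=reset%20password",
    "https://help.example-brand.test/search?q=Emergency%2520Support%25201-855-555-0123",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(analyse_url(sample))
```

The same check can be run over web-proxy or ad-click logs to surface legitimate help-centre URLs that arrive with a phone number already embedded in the search parameter.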