Scammers hijack websites of Bank of America, Netflix, Microsoft, and more to insert fake phone number

Scammers are abusing sponsored search results, displaying their scammy phone number on legitimate brand websites.

Jun 18, 2025 - 11:10

The examples in this post are actual fraud attempts found by Malwarebytes Senior Director of Research, Jérôme Segura.

Cybercriminals frequently use fake search engine listings to take advantage of our trust in popular brands, and then scam us. It often starts, as with so many attacks, with a sponsored search result on Google.

In the latest example of this type of scam, we found tech support scammers hijacking the results of people looking for 24/7 support for Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal.

sponsored search result for Netflix

Here’s how it works: Cybercriminals pay for a sponsored ad on Google pretending to be a major brand. Often, this ad leads people to a fake website. However, in the cases we recently found, the visitor is taken to the legitimate site with a small difference.

Visitors are taken to the help/support section of the brand’s website, but instead of the genuine phone number, the hijackers display their scammy number instead.

The browser address bar shows the legitimate site’s address, so there’s no reason for suspicion. However, the information the visitor sees is misleading, because the search results have been poisoned to display the scammer’s number prominently in what looks like an official search result.

Once the number is called, the scammers will pose as the brand with the aim of getting their victim to hand over personal data or card details, or even allow remote access to their computer. In the case of Bank of America or PayPal, the scammers want access to their victim’s financial account so they can empty it of money.

A technically more correct name for this type of attack would be a search parameter injection attack, because the scammer has crafted a malicious URL that embeds their own fake phone number into the genuine site’s legitimate search functionality.

See the below example on Netflix:

Netflix Help Center with scammer's number

These tactics are very effective because:

  • Users see the legitimate Netflix URL in their address bar
  • The page layout looks authentic (again, because it is the real Netflix site)
  • The fake number appears in what looks like a search result, making it seem official.

This can happen because Netflix’s search functionality reflects whatever is in the search query parameter back into the page without proper sanitization or validation. This creates a reflected input vulnerability that scammers can exploit.
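To make the reflection concrete, here is an added example (not Netflix’s or any vendor’s code) showing the weak “No results for …” pattern next to a hardened version that escapes, truncates and refuses to echo search terms that look like a planted contact number. The patterns and limits are constructed assumptions.

```python
"""Reflected search-term rendering: the weak pattern beside a hardened one.
Added example; not the code of any site named in the post."""
import html
import re

# Constructed patterns for the kind of text scammers plant in a search box.
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
URGENCY_RE = re.compile(
    r"\b(call now|emergency support|account suspended|helpline|toll[- ]free)\b",
    re.I,
)
MAX_ECHO_LEN = 64  # assumed cap on how much of a query is worth echoing


def render_no_results_vulnerable(query: str) -> str:
    """The weak pattern: whatever arrived in the query parameter is shown back
    to the visitor as if the site itself had written it."""
    return f"<p>No results for {query}</p>"


def looks_injected(query: str) -> bool:
    """True when the term looks like a planted phone number or support pitch
    rather than something a person would search a help centre for."""
    return bool(PHONE_RE.search(query) or URGENCY_RE.search(query))


def render_no_results_hardened(query: str) -> str:
    """Escape the term, cap its length, and never echo a term that looks like
    an injected contact number; the visitor still gets a useful page."""
    if looks_injected(query) or len(query) > MAX_ECHO_LEN:
        return "<p>No results found. Contact details are on the Contact page.</p>"
    return f"<p>No results for {html.escape(query)}</p>"
```

Escaping alone stops script injection but still lets a phone number appear on the page under the brand’s header; refusing to echo suspicious terms is what removes the lure.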

Fortunately, Malwarebytes Browser Guard caught this and shows a warning about “Search Hijacking Detected,” and explains that unauthorized changes were made to search results with an overlaid phone number.

But Netflix is just one example. As we mentioned earlier, we found other brands, such as PayPal, Apple, Microsoft, Facebook, Bank of America, and HP, being abused in the same way by scammers.

HP Customer Service page with scammer's phone number

The HP example is a bit easier to identify as suspicious, as it says “4 Results for” in front of the scammer’s text. But even then, if you’re on a genuine website you expect to see a genuine number, right?

Interestingly, Apple is the one where we found the scammer’s number was the hardest to identify as false.

Apple Support page with scammer's phone number

This looks as if the web page is telling the visitor there are no matches for their search, so they’d better call the number on display. That would drive them straight into the arms of scammers.

How to stay safe from tech support scams

As demonstrated in these cases, Malwarebytes Browser Guard is a great defense mechanism against this kind of scam, and it is free to use.

There are also some other red flags to keep an eye out for:

  • A phone number in the URL
  • Suspicious search terms like “Call Now” or “Emergency Support” in the address bar of the browser
  • Lots of encoded characters like the %20 (space) and %2B (+ sign) along with phone numbers
  • The website showing a search result before you entered one
  • The urgent language (Call Now, Account suspended, Emergency support) displayed on the website
  • An in-browser warning for known scams (don’t ignore this).
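The URL-based red flags above can be checked mechanically. The following is an added example (not Malwarebytes Browser Guard’s logic) that decodes a URL’s query string and reports which of those flags are present; the sample URLs and keyword list are constructed.

```python
"""Report the post's URL red flags for a given link. Added example, not
Browser Guard's detection logic; sample URLs below are constructed."""
import re
from urllib.parse import parse_qsl, urlparse

PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
URGENCY_RE = re.compile(
    r"\b(call now|emergency support|account suspended|helpline|toll[- ]free)\b",
    re.I,
)


def red_flags(url: str) -> list[str]:
    """Return the red flags found in the URL's query string (empty = none)."""
    raw_query = urlparse(url).query
    # Decode once so %20 and %2B become the space and plus sign a visitor sees.
    values = " ".join(v for _, v in parse_qsl(raw_query, keep_blank_values=True))
    flags = []
    if PHONE_RE.search(values):
        flags.append("phone number in URL")
        # Encoded spaces or plus signs next to a phone number, as the post notes.
        if "%20" in raw_query or "%2B" in raw_query.upper():
            flags.append("encoded characters around a phone number")
    if URGENCY_RE.search(values):
        flags.append("urgent support wording in URL")
    return flags


# Constructed samples: a poisoned-looking help-centre link and a benign one.
SCAM_LIKE = "https://help.example.com/search?q=Call%20Now%20%2B1%20800%20555%200199"
BENIGN = "https://help.example.com/search?q=reset%20password"
```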

And before you call any brand’s support number, look up the official number in previous communications you’ve had with the company (such as an email, or on social media) and compare it to the one you found in the search results. If they are different, investigate until you’re sure which one is the legitimate one.

If, during the call, you are asked for personal information or banking details that have nothing to do with the matter you’re calling about, hang up.
