Tech Support Scammers Exploit Brand Trust: The Latest Hijacking Tactic

Discover how scammers are manipulating search engines and legitimate websites to insert fake phone numbers, targeting unsuspecting users seeking support from major brands.

TL;DR

Cybercriminals are exploiting trust in major brands by hijacking search engine results to insert fake phone numbers on legitimate support pages. This tactic, known as search parameter injection, misleads users into contacting scammers posing as official support.

Main Content

The examples in this post are actual fraud attempts discovered by Malwarebytes Senior Director of Research, Jérôme Segura.

Cybercriminals frequently exploit our trust in popular brands through fake search engine listings, initiating scams that often begin with sponsored search results on platforms like Google. In the latest iteration of this tactic, tech support scammers have been found hijacking search results for users seeking 24/7 support from major brands such as Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal.

sponsored search result for Netflix

Here’s how the scam operates: scammers pay for sponsored ads on Google that mimic major brands. Typically these ads lead to fake websites, but in the recent cases users are sent to the brand’s legitimate website with a subtle twist: the support phone number shown on the page is the scammer’s.

Users land on the genuine help/support section of the brand’s website, but the phone number displayed is the scammer’s. The browser address bar shows the legitimate site, so there is no immediate cause for suspicion. The information is misleading because the site’s own search feature has been fed the scammer’s number through the link, and the page displays that text prominently as if it were a search result, making it appear official.

Once the fake number is called, scammers pose as brand representatives, aiming to extract personal data, card details, or gain remote access to the victim’s computer. For financial institutions like Bank of America or PayPal, the goal is to access and empty the victim’s financial accounts.

This type of attack is technically known as a search parameter injection attack. Scammers craft malicious URLs that place their fake phone number in the genuine site’s search query parameter; the site then reflects that input back onto the page, a reflected-input vulnerability.

See the example below on Netflix:

Netflix Help Center with scammer's number

These tactics are effective because:

  • Users see the legitimate Netflix URL in their address bar.
  • The page layout looks authentic, as it is the real Netflix site.
  • The fake number appears in what looks like a search result, making it seem official.

This vulnerability arises because Netflix’s search functionality reflects user input without proper sanitization or validation, allowing scammers to exploit it.
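To show why the usual output-encoding fix is not enough here, this added example (not code from Netflix or any brand’s site) models a help-center results heading that reflects the `?q=` parameter, beside a hardened version; the function names, the phone-number pattern and the `from_site_form` flag are assumptions.

```python
import html
import re

# Added example, not code from Netflix or any brand's site: a minimal model of a
# help-center search page that reflects the ?q= parameter, beside a hardened version.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def reflected_heading(query: str) -> str:
    """Vulnerable pattern: whatever arrives in ?q= is echoed into the results heading.
    HTML-escaping blocks script injection but not this scam: the injected text is
    plain prose plus a phone number, and it renders exactly as the scammer intended."""
    return f"No matches for '{html.escape(query)}'"


def hardened_heading(query: str, from_site_form: bool) -> str:
    """Hardened pattern: echo a query only when the visitor submitted it through the
    site's own search form (from_site_form is assumed to come from a form token or a
    POST, not from the spoofable Referer header), and never echo text that carries a
    phone number."""
    if not from_site_form:
        # Deep link (e.g. a sponsored ad) landed directly on a results URL: still run
        # the search, but do not repeat the link's query text back as site content.
        return "Search the Help Center"
    if PHONE_RE.search(query):
        # Contact details must never appear inside site-branded text.
        return "No matches found"
    return f"No matches for '{html.escape(query[:80])}'"


if __name__ == "__main__":
    # Constructed query, as a scammer's link would carry it.
    injected = "Call Now +1 800 555 0199"
    print(reflected_heading(injected))
    print(hardened_heading(injected, from_site_form=False))
    print(hardened_heading("cancel subscription", from_site_form=True))
```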

Fortunately, Malwarebytes Browser Guard detects this and warns users about “Search Hijacking Detected,” explaining that unauthorized changes were made to search results with an overlaid phone number.

Netflix is just one example. Other brands like PayPal, Apple, Microsoft, Facebook, Bank of America, and HP have also been targeted similarly by scammers.

HP Customer Service page with scammer's phone number

The HP example is slightly easier to identify as suspicious, as it displays “4 Results for” followed by the scammer’s text. However, users expect genuine numbers on legitimate websites, making the deception convincing.

Interestingly, Apple’s scam was the hardest to identify as fake.

Apple Support page with scammer's phone number

The web page appears to inform the visitor that there are no matches for their search, encouraging them to call the displayed number, which leads directly to the scammers.

How to Stay Safe from Tech Support Scams

Malwarebytes Browser Guard is an effective defense against such scams and is free to use.

Additionally, be vigilant for these red flags:

  • A phone number in the URL.
  • Suspicious search terms like “Call Now” or “Emergency Support” in the browser’s address bar.
  • Excessive encoded characters (e.g., %20 for space, %2B for plus sign) alongside phone numbers.
  • The website displaying a search result before any input.
  • Urgent language (e.g., “Call Now,” “Account suspended,” “Emergency support”) on the website.
  • In-browser warnings for known scams (do not ignore these).
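As an added example (not part of the original post and not Browser Guard’s logic), the following checker applies the red flags above to a support-page URL; the regex, the term list, the parameter names and the thresholds are constructed heuristics, and the sample links use a fictional domain.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed heuristics for the red flags above (example code, not Browser Guard's logic).
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URGENCY_TERMS = ("call now", "emergency support", "account suspended", "helpline")
SEARCH_PARAMS = {"q", "query", "search", "keyword", "term"}


def support_url_red_flags(url: str) -> list[str]:
    """Return the red flags a support-page URL raises (empty list means none)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # Text the site may reflect: the decoded path plus every decoded query value.
    reflected = " ".join([unquote(parts.path)] + [v for _, v in pairs]).lower()
    flags = []
    if PHONE_RE.search(reflected):
        flags.append("phone number in the URL")
    for term in URGENCY_TERMS:
        if term in reflected:
            flags.append(f"urgency term in the URL: {term!r}")
    # Excessive %XX escapes relative to the decoded query (thresholds are assumptions).
    escapes = parts.query.count("%")
    if escapes >= 4 and escapes / max(len(unquote(parts.query)), 1) > 0.15:
        flags.append(f"heavy percent-encoding ({escapes} escapes)")
    # A results page reached with the query already filled in by the link itself.
    if any(k.lower() in SEARCH_PARAMS and v for k, v in pairs):
        flags.append("search query pre-filled by the link")
    return flags


def is_likely_hijacked(url: str) -> bool:
    """Strong signals only: a phone number or urgency wording carried in the URL.
    Encoding and a pre-filled query are supporting signals seen on benign links too."""
    flags = support_url_red_flags(url)
    return any(f.startswith(("phone number", "urgency term")) for f in flags)


if __name__ == "__main__":
    # Constructed sample links on a fictional domain; the second is an ordinary help search.
    for link in (
        "https://help.example-brand.test/search?q=Call%20Now%20%2B1%20800%20555%200199",
        "https://help.example-brand.test/search?q=how%20to%20cancel",
    ):
        print(link, "->", support_url_red_flags(link), is_likely_hijacked(link))
```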

Before calling any brand’s support number, verify it by comparing it with official numbers found in previous communications (e.g., emails or social media). If discrepancies exist, investigate thoroughly to confirm the legitimate number.

During the call, if asked for unrelated personal information or banking details, hang up immediately.

For more details, visit the full article: source

Conclusion

Cybercriminals continue to evolve their tactics, exploiting vulnerabilities in search engines and legitimate websites to deceive users. Staying vigilant and using tools like Malwarebytes Browser Guard can help protect against these sophisticated scams.


This post is licensed under CC BY 4.0 by the author.