Tech support scammers are leveraging an unsophisticated but efficient method to trick unsuspecting users into calling them, by ‘hacking’ the websites of major companies to display the scammers’ phone number.
The campaign, analyzed by antimalware firm Malwarebytes, involves the use of sponsored ads on Google. The attackers pay for ads that point people who look for 24/7 support to the sites of companies such as Apple, Microsoft, HP, Facebook, Netflix, Bank of America, and PayPal.
However, unlike in other campaigns involving sponsored ads, the cybercriminals are not trying to lure users to fake websites set up to mimic the ones of the targeted companies.
Instead, the sponsored links point to the legitimate website, specifically help center, support or shop pages that include search functionality.
The URLs of these pages have been crafted in a way that triggers what Malwarebytes calls search parameter injection, causing the page to display the tech support scam phone number in the search bar or search results.
“The browser address bar will show that of the legitimate site and so there’s no reason for suspicion. However, the information the visitor sees will be misleading, because the search results have been poisoned to display the scammer’s number prominently in what looks like an official search result,” explained Malwarebytes Senior Director of Research Jerome Segura.
“Once the number is called, the scammers will pose as the brand with the aim of getting their victim to hand over personal data or card details, or even allow remote access to their computer. In the case of Bank of America or PayPal, the scammers want access to their victim’s financial account so they can empty it of money,” Segura added.
In some of the examples seen by Malwarebytes, it’s easier to determine that the scammers’ phone number is displayed as a search result, making it less likely for users to fall for it.
In the case of the websites of companies such as Apple and Netflix, it’s less clear that the tech support scam number does not belong on the page.
Related: Why Scamming Can’t Be Stopped—But It Can Be Managed
Related: How Scammers Are Using AI to Steal College Financial Aid
Related: Tech Support Firms Agree to $26M FTC Settlement Over Fake Services
