Scammers Are Using Malicious URLs to Inject Fake Phone Numbers Into Search Queries on Legitimate Sites.

It’s reasonable to assume that if you contact support through a legitimate company’s help site, you’ll reach a real customer service representative. However, scammers have found a way to make the genuine help pages of companies like Netflix, PayPal, and Apple display phone numbers they control, in order to steal your information or gain remote access to your device.

Malwarebytes Labs has identified a tech support scam that uses crafted URLs to inject fake phone numbers into the search results pages of legitimate sites. Here’s how to spot it and avoid falling victim to it.

How Scammers Plant Fake Numbers on Customer Support Pages

This scam starts, like many others, with a sponsored ad on Google. If you search for a company’s tech support phone number, you may see several fake sponsored results at the top of the page. Often, clicking one of these links redirects you to a phishing site, which you can spot by checking the URL. In some cases, however, you actually end up on the company’s genuine support page, which gives little reason for suspicion.

The number displayed there can still be a scam, and if you call it, you’ll be connected to the scammers instead of tech support. The trick is that the ad links to the legitimate site’s search page with a search term already filled in through the URL. Many support sites echo that search term back prominently on the results page, so whatever the attackers put in the URL, typically a fake phone number and a “call now” message, is displayed on the real page under the real domain. Once you call, the scammers will ask for login credentials, financial account information, or even remote access to your device.

Because the URL is genuine and the page layout is authentic, most people would call the number without hesitation. Malwarebytes has observed this attack on sites including Netflix, PayPal, Apple, Microsoft, Facebook, Bank of America, and HP.


Red Flags for Hacked Tech Support Sites

Now that you know the scam exists, there are a few signs to look out for. First, check your browser’s address bar. Chances are the URL contains a phone number along with many percent-encoded characters (%20 for a space, %2B for a plus sign) and/or text like “call now” or “emergency support.” If the page shows search results but you never typed a search term into the site’s search box, be suspicious. As always, any language that creates a sense of urgency should also raise suspicion.
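As an added example (not code from the article or from Malwarebytes), the following Python script illustrates both halves of the technique described above: how a crafted link places bait text in a legitimate site’s search parameter so that the real page echoes it back, and how the red flags listed in this section (a phone number in the query string, urgency wording, percent-encoded characters) can be checked automatically, for instance over proxy logs or in a browser extension. The domain help.example.com, the query parameter name q, and the sample URLs are constructed placeholders, not taken from the article.

```python
import re
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Constructed sample input: hypothetical help-site search URLs (example.com is a
# placeholder, not one of the sites named in the article). The first entry mimics
# an attacker-crafted link; the second is an ordinary search a user might run.
SAMPLE_URLS = [
    "https://help.example.com/en/search?q=Call+Now+%2B1-800-555-0199+Emergency+Support",
    "https://help.example.com/en/search?q=how+to+reset+password",
]

# Pressure language of the kind the article warns about; lowercase for matching.
URGENCY_WORDS = ("call now", "emergency", "urgent", "immediately", "24/7", "toll free")

# Candidate phone number: optional "+", then digits with common separators.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def build_injected_url(search_url: str, injected_text: str, param: str = "q") -> str:
    """Show how the crafted link is made: the bait text simply goes into the
    site's own search parameter, so the legitimate results page echoes it.
    The parameter name 'q' is an assumption; real sites use various names."""
    parts = urlsplit(search_url)
    query = urlencode({param: injected_text})  # spaces -> '+', '+' -> '%2B'
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def find_phone_numbers(text: str) -> list:
    """Return phone-number-like substrings containing 10 to 15 digits."""
    found = []
    for match in PHONE_RE.finditer(text):
        candidate = match.group(0).strip()
        digit_count = len(re.sub(r"\D", "", candidate))
        if 10 <= digit_count <= 15:
            found.append(candidate)
    return found


def analyze_support_url(url: str) -> dict:
    """Apply the article's red flags to one URL: a phone number in the query,
    urgency wording, and percent-encoded characters in the raw query string."""
    parts = urlsplit(url)
    # parse_qs decodes %XX escapes and '+' once, just as the site would before
    # echoing the term back onto the page.
    params = parse_qs(parts.query, keep_blank_values=True)
    search_text = " ".join(v for values in params.values() for v in values)
    phones = find_phone_numbers(search_text)
    urgency = [w for w in URGENCY_WORDS if w in search_text.lower()]
    encoded_chars = parts.query.count("%")
    return {
        "url": url,
        "search_text": search_text,
        "phones": phones,
        "urgency": urgency,
        "encoded_chars": encoded_chars,
        "suspicious": bool(phones) or bool(urgency),
    }


if __name__ == "__main__":
    crafted = build_injected_url("https://help.example.com/en/search",
                                 "Call Now +1-800-555-0199 Emergency Support")
    print("crafted link:", crafted)
    for u in SAMPLE_URLS:
        r = analyze_support_url(u)
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(verdict, "|", r["search_text"], "|", r["phones"], r["urgency"])
```

The phone pattern deliberately requires 10 to 15 digits so that dates, order numbers and short codes in ordinary searches are not flagged; a deployment would tune the urgency word list to the language of the site being protected.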

Unfortunately, this isn’t the only way scammers can impersonate legitimate companies. With caller ID spoofing, a fake call can appear to come from a real, known number, so if you get a call back from “tech support” and Google the number, it may show up as the company’s genuine support line. If anything seems odd, such as a sense of urgency or a caller asking for personal information or access to your device, hang up.

To avoid all of this, find the company’s phone number by going directly to its home page or its official social media channels. You can also look for contact information in the company’s past messages to you or by logging into your account. Do not rely on search results or sponsored ads.
