Large companies are often hesitant to make customer support numbers readily available due to the volume of calls, if they maintain them at all. That often sends their users to Google and other search engines to see if they can find contact information more readily that way.
Malwarebytes Labs is reporting that clever scammers are now taking full advantage of that phenomenon, paired with a common security oversight that allows them to place a custom string of text right in the middle of a company website.
Hackers find increasingly creative ways to exploit search ads
The first step of the scheme is for hackers to take out a Google ad impersonating a legitimate company, something that apparently is not that difficult to slide by the ad network’s automated threat detection systems. The ad purports to offer phone support numbers to viewers, and includes the company’s legitimate URL.
When victims click on the ad, they actually are taken to the legitimate company website, not a mockup or a phishing site. The malicious element is a “rider” of text in the URL that places a hacker-controlled phone number in the site's search bar, where it purports to be the legitimate customer service number. When users call this number, the attackers pose as company support staff and attempt to extract personal, financial and authentication information from them, and may also try to convince them to install remote desktop viewing software.
The main target of the scam is likely older and less sophisticated users looking for support numbers when something goes wrong, but it does enough right to potentially ensnare even those who are more wary. Aside from some English grammar mistakes, the Google search ads otherwise appear legitimate and deliver the target to a legitimate site. It is not at all uncommon for websites to have glitches or to display incorrectly on some devices, and someone in a hurry might not think twice about a support number sitting pre-filled in a search bar.
Whether technically sophisticated or not, companies often go out of their way to drive users to third-party search engines to seek help. The impacted companies include Facebook, which does not even have public phone support numbers, and Microsoft, which requires users to log in and follow a series of menus and prompts before they might find numbers available to call. Others simply bury contact numbers so deep in menus that it is simpler to ask a search engine to find them.
Ease of passing bogus ads, fake support numbers raises security questions
Other companies that were impersonated in the support-number attack include Apple, Bank of America, HP, and PayPal. Some do have phone numbers that are relatively easy to find, but they all share the quality of not “sanitizing” text that a URL pre-fills into their site search bars.
Malwarebytes has since added a warning about this behavior to its software, but otherwise this scam will broadly bypass security filters that greenlight sites known to have a safe reputation. In addition to being clever in its own right, the scam highlights a number of lingering, unaddressed vulnerabilities: failure to sanitize strings from inbound URLs, the inability of legitimate ad services to stop scam ads from running, the prominent placement of these ads in legitimate search engines and their confusion with organic search results, and the simple fact that customers of major companies cannot get adequate customer service support when they need it.
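The sanitization gap described above is the site echoing a URL query parameter straight into its search box. As an added example that is not code from Malwarebytes or any of the companies named, the guard below decides whether a query parameter may be pre-filled, refusing values that look like a phone number (and especially a phone number paired with support-style lure words) before they ever reach the input. The parameter name "q", the element id "site-search", the digit threshold and the sample URLs are all assumptions constructed for the example.

```javascript
// Added example: guard for echoing a URL query parameter into a site search box.
// Not taken from the Malwarebytes report or any vendor's code; names are assumptions.

// A run of 7+ digits allowing the separators people write in phone numbers.
const PHONE_RE = /(?:\+?\d[\s().-]*){7,}/;
// Words a scam "rider" uses to make the number look like an official contact.
const LURE_RE = /\b(call|phone|support|helpline|toll[\s-]?free|customer\s+service)\b/i;
const MAX_LEN = 100; // assumed cap; real search terms are short

// Returns what (if anything) may be pre-filled and why, so the reason can be logged.
function classifySearchPrefill(rawUrl, paramName = "q") {
  const url = new URL(rawUrl);
  const value = url.searchParams.get(paramName); // URLSearchParams decodes %2B and '+'
  if (value === null || value === "") return { prefill: "", reason: "empty" };
  if (value.length > MAX_LEN) return { prefill: "", reason: "too-long" };

  const hasPhone = PHONE_RE.test(value);
  const hasLure = LURE_RE.test(value);
  if (hasPhone && hasLure) return { prefill: "", reason: "phone-lure" };
  if (hasPhone) return { prefill: "", reason: "phone-number" }; // policy assumption: no bare numbers either
  return { prefill: value, reason: "ok" };
}

// Browser-side use: `doc` is the DOM document (or a stand-in object in tests).
// The value is always assigned through .value, never interpolated into markup.
function applyPrefill(doc, rawUrl) {
  const { prefill, reason } = classifySearchPrefill(rawUrl);
  const box = doc.getElementById("site-search"); // assumed element id
  if (box) box.value = prefill;
  return reason;
}

// Constructed sample URLs (the number is a fictional 555 number).
const SAMPLE_URLS = [
  "https://example.com/search?q=wireless+headphones",
  "https://example.com/search?q=Customer+Support+Call+Now+%2B1-800-555-0199",
  "https://example.com/search?q=%2B1-800-555-0199",
  "https://example.com/search?q=order+12345",
];

for (const u of SAMPLE_URLS) {
  const r = classifySearchPrefill(u);
  console.log(`${r.reason.padEnd(12)} prefill=${JSON.stringify(r.prefill)}`);
}
```

The same classification can run server-side on the request line to block or log the rider before the page is rendered, which also gives the security team a signal that an ad campaign is abusing the site.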