Apple, PayPal Pages Abused in Support Scam


Scammers are now hijacking legitimate websites—including Apple, Netflix, and Microsoft—to trick users into calling fake support lines, using a sneaky but surprisingly simple tactic.

Security researchers at Malwarebytes recently uncovered a campaign where cybercriminals manipulate search engine ads and exploit search features on official websites to run a deceptive tech support scam. Unlike previous attacks that redirect users to lookalike phishing pages, this method sends users to real websites like Apple’s support portal or PayPal’s help center—only to show them fraudulent phone numbers through search bar tricks.

The scam begins with Google ads. The attackers pay for top search placements targeting phrases like “24/7 Apple support” or “Microsoft help number.” But here’s where it gets dangerous—they don’t redirect to fake sites. Instead, the ads link directly to legitimate support pages on trusted brands.

But these URLs are tampered with. By injecting fake queries into the search bar—what Malwarebytes calls search parameter injection—the page ends up displaying the scammer’s phone number in what appears to be a real search result.

Since the URL still shows the company’s real domain, unsuspecting users assume they’re getting genuine help. In reality, they’re being misled by a number planted in the search results.

According to Jerome Segura, Senior Director of Research at Malwarebytes, “The browser address bar will show the legitimate website, giving users no reason to doubt what they’re seeing. But the page is poisoned. The scammer’s number looks official, and once called, they impersonate the company to steal personal data or gain remote access.”

That remote access could be used for anything—from installing malware to draining bank accounts. Targets like Bank of America and PayPal are especially appealing because of the potential for immediate financial theft.

While some of the poisoned pages are poorly formatted—making it obvious the phone number isn’t real—others are slick enough to fool even savvy internet users. And because they’re hosted on real domains, many antivirus tools don’t detect the issue.
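Because the planted number travels in the URL's query string, it can be spotted before the page renders. The sketch below is an added example, not code from Malwarebytes or the original article: it decodes each query parameter of a URL (for instance from proxy logs or ad landing links) and flags phone numbers embedded in it. The hosts, phone numbers and lure word list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Loose North American phone pattern: optional +1/1 prefix, then 3-3-4 digits
# separated by spaces, dots, dashes or parentheses. Digit runs longer than a
# phone number (order ids, timestamps) are rejected by the lookarounds.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.\-]*)?\(?\d{3}\)?[\s.\-]*\d{3}[\s.\-]*\d{4}(?!\d)")
# Call-to-action wording that often accompanies a planted number (assumed list).
LURE_RE = re.compile(r"\b(call|support|help\s?line|toll[\s-]?free)\b", re.I)

def decode_fully(value, max_rounds=3):
    """Undo layered percent-encoding so double-encoded text is still inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_url(url):
    """Return one finding per query parameter whose value contains a phone number."""
    parts = urlsplit(url)
    findings = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        text = decode_fully(raw)  # parse_qsl already decoded one layer
        match = PHONE_RE.search(text)
        if match:
            findings.append({"host": parts.hostname, "param": name,
                             "phone": match.group(0),
                             "lure": bool(LURE_RE.search(text))})
    return findings

# Constructed sample URLs (example.* hosts, fictional 555-01xx numbers).
SAMPLE_URLS = [
    "https://support.example.com/search?q=Call%20Support%20Now%20%2B1-202-555-0143",
    "https://help.example.net/kb?query=Helpline%25201%2520(202)%2520555-0167",
    "https://support.example.com/search?q=reset+password",
    "https://shop.example.org/orders?id=20255501431234",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", inspect_url(url) or "clean")
```

A hit with `lure` set is the stronger signal; a bare phone number in a query can be a legitimate lookup, so treat it as a triage hint and not a verdict.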
