
Cyber Scammers Take Out Google Ads to Pass Fake Support Numbers for Actual Websites of Bank of America, Microsoft, Netflix and More

In yet another reminder to always verify contact information independently with a known authorized site, Malwarebytes Labs is reporting a new scheme involving fake Google ads taken out by hackers that impersonate major brand names and that lead to malicious phone numbers purporting to be for customer support. It is concerning enough that it is apparently this easy to get fake ads using brand names placed with Google, but the scam adds a twist that makes the support numbers appear to be even more authentic.

When victims click on the fake ad, they are taken to the actual website of the listed company. However, many of these companies have a site search feature that reflects whatever search term is carried in the page URL, and the ad's landing link points at the legitimate page with the scammer's text embedded as that search term. As a result, the search bar is already filled in with a fake support number when the target arrives at the page. The Malwarebytes researchers say that this technique is highly effective in prompting victims to call the fake number, where the scammer will attempt to collect personal information and/or banking details from them.

Scam leverages poor Google Ad screening, search bar oversight to pass fake support numbers

Aside from English grammar errors, the bogus Google ads that lead to the malicious support numbers appear legitimate at a glance. They display the authentic URL for the target service, complete with an https link to the official domain. Companies that were impersonated in this way include Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal.

The apparent legitimacy of the scam is further bolstered when the target clicks on the ad and is taken to the authentic website, on a landing page devoted to answering some sort of technical support question. The big trick is that the page search bar, usually front and center in the user’s view, is pre-filled with one of the malicious support numbers (placed there by the referring URL from the ad) and some sort of exhortation to call the “Help Center.”
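A defender-side check of the mechanism described above, added here as an example (it is not part of the original article or of the Malwarebytes report): a Python scan over constructed web-server log lines that flags site-search requests whose reflected search term carries a phone number together with a "call" lure, so a site owner can spot this abuse of their own search box. The log format, the site name, the search-parameter names and the phone-number shape are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines for a hypothetical site "support.example.com"
# (not taken from the Malwarebytes report). The third line mimics the abuse:
# a Google ad click whose landing URL carries a phone number and a "call the
# Help Center" lure in the site-search parameter, which the page then reflects.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Feb/2023:10:01:02 +0000] "GET /search?q=reset+password HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
203.0.113.9 - - [12/Feb/2023:10:02:44 +0000] "GET /search?q=billing+history HTTP/1.1" 200 4711 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2023:10:03:15 +0000] "GET /search?q=Call+Help+Center+%2B1+800+555+0199+24%2F7 HTTP/1.1" 200 5320 "https://www.googleadservices.com/pagead/aclk?sa=L" "Mozilla/5.0"
"""

# Combined-log-format fields we need: client IP, request path and referrer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Assumed North American phone-number shape: optional +1 and common separators.
PHONE_RE = re.compile(r'\+?1?[\s\-.]?\(?\d{3}\)?[\s\-.]?\d{3}[\s\-.]?\d{4}')
# Wording the scam pairs with the number so the reflected text reads as an instruction.
LURE_RE = re.compile(r'\b(call|help\s*center|24/7|toll\s*free)\b', re.IGNORECASE)
SEARCH_PARAMS = ("q", "query", "search", "s")  # assumed site-search parameter names

def search_query(path):
    """Return the site-search term carried in the request path, or None."""
    qs = parse_qs(urlparse(path).query)
    for key in SEARCH_PARAMS:
        if key in qs:
            return qs[key][0]
    return None

def flag_lure(line):
    """Return a finding if the search term carries a phone number plus a lure phrase."""
    m = LOG_RE.match(line.strip())
    term = search_query(m.group("path")) if m else None
    phone = PHONE_RE.search(term) if term else None
    if not (phone and LURE_RE.search(term)):
        return None
    return {"ip": m.group("ip"), "term": term, "phone": phone.group(0),
            "from_ad": "googleadservices" in m.group("referer") or "gclid=" in m.group("path")}

def scan(log_text):
    """Run flag_lure over every line and collect the findings."""
    return [f for f in map(flag_lure, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with `from_ad` set is the signature to watch for; the same check can be applied server-side to refuse to pre-fill the search box when the incoming term looks like a phone number.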

In addition to making it look like the fake support numbers are being displayed on an official company page, the scam is able to bypass reputation-based browser filters that automatically trust known official sites (though Malwarebytes has since added a warning pop-up to its software). The ads are also targeted at people specifically searching for support contact information for one of the target companies, particularly a “24/7” support line that is always available.

Those that call the bogus support numbers are put in touch with a criminal who will pose as company staff and either attempt to get personal and financial information out of them, attempt to get them to install remote desktop viewing software, or both. Malwarebytes did not make clear how many people have fallen victim to this approach but did call it “highly effective.”

Bogus search ads increasingly popular with cyber criminals

The scam is targeted primarily at less technologically sophisticated users who are likely seeking support numbers for immediate assistance and might not notice that the malicious text is sitting, for no apparent reason, inside a search bar. Even more cautious users might simply assume that the website is glitching and displaying elements incorrectly, something that is far from uncommon. On many of the impacted sites, the search bar is either front and center on the screen or alongside a legitimate menu bar at the top of the page, where the eye is naturally drawn when scanning for a contact number.

Users who have already visited the official support page might also backtrack to a search engine while specifically seeking a support number. For example, Facebook does not maintain phone or email contacts for the general public at all, and Microsoft’s support page prompts users to first log in with a Microsoft account and can require some digging to find a relevant phone number. Netflix steers users through multiple layers of online menus before a customer support number can be discovered; it is much quicker to search Google for it.

Another component of the issue is Google’s increasing blending of paid search ads with general search results, such that it may not be entirely clear to the user what they are clicking on. The company derives the majority of its revenue from advertising, and it is a volume business that relies on automated systems to screen for scams. As the support numbers scam demonstrates, there appears to be ample leeway for scammers with no connection to a brand to purchase ads that use that brand name and link to its official site.

Roger Grimes, data-driven defense evangelist at KnowBe4, notes that the door has been wide open to scams like this for some time: “Fraudulent paid search engine ads taking users to fake websites have been a problem for decades. But this is definitely a new twist on the problem by being able to take users to legitimate vendor websites that then somehow display fraudulent phone numbers, which, when answered, will be answered by a fake tech support message or person. It’s pretty devious. It’s especially devious because there isn’t a legitimate top 100 vendor who will easily display the legitimate vendor tech phone number for the victim to see and call instead, if the vendor even has a phone number a customer can call. If the vendor does have a phone number a customer can call, it’s almost always buried under a ton of other pages or you have to find it by conducting an Internet search, which leads to the same problem. The fraudster pushes their scam number to the victim while the legitimate site hides theirs. So, it’s very easy to see how a customer can become a victim. It’s not my call and I don’t pay the bills, but it would be great if all vendors made their legitimate tech support phone numbers easier to find and/or more prominently displayed so they were easier for customers to find. It would be great if the legitimate vendors made finding their phone numbers as easy as the scammers make it.”