Article Details
Scrape Timestamp (UTC): 2025-06-20 21:13:32.230
Source: https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/
Original Article Text
Netflix, Apple, BofA websites hijacked with fake help-desk numbers

Don’t trust mystery digits popping up in your search bar.

Scammers are hijacking the search results of people needing 24/7 support from Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal in an attempt to trick victims into handing over personal or financial info, according to Malwarebytes senior director of research Jérôme Segura.

It's a variation of SEO or search poisoning, in which the attackers manipulate the search engine algorithms to promote what is usually a malicious website masquerading as the real deal. In this new scam, the fraudster pays for a sponsored ad on Google and crafts a malicious URL that embeds a fake phone number into the real site's legitimate search functionality. Because the ad resolves to the authentic Netflix domain, reputation-based browser filters, such as Chrome's Safe Browsing, won't flag it as malicious.

When someone searches "24/7 Netflix support," for example, the digital thieves' ad pops up as one of the top results, and when the unwitting victim clicks on the URL, it takes them to the help page of the brand's website. The page looks real — because it is — but displays a phone number pre-populated in the search bar on that page. This purports to be the legitimate help-desk phone number, but in reality it's a fake, controlled by the attackers.

As the anti-malware security firm explains: "This is able to happen because Netflix's search functionality blindly reflects whatever users put in the search query parameter without proper sanitization or validation. This creates a reflected input vulnerability that scammers can exploit."

The scam succeeds if victims don't question why the search bar has a phone number pre-populated, and simply dial it up and start talking to the criminal on the other end of the line.
Then, the scammer on the other end of the line attempts to convince them to hand over personal or financial account data, or to allow remote access to their computer. Next, they drain the victims' online accounts and/or snoop around on their hijacked machine for additional info worth stealing — passwords, bank account numbers, sensitive files — before moving on to the next victim.

Malwarebytes did not immediately answer a question about how many people it thinks actually fell for these scams. Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal did not immediately respond to The Register's requests for comment. We will update this story if we receive responses.

Being a security firm, Malwarebytes naturally wants people to buy their product to protect against this type of scam, which it does by displaying a warning that a search hijacking has been detected and a message: "We've detected unauthorized changes to your search results, a scammer may be trying to trick you by overlaying their phone number on a trusted website".

The vendor does, however, provide some valuable tips on how to avoid falling victim, and suggests keeping an eye out for details such as a phone number in the URL, and suspicious search terms like "call now" or "emergency support" in the address bar of the browser. Plus, a long list of encoded characters like the %20 (space) and %2B (+ sign) in addition to phone numbers is a big red flag.

Most important, keep in mind that legitimate help desks are not going to ask for your username and password, or your bank account number, so don't hand those over because someone on the other end of the line wants that information.
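The two sides of the problem the article describes, worked through as an added example that is not code from The Register, Malwarebytes, Netflix or any of the brands named: a help-centre search box that reflects the query parameter verbatim (the "reflected input" behaviour above), the same box with validation and escaping in front of it, and a URL checker that implements the red flags listed in the tips (a phone number in the URL, "call now"/"emergency support" wording, and a run of percent-escapes such as %20 and %2B next to a number). The function names, the length limit, the `q=` parameter name, the example.com domain and the 555 sample number are all assumptions constructed for this example.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# All names, thresholds and sample URLs in this file are assumptions constructed for
# this example; they are not Netflix's, Malwarebytes' or any vendor's real code or data.

# Looks like a phone number: 7+ digits with optional separators and an optional leading +.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")

# Urgency wording the article names as a red flag when it shows up in an address bar.
SCAM_TERMS = ("call now", "emergency support")

MAX_QUERY_LEN = 64  # assumed upper bound for a genuine help-centre search term


# --- Server side: the reflected search box, before and after ---------------------

def render_search_box_vulnerable(query: str) -> str:
    """The behaviour the article describes: whatever arrives in the query parameter
    is reflected straight into the search box, so a crafted link can pre-fill it."""
    return f'<input name="q" value="{query}">'


def sanitize_support_query(query: str) -> str:
    """Keep a plausible search term; return '' (a blank box) for anything that looks
    like a phone number, carries scam urgency wording, or is implausibly long."""
    q = " ".join(query.split())  # collapse runs of whitespace and newlines
    if not q or len(q) > MAX_QUERY_LEN:
        return ""
    if PHONE_RE.search(q):
        return ""
    if any(term in q.lower() for term in SCAM_TERMS):
        return ""
    return q


def render_search_box_hardened(query: str) -> str:
    """Validate the term, then HTML-escape it so it can only ever be the box's text."""
    q = sanitize_support_query(query)
    return f'<input name="q" value="{html.escape(q, quote=True)}">'


def prefill_from_url(url: str, hardened: bool = True) -> str:
    """Take the q= parameter from a landing-page URL and render the search box."""
    raw = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return render_search_box_hardened(raw) if hardened else render_search_box_vulnerable(raw)


# --- Client / proxy side: the red flags the article tells users to look for ------

def url_red_flags(url: str) -> list[str]:
    """Return the warning signs present in a URL: a phone number in the query string,
    scam urgency terms, and a run of percent-escapes (%20, %2B, ...) beside a number."""
    raw_query = urlsplit(url).query
    decoded = unquote(raw_query.replace("+", " "))  # a bare '+' is a form-encoded space
    flags = []
    if PHONE_RE.search(decoded):
        flags.append("phone_number_in_url")
    hits = [t for t in SCAM_TERMS if t in decoded.lower()]
    if hits:
        flags.append("scam_terms:" + ",".join(hits))
    escapes = len(re.findall(r"%[0-9A-Fa-f]{2}", raw_query))
    if escapes >= 5 and "phone_number_in_url" in flags:
        flags.append(f"encoded_run:{escapes}")
    return flags


if __name__ == "__main__":
    # Constructed sample links: placeholder domain and a reserved 555 number.
    crafted = "https://help.example.com/search?q=Call%20now%20%2B1%20555%200100%20support"
    benign = "https://help.example.com/search?q=reset+password"
    print(prefill_from_url(crafted, hardened=False))  # number lands in the box
    print(prefill_from_url(crafted))                  # box stays blank
    print(url_red_flags(crafted), url_red_flags(benign))
```

The server-side fix deliberately renders a blank box rather than an error when the parameter fails validation: the page still works for anyone who typed a real question, and a crafted link simply has nothing to show. The URL checker only escalates a run of percent-escapes when a phone number is also present, matching the article's point that encoding on its own is normal and it is the combination with a number that stands out.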
Daily Brief Summary
Scammers are manipulating search results to display ads with embedded fake help-desk numbers for companies such as Netflix, Apple, and Bank of America.
The fraudulent scheme involves crafting malicious URLs that direct users to legitimate brand websites, yet sneakily incorporate a false phone number into the site’s search functionality.
This type of attack, known as search poisoning or SEO poisoning, takes advantage of the search engines' algorithms to promote malicious websites that mimic legitimate ones.
Because the ads resolve to the real brand’s domain, reputation-based filters such as Chrome’s Safe Browsing do not flag them as malicious.
The scam is facilitated by a flaw in Netflix's and other sites’ search functions that do not properly sanitize input, creating opportunities for reflected input vulnerabilities.
Victims are deceived into believing these fake numbers are genuine customer support, leading to potential disclosure of personal and financial information, or even granting remote access to their devices.
Malwarebytes warns users about this scam and suggests vigilance, particularly scrutinizing URLs for suspicious terms and encoded characters.
Tips to avoid falling victim include being wary of pre-populated phone numbers in search bars and not disclosing sensitive information such as usernames and passwords to unverified callers.