Malvertising: Malicious advertising pushes false numbers onto provider sites
Fraudsters are using advertising links in search results to foist fake telephone numbers on genuine provider sites, IT security researchers warn.
Online fraudsters have found another way to find victims using manipulated advertising links in search results. They use fake telephone numbers on websites.
Malwarebytes is currently issuing a warning about this scam. The perpetrators place advertisements that link to the support pages of well-known companies, including Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal. Fraudsters often redirect such advertising links to fake websites. In this case, however, potential victims actually end up on the companies' real websites. There they land on the support pages, but instead of the real phone number, the pages display the phone number of the fraudsters.
Fake tech support scam
The address bar of the web browser shows the correct domain of the provider being searched for, so visitors are not suspicious. However, visitors are shown misleading information as the advertising link has been manipulated so that the website displays the fraudulent telephone number in a field that looks like a search query field.
When victims call, the scammers introduce themselves as the brand that was advertised and try to get callers to reveal personal details or credit card information. The perpetrators may also try to gain remote access to the computer. In the Bank of America or PayPal case investigated, the fraudsters wanted access to the victims' accounts so that they could empty them, Malwarebytes explains in its analysis.
The analysts explain that this is a case of search parameter injection, as the scammers put together a malicious URL that embeds their fake phone number into the search function of the original website. Malwarebytes further explains that this only works because the website operators do not filter or check the parameters that users submit.
To protect themselves, Internet users should check that links contain no telephone numbers and that no suspicious search terms such as “Call Now” or “Emergency Support”, or their equivalents in other languages, appear in the address bar of the web browser. Percent-encoded characters such as “%20” for spaces or “%2B” for the plus sign together with telephone numbers are also suspicious, as are search results displayed before users have even entered search terms on the website.
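The indicators listed above can be checked automatically, for example in a proxy log review or a browser-side filter. The following is an added example, not code from Malwarebytes or heise; the phone-number pattern, the phrase list and the sample URLs (on example.com with fictional 555 numbers) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Phrases the article names as suspicious; extend with other languages as needed.
LURE_PHRASES = ("call now", "emergency support")

# Loose phone-number shape (an assumption, not a standard): optional "+",
# then 8 to 15 digits with spaces, dots, dashes or parentheses between them.
PHONE_RE = re.compile(r"(?<!\d)\+?\(?\d(?:[\s().-]*\d){7,14}(?!\d)")


def inspect_url(url):
    """Return (parameter, reason) findings for every query parameter of url."""
    findings = []
    # parse_qsl percent-decodes values, so %20 becomes " " and %2B becomes "+".
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if PHONE_RE.search(value):
            findings.append((name, "phone number"))
        lowered = value.lower()
        for phrase in LURE_PHRASES:
            if phrase in lowered:
                findings.append((name, "lure phrase: " + phrase))
    return findings


def is_suspicious(url):
    """True if any query parameter carries a phone number or a lure phrase."""
    return bool(inspect_url(url))


if __name__ == "__main__":
    # Constructed sample URLs: one injected search link and two ordinary searches.
    samples = [
        "https://support.example.com/search?q=Call%20Now%20%2B1-800-555-0100",
        "https://support.example.com/search?q=reset+password",
        "https://support.example.com/search?q=error%20404&page=2",
    ]
    for url in samples:
        print(url, "->", inspect_url(url) or "clean")
```

This is a heuristic: a legitimate search for a long order or serial number would also match the phone pattern, so findings are candidates for review rather than verdicts.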
Malvertising remains a high-level threat. Last week, heise security noticed a scam in which criminals put websites online with alleged options for standard commands under macOS. In the end, however, the commands given there lead to malware being downloaded and installed on the system. In this case, it was an infostealer, which spies out access data and other information that criminals can turn into money.
(dmk)