Warning: New “Search Poisoning” Scam Injects Fake Support Numbers on Legitimate Brand Sites

Fraudsters have found a way to hijack the searches of users looking for 24/7 customer support from companies such as Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal. By posing as legitimate support representatives, they deceive individuals into divulging personal information or granting remote access to their devices. This warning comes from Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes.

The attack is a form of “search poisoning,” a term that usually describes cybercriminals gaming search engine ranking algorithms to push malicious sites up the results. In this case, no ranking manipulation is needed: the scheme relies on paid Google advertisements whose links genuinely point to the official company website, such as Netflix, but carry a fraudulent phone number embedded in the URL.

Because the ad’s link really does lead to the official domain, there is no redirection for a browser such as Chrome, or its safe-browsing checks, to flag. When a user searches for something like “24/7 Netflix support,” they see the sponsored result and click through. The authentic Netflix site opens, with the genuine address in the address bar, but the search field on the page has been pre-populated, via the URL, with a phone number that looks official and is in fact controlled by scammers.

The weakness is that the Netflix search page reflects the query-string parameter into the search box without validating it, so attackers can place arbitrary text in the URL and have it displayed on the page. This is not a code-execution flaw; it is plain text reflected into a visible field. But that is enough: the deceptive support number appears on a real page, under a real address, which lends it a legitimacy a lookalike domain could never match. Any site that prefills a visible field from a URL parameter is exposed to the same trick.

If the user fails to spot the ruse and dials the number, the next phase of the attack begins. The scammer, impersonating a support agent, extracts sensitive information such as login credentials and personal details and, in some cases, persuades the victim to grant remote access to their device. This can result in stolen funds, unauthorized access to email and banking services, and the compromise of personal files, before the attackers move on to their next victim.

Experts advise paying close attention to irregularities in the address bar. Phrases like “call now,” visible phone numbers, or encoded characters such as %20 (a space) or %2B (a plus sign) in the URL are red flags: they are what pasted text with a phone number in it looks like once URL-encoded. A company’s search box that already contains a phone number when the page loads is itself the tell; take support numbers from the company’s own support page, reached by typing its address directly. Most importantly, legitimate technical support will never ask for your password or banking information.
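The two sides of this problem, the reflected parameter on the site and the red flags in the URL, can both be shown in a few lines of JavaScript. The following is an added example, not code from Malwarebytes, Netflix, or the article: the domain, the parameter name `q`, the sample URLs, and the regular expressions are all constructed for illustration. `prefillUnsafe` reproduces the reflection pattern described above; `inspectUrl` flags the indicators listed in the advice; `prefillSafe` is one way a site could refuse to reflect values that do not look like a catalogue search. It runs under Node.js with no dependencies.

```javascript
// Added example (not from the article, Malwarebytes or Netflix).
// Hypothetical domain and parameter name; sample URLs are constructed.

// Constructed sample URLs: a normal search, and two "ad" URLs that smuggle a
// phone number into the reflected search parameter.
const SAMPLE_URLS = [
  "https://www.example-streaming.com/search?q=stranger+things",
  "https://www.example-streaming.com/search?q=Call%20now%20%2B1-800-555-0199%2024%2F7%20support",
  "https://www.example-streaming.com/search?q=support%20%281-800-555-0100%29",
];

// Loose phone-number shape: optional +, 7 to 15 digits in 4 groups with
// optional separators or parentheses. Deliberately permissive; it is a red
// flag detector, not a validator.
const PHONE_RE = /\+?\(?\d{1,3}\)?[\s.-]?\(?\d{2,4}\)?[\s.-]?\d{2,4}[\s.-]?\d{2,4}/;
// Call-to-action phrases typical of the lure text.
const LURE_RE = /\b(call|dial|phone|helpline|toll[- ]free)\b/i;
// Percent-encoded space, plus and parentheses: what pasted phone-number text
// looks like after URL encoding.
const ENCODED_RE = /%20|%2B|%28|%29/i;

// Vulnerable pattern as described in the article: whatever the URL carries in
// the search parameter is reflected verbatim into the page's search box.
function prefillUnsafe(urlString, paramName = "q") {
  return new URL(urlString).searchParams.get(paramName) ?? "";
}

// User-side check: decode each query parameter and report the red flags.
// URLSearchParams decodes %20 and %2B for us, so the raw query string is
// inspected separately for the encoding itself.
function inspectUrl(urlString) {
  const url = new URL(urlString);
  const findings = [];
  for (const [name, value] of url.searchParams) {
    if (PHONE_RE.test(value)) findings.push({ param: name, reason: "phone-number-like value" });
    if (LURE_RE.test(value)) findings.push({ param: name, reason: "call-to-action phrase" });
  }
  if (ENCODED_RE.test(url.search)) {
    findings.push({ param: null, reason: "percent-encoded space/plus/parentheses in query" });
  }
  return findings;
}

// Site-side mitigation: only prefill short values that carry none of the
// lure indicators; otherwise leave the box empty. The stronger fix is not to
// reflect an externally controlled parameter into visible content at all.
function prefillSafe(urlString, paramName = "q", maxLen = 60) {
  const value = prefillUnsafe(urlString, paramName);
  if (value.length > maxLen) return "";
  if (PHONE_RE.test(value) || LURE_RE.test(value)) return "";
  return value;
}

// Stand-alone demonstration over the constructed URLs.
for (const u of SAMPLE_URLS) {
  console.log(u);
  console.log("  reflected verbatim:", JSON.stringify(prefillUnsafe(u)));
  console.log("  hardened prefill:  ", JSON.stringify(prefillSafe(u)));
  console.log("  findings:          ", inspectUrl(u).map((f) => f.reason));
}
```

Note that `prefillSafe` is a stop-gap: a determined scammer can spell digits out or split the number across words, so filtering on shape reduces the easy cases rather than closing the hole. The durable fix is on the product side: do not echo an ad-controllable URL parameter into a visible field, or require the prefill to come from a source the site controls.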