(Image credit: Shutterstock)
Scammers are using legitimate website to post their malicious ‘tech support’ phone numbersIt’s called search parameter injection or reflected input vulnerabilityAttackers modify legitimate URLs with dodgy detailsFake tech support scammers are injecting fake phone numbers into legitimate websites, with major companies like Apple, PayPal and Netflix affected by an emerging type of threat that could put customers’ data at risk, experts have warned.
The scam is especially deceptive, because it bypasses the usual security checks that savvy Internet users can make like verifying the web address, but injecting malicious phone numbers onto the official sites.
Online advertising spaces are behind the attack vector, with scammers purchasing Google Ads to pose as major brands.
Watch out for these fake tech support hotlinesClick on the ad might lead to the official site, but the scammers use malicious URL parameters to modify the content displayed on the site – such as displaying fake phone numbers into support sections. Because the browser shows the legitimate domain, users are less likely to be suspicious.
Researchers at Malwarebytes describe the attack as search parameter injection attack – or reflected input vulnerability.
“Once the number is called, the scammers will pose as the brand with the aim of getting their victim to hand over personal data or card details, or even allow remote access to their computer,” the researchers explain.
Other affected sites include HP, Microsoft, Facebook and the Bank of America.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Malwarebytes is urging users to be weary of fake tech support lines by checking if the phone number is embedded into the URL (in which case, it’s almost certainly malicious), searching for unusual and high-pressure terms like ‘Call Now,’ scanning the URL for encoded characters like ‘%20’ (space) and ‘%2B (‘+’) and exercising caution if search results are shown before they’ve entered a search term.
Users can also navigate to the website’s official top-level domain (eg www.apple.com) and find their own way to support, rather than trusting ads – companies don’t typically purchase online ads to sell tech support.
You might also likeOver 16 billion records leaked in “unimaginable” major data breach – here’s what we knowWe’ve listed the best antivirus and best endpoint protection softwareProtect your digital footprint with our list of the best VPNs
With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!
