Scammers Use Google Ads To Inject Phony Help Lines On Apple, Microsoft Sites (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Tech support scammers have devised a method to inject their fake phone numbers into webpages when a target's web browser visits official sites for Apple, PayPal, Netflix, and other companies. The ruse, outlined in a post on Wednesday from security firm Malwarebytes, threatens to trick users into calling the malicious numbers even when they think they're taking measures to prevent falling for such scams. One of the more common pieces of security advice is to carefully scrutinize the address bar of a browser to ensure it's pointing to an organization's official website. The ongoing scam is able to bypass such checks.

The unknown actors behind the scam begin by buying Google ads that appear at the top of search results for Microsoft, Apple, HP, PayPal, Netflix, and other sites. While Google displays only the scheme and host name of the site the ad links to (for instance, https://www.microsoft.com/), the ad appends parameters to the path to the right of that address. When a target clicks on the ad, it opens a page on the official site. The appended parameters then inject fake phone numbers into the page the target sees.

Google requires ads to display the official domain they link to, but the company allows parameters to be added to the right of it that aren't visible. The scammers are taking advantage of this by adding strings to the right of the hostname. The parameters aren't displayed in the Google ad, so a target has no obvious reason to suspect anything is amiss. When clicked on, the ad leads to the correct hostname. The appended parameters, however, inject a fake phone number into the webpage the target sees. The technique works on most browsers and against most websites. Malwarebytes.com was among the sites affected until recently, when the site began filtering out the malicious parameters.

  • So XSS? (Score:4, Insightful)

    by Luthair ( 847766 ) on Wednesday June 18, 2025 @11:39PM (#65460041)
    To me this suggests that these sites are all vulnerable to XSS if they're taking query parameters and injecting them into the page content.
  • When clicked on, the ad leads to the correct hostname. The appended parameters, however, inject a fake phone number into the webpage the target sees.

    and

    One of the more common pieces of security advice is to carefully scrutinize the address bar of a browser to ensure it's pointing to an organization's official website.

    I understand that the common advice is to make sure the URL does in fact point to the expected site. But aren't the appended parameters also part of the URL?

    If they are, then I'm probably OK, because I'm used to looking at the entire URL for tracking cruft. I always strip the tracking crap from, for example, Amazon links. I prune anything from a URL that looks to be unnecessary.

    I know the average person won't do what I do with URLs; but it strikes me that a browser extension using customized LLM queries

  • Complicit? (Score:3, Insightful)

    by Anonymous Coward on Thursday June 19, 2025 @12:24AM (#65460093)
    So, if Google accepts money to insert scams into bona fide websites, does that make Google complicit?
  • Seems like this would be a good use for AI that would load a bunch of pages and detect those that have a high likelihood of having scams, including scams via ads. A human team could then track down the actual scams and cut them off from the ads networks.

    Of course, this assumes that Google cares. Google gets revenue from scammers, and they have to trade that off against bad user experiences that might dissuade future use of Google services. However, since Google is effectively a monopoly where many people do

  • This one of the main reasons I use a decent ad blocker. I trust injected ads from nobody.
    • Yep, marketers shit the bed years ago by pulling all the stops on being evil assholes. Ad blockers for the win people, you MUST block all advertising in your life to avoid all this shit. You'll be happier too ... going on 25+ years ad free now. Bliss!

  • My Advice (Score:4, Insightful)

    by MDMurphy ( 208495 ) on Thursday June 19, 2025 @12:33AM (#65460105)
    I've got several older people (and some clueless ones) who rely on me for tech support. These people don't know what an address bar is in a browser and had never used bookmarks. (Or rely completely on shortcut icons on the desktop)
    For years I've been forcing them to *not* Google their bank, credit card company, etc. every single time they want to visit those sites. I've mostly got them not clicking on links in emails or calling numbers in emails or texts. I have told them to go to the site they always go to and then do what they need to. I created bookmarks for them to always go to since typing something like www.bofa.com was beyond them and they would just Google it. I was worried they would click on some ad and not the official link in the search results.
    It looks like I was totally justified in not trusting a search to lead them to the proper site, without any other hanky-panky going on.
  • Try finding customer service phone numbers that lead to a human being at many companies today. It is either really well buried, or hidden.
    Google is one of the main offenders, as it happens. Even gethuman.com lists a number for them, but it is only automated.

  • So this "scam" requires someone to do a Google search for one of these companies, Microsoft, Apple, HP, PayPal, Netflix, which would then display an advertisement with a contact phone number, then require the fool to phone that number. That's a lot of steps that are unlikely to happen.

    • Re: fooled no one (Score:4, Informative)

      by superposed ( 308216 ) on Thursday June 19, 2025 @04:18AM (#65460325)

      No, it requires them to do a Google search for the company or their problem, then shows an ad with a link to the legitimate company's website, then shows a "tech support" number to call on the real company's website. This is a pretty easy scam to fall for, for anyone in a hurry.

      The original ArsTechnica article (but not TFS or TFA) shows that this works by creating a standard GET-style search on the company website, which then shows the scammer's search terms nice and clearly at the top (e.g., "Call 1-800-123-4567 for support"). On sites that remove as many frills as possible, the search terms can look a lot like part of the site, especially if the user didn't type them themselves.

      • If the user does a Google search for "Microsoft support", sees an ad linking to microsoft.com that says "Contact 1-800-123-4567 for support", clicks through to the Microsoft page, checks that the URL is really https://microsoft.com/ and the top of the page says "Call 1-800-123-4567 for support" (and the rest of the page is a list of less-helpful support options, whatever Microsoft throws up when searching for "Call 1-800-123-4567 for support"), then it would be pretty easy for them to fall for this scam.

  • by Spacejock ( 727523 ) on Thursday June 19, 2025 @03:41AM (#65460289)
    A) use ad blocker and noscript - the latter only allowing domains I whitelist
    B) ignore all sites that insist I turn the ad blocker off

    Yes, it can be inconvenient at times, but ads have proven to be unsafe again and again.
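The summary and superposed's comment above describe the same mechanism: the ad surfaces only the scheme and host of the link, the hidden query string reaches the company's own search page, and that page echoes the search term (a phone number) back as if it were site content. The following is an added example, not code from the article, Malwarebytes or any of the affected sites, showing what a defender can do about it: the "before" renderer that echoes the term, a hardened renderer that declines to echo anything shaped like a phone number, and a sweep over access-log lines that flags query parameters carrying such lures. The host example.com, the 1-800-123-4567 number, the `/search?q=` endpoint and the log lines are all constructed for the example.

```python
"""Reflected search-term lures: the 'before' page, a hardened renderer, and a log check.
Added example; every host, number, path and log line here is constructed, not from the article."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Loose North-American phone-number shape, e.g. 1-800-123-4567 or (800) 123-4567 (constructed pattern).
PHONE_RE = re.compile(r"(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")
MAX_ECHO_LEN = 80  # longest search term the site is willing to echo back into the page

# Constructed lure: the full link behind an ad. The ad itself shows only scheme and host.
LURE_URL = "https://www.example.com/search?q=Call+1-800-123-4567+for+support"
BENIGN_URL = "https://www.example.com/search?q=windows+11+update"


def ad_display_host(url: str) -> str:
    """The part of the link an ad surfaces: scheme and host only; the query stays invisible."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/"


def search_term(url: str) -> str:
    """Extract the q= parameter, percent- and plus-decoded, as a site's search page would."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_search_naive(url: str) -> str:
    """'Before': the site echoes whatever was searched for as the page heading.
    The output is HTML-escaped, so this is not script injection; the lure is plain text."""
    return f"<h1>Results for: {html.escape(search_term(url))}</h1>"


def contains_phone_number(text: str) -> bool:
    """True when the text contains something shaped like a phone number."""
    return PHONE_RE.search(text) is not None


def render_search_hardened(url: str) -> str:
    """'After': refuse to echo terms that look like a phone number (or are implausibly long)
    and fall back to a generic heading, so the page never displays an attacker-chosen number."""
    term = search_term(url)
    if not term or len(term) > MAX_ECHO_LEN or contains_phone_number(term):
        return "<h1>Search results</h1>"
    return f"<h1>Results for: {html.escape(term)}</h1>"


# Constructed access-log lines in common log format (not real traffic).
LOG_LINES = [
    '203.0.113.5 - - [18/Jun/2025:10:00:01 +0000] "GET /search?q=windows+11+update HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Jun/2025:10:00:02 +0000] "GET /search?q=Call+1-800-123-4567+for+support HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Jun/2025:10:00:03 +0000] "GET /search?q=%28800%29+123-4567+billing+help HTTP/1.1" 200 5120',
    '198.51.100.8 - - [18/Jun/2025:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

# client ip, ident, user, [timestamp], "GET <target> HTTP..."
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP')


def flag_suspicious_queries(lines):
    """Return (client_ip, parameter, decoded value) for each query parameter that carries a
    phone-number shape; a quick way to see whether a site's reflected search terms are being
    used as lures and which parameters need filtering."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.group(1), m.group(2)
        for name, values in parse_qs(urlsplit(target).query).items():
            for value in values:
                if contains_phone_number(value):
                    hits.append((ip, name, value))
    return hits


if __name__ == "__main__":
    print("ad shows:", ad_display_host(LURE_URL))
    print("naive:   ", render_search_naive(LURE_URL))
    print("hardened:", render_search_hardened(LURE_URL))
    for hit in flag_suspicious_queries(LOG_LINES):
        print("flagged:", hit)
```

The phone-number regex is deliberately loose (it also matches some ordinary digit strings), which is acceptable for the renderer because the fallback is merely a generic heading, and useful for the log sweep because a human reviews the hits. Both the renderer and the sweep operate on the decoded parameter value, so percent-encoded variants such as `%28800%29` are caught the same way.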
