- The scammers are using a legitimate website to publish their malicious phone numbers of ‘Technical Support’
- It is called the injection of search parameters or reflected input vulnerability
- The attackers modify the legitimate URLs with doubtful details
False technical support scammers are injecting fake phone numbers into legitimate websites, with main companies such as Apple, Paypal and Netflix affected by an emerging type of threat that could put customer data at risk, experts warned.
The scam is especially misleading, since it ignores the usual security verifications that intelligent Internet users can make, such as verifying the web address, but injecting malicious phone numbers into official sites.
Online advertising spaces are behind the attack vector, with scammers that buy Google ads to pose as the main brands.
Be careful with these direct technical support lines
Click the ad can lead to the official site, but the scammers use malicious URL parameters to modify the content shown on the site, such as showing fake phone numbers in the support sections. Because the browser shows the legitimate domain, users are less likely to suspect.
Malwarebytes researchers describe the attack as an injection attack of search parameters, or a reflected entry vulnerability.
“Once the number is called, the scammers will consider as the brand with the aim of getting their victim to deliver personal data or card details, or even allow remote access to their computer,” explain the researchers.
Other affected sites include HP, Microsoft, Facebook and Bank of America.
Malwarebytes urges users to be tired of the false technical support lines when verifying if the phone number is integrated into the URL (in which case, it is almost certain that it is malicious), looking for unusual and high pressure terms as’ called now, ‘scanning the URL for characters encoded as’%20’ (space) and ‘%2b show the encoded characters.
Users can also navigate to the official domain of the upper level of the website (for example, www.apple.com) and find their own way of supporting, instead of trusting the ads, companies generally do not buy online ads to sell technical support.
