
New method for fake phone numbers on legitimate websites

from Ars Technica by way of /. :

https://arstechnica.com/security/2025/06/tech-support-scammers-inject-malicious-phone-numbers-into-big-name-websites/

Tech support scammers have devised a method to inject their fake phone numbers into webpages when a target's web browser visits official sites for Apple, PayPal, Netflix, and other companies. The ruse, outlined in a post on Wednesday from security firm Malwarebytes, threatens to trick users into calling the malicious numbers even when they think they're taking measures to prevent falling for such scams. One of the more common pieces of security advice is to carefully scrutinize the address bar of a browser to ensure it's pointing to an organization's official website. The ongoing scam is able to bypass such checks.

The unknown actors behind the scam begin by buying Google ads that appear at the top of search results for Microsoft, Apple, HP, PayPal, Netflix, and other sites. While Google displays only the scheme and host name of the site the ad links to (for instance, https://www.microsoft.com/), the ad appends parameters to the path to the right of that address. When a target clicks on the ad, it opens a page on the official site. The appended parameters then inject fake phone numbers into the page the target sees.

Google requires ads to display the official domain they link to, but the company allows parameters to be added to the right of it that aren't visible. The scammers are taking advantage of this by adding strings to the right of the hostname. The parameters aren't displayed in the Google ad, so a target has no obvious reason to suspect anything is amiss. When clicked on, the ad leads to the correct hostname. The appended parameters, however, inject a fake phone number into the webpage the target sees. The technique works on most browsers and against most websites. Malwarebytes.com was among the sites affected until recently, when the site began filtering out the malicious parameters.

edit: tl;dr If you click on a real website link in an ad, say "Netflix" or "Microsoft", the process of sending you to the real site allows people who bought the ad to add invisible characters that then add a fake phone number when you finally get to the real website. And you "see" the real website link all the time this is going on.

Posted by
17423 posts
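An added example (not code from the article, from Malwarebytes, or from anyone in this thread) of the server-side filtering the post mentions: a Python heuristic that flags and strips query-string values that look like phone numbers, then runs the same check over access-log lines so the attempts can be spotted after the fact. The domain, paths, numbers and log entries are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Heuristic: 10 to 14 digits, each optionally followed by common separators.
# Catches "+1 (800) 555-0199" and "1.800.555.0199"; a long numeric order id
# would also trip it, so treat a hit as a signal to strip/log, not proof of abuse.
PHONE_RE = re.compile(r"(?:\+?\d[\s().-]*){10,14}")

# Request line in a Common Log Format entry: "GET /path?query HTTP/1.1"
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_phone_like_params(url):
    """Return (name, value) pairs whose decoded value contains a phone-like string."""
    parts = urlsplit(url)  # works on a full URL or a bare /path?query
    return [(name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if PHONE_RE.search(value)]


def strip_phone_like_params(url):
    """Return (cleaned_url, dropped_params): the URL with phone-bearing params removed."""
    parts = urlsplit(url)
    kept, dropped = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        (dropped if PHONE_RE.search(value) else kept).append((name, value))
    cleaned = urlunsplit((parts.scheme, parts.netloc, parts.path,
                          urlencode(kept), parts.fragment))
    return cleaned, dropped


def flag_requests(log_lines):
    """Return [(line_no, hits)] for log entries whose query carries a phone-like value."""
    flagged = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQ_RE.search(line)
        if match:
            hits = find_phone_like_params(match.group(1))
            if hits:
                flagged.append((line_no, hits))
    return flagged


# Constructed sample: one ordinary search, one ad landing with an injected number,
# one legitimate numeric id that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Jun/2025:10:01:02 +0000] "GET /support?q=reset+password HTTP/1.1" 200 5120',
    '203.0.113.9 - - [18/Jun/2025:10:01:07 +0000] "GET /support?q=Call+%2B1-800-555-0199+now&ref=ad HTTP/1.1" 200 5120',
    '198.51.100.2 - - [18/Jun/2025:10:01:09 +0000] "GET /order/status?id=20250618 HTTP/1.1" 200 800',
]
```

The strip function is what a site would apply before a reflected parameter reaches a template; the log scan is the matching detection for a SOC to run over existing traffic.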

The moral of the story is don't click on ads if you want to go to a particular website.

Posted by
501 posts

Not sure if it's only in google ad network.

This allows people who bought the ad to change it in a limited fashion. Businesses change phone numbers (and occasionally addresses) all the time. I could see this being a feature to allow the buyer to update info that changes without buying new ads.

So, blah blah, the motivation is there to be in other places as well.

I believe both the CIA and the NSA recommend browsing the web with an ad blocker in place.

edit: I believe this issue is being looked at wherever it is being used. Or will be shortly.

(Unless all of this is just some kind of mistake/hoax)

Posted by
384 posts

Not sure if it's only in google ad network

I use either Startpage or DuckDuckGo, because they claim not to track the users. I also use an add-on to Firefox called uBlock Origin, which blocks a lot of stuff. I have Firefox set to block pop-ups. So I almost never see ads.

Quite a diabolical thing, hacking the adverts... Thanks for posting this info.