Malwarebytes has revealed how cybercriminals are leveraging fake Google search results to impersonate popular brands and trick users into tech support scams. The latest campaign targets users seeking customer support for giants like Apple, PayPal, Microsoft, Facebook, HP, Bank of America, and Netflix, exploiting both search engine ads and weaknesses in website search functionalities.
"Cybercriminals frequently use fake search engine listings to take advantage of our trust in popular brands, and then scam us," Malwarebytes explains in its report.
The attack begins with a sponsored Google ad, where criminals pose as a trusted brand. Unlike conventional phishing sites, these links redirect users to the legitimate website's help or support section, but with a sinister twist. The attackers inject a malicious search query into the URL, causing the legitimate site to display a fake support number embedded in the search results.
"Visitors are taken to the help/support section of the brand's website, but instead of the genuine phone number, the hijackers display their scammy number instead," Malwarebytes reports.
This creates a near-perfect illusion. The site URL appears authentic in the browser address bar, and the layout is indistinguishable from the real site, because it is the real site. Yet the contact information is false, carefully planted through search parameter injection, a technique that exploits the site's failure to sanitize user inputs.
The crux of this attack is what Malwarebytes identifies as a reflected input vulnerability. The site (in this case, Netflix and others) blindly reflects whatever is passed into the search query without validation. This creates a perfect environment for "search hijacking", where attackers control what is displayed in the results section.

"This is able to happen because Netflix's search functionality blindly reflects whatever users put in the search query parameter without proper sanitization or validation," Malwarebytes notes.
As a result, unsuspecting users might see a fraudulent phone number prominently displayed, leading them to call it under the impression they're contacting official support.
The Malwarebytes team observed this tactic used against several high-profile brands like Netflix, PayPal, Apple, Microsoft, Facebook, Bank of America, and HP. In each case, the malicious phone numbers were subtly embedded into legitimate-looking search result pages.
This technique is particularly effective for a few key reasons:
- Users see a legitimate URL in their browser.
- The page design and layout are identical to the real site.
- The fake number is embedded in what looks like an official result or error message.
Combined, these factors drastically reduce user suspicion.
Malwarebytes offers several practical tips to identify and avoid these scams:
- Be wary of phone numbers in the URL or search terms like "Call Now" or "Emergency Support."
- Look for encoded characters (e.g., %20, %2B) near contact info in the URL.
- Don't trust a support number unless you've confirmed it from a verified source, like a prior email or the company's official social media.
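The reflected-input behaviour described above and the three tips, as one added Python example (this is not Malwarebytes' code and not any real brand's site): `inspect_url` applies the tips to a URL before any number shown on the page is trusted, and `render_search_hardened` shows the server-side fix beside the vulnerable echo. The URLs, parameter name `q`, phone number and phrase list are constructed samples, and the phone-number regex is a heuristic.

```python
"""Added example: defensive checks against search-parameter injection of fake
support numbers. Every URL, parameter and phone number here is constructed."""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Heuristic for a phone-like token: a leading optional '+', then digits with
# spaces, dots, dashes or parentheses between them (7+ digits enforced below).
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{5,}\d")
# Urgency wording from the tips, compared case-insensitively (constructed list).
URGENCY_PHRASES = ("call now", "emergency support")
ENCODED_BYTE_RE = re.compile(r"%[0-9A-Fa-f]{2}")

# Constructed sample URLs; 'q' is an assumed search parameter name.
SAMPLE_SCAM_URL = "https://help.example.com/search?q=Call%20Now%20%2B1%20800%20555%200199"
SAMPLE_CLEAN_URL = "https://help.example.com/search?q=reset%20password"


def phone_like(text: str) -> bool:
    """True if text contains a digit run that looks like a phone number."""
    return any(sum(ch.isdigit() for ch in m.group()) >= 7
               for m in PHONE_RE.finditer(text))


def inspect_url(url: str) -> list[str]:
    """Apply the tips to a URL; returns reasons to distrust a number it displays."""
    reasons = []
    parts = urlsplit(url)
    raw_query = parts.query
    # Tip: encoded characters (%20, %2B, ...) in the same query string as a
    # phone-like number suggest the number was pasted into the URL by hand.
    if ENCODED_BYTE_RE.search(raw_query) and phone_like(unquote(raw_query)):
        reasons.append("percent-encoded characters next to a phone-like number in the query string")
    # Tip: phone numbers or urgency wording inside search parameters.
    for name, values in parse_qs(raw_query).items():
        for value in values:
            if phone_like(value):
                reasons.append(f"phone-like number in parameter '{name}'")
            for phrase in URGENCY_PHRASES:
                if phrase in value.lower():
                    reasons.append(f"urgency phrase '{phrase}' in parameter '{name}'")
    # Sites that route searches by path can carry the same payload there.
    if phone_like(unquote(parts.path)):
        reasons.append("phone-like number in the URL path")
    return reasons


def render_search_vulnerable(query: str) -> str:
    """Reflects the raw query into the page, the behaviour the report describes."""
    return f"<p>No results found for {query}</p>"


def render_search_hardened(query: str) -> str:
    """HTML-escaping alone would still display a scam number as text, so a
    phone-like or urgency-laden query is not echoed at all."""
    if phone_like(query) or any(p in query.lower() for p in URGENCY_PHRASES):
        return "<p>No results found.</p>"
    safe = html.escape(query[:80])  # escape markup and bound the echoed length
    return f"<p>No results found for {safe}</p>"


if __name__ == "__main__":
    for url in (SAMPLE_SCAM_URL, SAMPLE_CLEAN_URL):
        print(url, "->", inspect_url(url) or "no warnings")
    scam_query = "Call Now +1 800 555 0199"
    print("vulnerable:", render_search_vulnerable(scam_query))
    print("hardened:  ", render_search_hardened(scam_query))
```

The hardened handler deliberately does more than escape: escaping stops markup injection, but the scam here is plain text, so the fix is to stop echoing queries that carry phone-like digit runs or urgency wording (or not to echo the query at all). The digit heuristic will also flag order numbers and dates, which is acceptable for a warning but should be tuned before it gates anything.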