Threat Actors Poisoning Google Search Results to Display The Scammer’s Phone Number Instead of Real Number

In a concerning development for internet users, cybercriminals have devised a sophisticated new technique to manipulate Google search results, effectively poisoning them to display fraudulent contact information.

Unlike traditional phishing schemes that rely on fake websites, this novel approach leverages legitimate corporate websites while subtly altering displayed phone numbers, creating a nearly undetectable scam vector for unsuspecting users seeking support from major brands.

The scam begins when threat actors purchase sponsored advertisements on Google search results, mimicking official listings from prominent companies.

When users click these sponsored links, they are directed to the actual legitimate website of the company in question – not a fraudulent clone as typically seen in phishing attacks.

This crucial difference makes the scheme particularly insidious, as users have no visual indication that anything is amiss.

What makes this attack vector especially dangerous is the perfect illusion of legitimacy it creates.

Users observe the authentic URL in their browser’s address bar and interact with the genuine website’s interface and content.

However, unbeknownst to them, the search results have been manipulated to display the scammer’s phone number in place of the company’s legitimate contact information.

Malwarebytes researchers identified this emerging threat earlier this week, noting that when victims call these fraudulent numbers, they unwittingly connect with scammers posing as official customer support representatives.

“These tactics are remarkably effective because of the multiple layers of authenticity they present to potential victims,” explained Malwarebytes in their analysis published on June 18, 2025.

The impact of this technique extends beyond immediate financial fraud.

By gaining a victim’s trust through the appearance of legitimacy, scammers can extract sensitive personal information, payment details, or even convince users to grant remote access to their devices – potentially leading to ransomware installation, data theft, or persistent network compromise.

Technical Mechanism of Search Result Poisoning

The technical sophistication behind this attack reveals careful planning by threat actors.

Rather than employing traditional client-side browser manipulation or DNS hijacking, the scammers have identified vulnerabilities in how sponsored search results are rendered and displayed to users.

The attack chain begins with the creation of carefully crafted Google Ads campaigns that appear identical to legitimate brand advertisements.

When users click these sponsored links, they are indeed directed to the authentic website through a series of redirects that preserve the legitimate domain in the address bar.

However, during this redirect process, the scammers implement a subtle but effective parameter manipulation that influences how contact information appears within search result snippets.

This technique exploits the way search engines cache and display structured data, allowing the attackers to selectively override specific elements while maintaining the site’s overall authenticity.
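
A defender-side check for the parameter manipulation described above, added here as an example and not taken from Malwarebytes or the original article: it scans web-proxy log lines for URLs on watched brand domains whose query parameters decode to phone-like text. The watched domains, the log format and the sample lines are constructed, and it is an assumption that the injected number travels in the URL query string, since the article does not name the parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed watch list: brand domains whose support numbers users search for.
WATCHED_DOMAINS = {"example-stream.test", "example-bank.test"}
# Phone-like text: 10 to 15 digits, optional leading +, common separators allowed.
PHONE_RE = re.compile(r"(?<!\d)\+?\d(?:[\s().\-]*\d){9,14}(?!\d)")

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so a doubly encoded number is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_url(url):
    """Return (param, phone_text, via_ad) for each suspicious query parameter."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
        return []
    params = parse_qsl(parts.query, keep_blank_values=True)
    via_ad = any(name.lower() == "gclid" for name, _ in params)  # Google Ads click id
    findings = []
    for name, raw in params:
        value = fully_decode(raw)
        if value.isdigit():  # bare ids and timestamps are not display text
            continue
        match = PHONE_RE.search(value)
        if match:
            findings.append((name, match.group(0), via_ad))
    return findings

def scan_proxy_log(lines):
    """Assumed log format: '<timestamp> <client> <url>' separated by spaces."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) == 3:
            hits += [(fields[1], *f) for f in inspect_url(fields[2])]
    return hits

# Constructed sample log lines (555-01xx numbers are reserved for fiction).
SAMPLE_LOG = [
    "2025-06-18T10:00:01Z 10.0.0.5 https://www.example-stream.test/search?q=Call%20Support%20%2B1%20(800)%20555-0100&gclid=abc",
    "2025-06-18T10:00:07Z 10.0.0.6 https://example-bank.test/help?topic=help%2520call%25201-800-555-0123",
    "2025-06-18T10:00:09Z 10.0.0.7 https://www.example-bank.test/account?session=1718700000000&lang=en",
]
```

Hits where `via_ad` is true arrived through an ad click and deserve the first look; a site owner can apply the same test server-side to reject or escape query values before reflecting them into a page.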

This approach is particularly effective when targeting high-value services like Netflix, banking platforms, and technical support services where users commonly search for customer service numbers and may be prepared to share sensitive information to resolve account issues.

By understanding user behavior patterns and exploiting the implicit trust placed in both Google’s search results and legitimate corporate websites, the scammers have created a remarkably effective social engineering technique that bypasses many traditional security awareness training protocols.
