Facebook, Netflix, Microsoft Hijacked to Insert Fake Phone Number

Summary
1. Scammers inject fake phone numbers into legitimate company websites (Netflix, Microsoft, Bank of America) using malicious URL parameters.
2. Cybercriminals buy Google ads leading to real websites with encoded URLs that exploit search vulnerabilities to display fraudulent contact information.
3. Victims see authentic company URLs and layouts, making fake numbers appear as official search results.
4. Avoid calling numbers found in URLs, and verify contact info through official channels.

A sophisticated scam operation is targeting major American companies, including Netflix, Microsoft, and Bank of America, with attackers manipulating the companies' legitimate websites to display fraudulent phone numbers.

The attack, technically classified as a search parameter injection attack, exploits vulnerabilities in website search functionalities to embed scammer-controlled contact information directly onto official company pages. 

This method proves particularly dangerous because victims see the authentic company URL in their browser address bar while unknowingly viewing malicious content, making the scam nearly impossible to detect without specialized security tools.

Search Parameter Injection Attack

Malwarebytes reports that the scammers orchestrate their attacks through a multi-step process beginning with sponsored search results on Google. 

Cybercriminals purchase advertisements that appear to represent legitimate brands, directing users to what appears to be official support pages. 

However, these links contain malicious URL parameters that exploit reflected input vulnerabilities in the target websites’ search functionality.

When victims click these poisoned links, they land on genuine company websites—Netflix, Microsoft, Bank of America, PayPal, Apple, Facebook, and HP—but with a crucial difference. 

The attackers craft URLs containing encoded characters like %20 (representing spaces) and %2B (representing plus signs) along with their fraudulent phone numbers. 

These parameters manipulate the site’s search results to prominently display the scammer’s contact information instead of legitimate support numbers.

Figure: Netflix Search Results

The Netflix example demonstrates how attackers embed fake phone numbers directly into the search results display, making it appear as if the fraudulent number is an official search result from Netflix’s own system. 

This URL manipulation technique bypasses traditional security measures because the victim remains on the authentic website throughout the entire process.

The success of these attacks relies on websites’ failure to properly sanitize search query parameters. When users input search terms, many corporate websites simply reflect whatever data appears in the URL without adequate validation. 

Figure: Apple Scam

This creates a reflected input vulnerability that scammers exploit to inject their malicious content.

The encoded characters in the URLs serve a dual purpose: they help bypass basic security filters while ensuring the malicious phone numbers display correctly on the target websites.

For instance, the %20 encoding allows spaces in phone numbers to render properly, while %2B ensures plus signs appear correctly in international phone number formats.

Users should watch for red flags, including phone numbers appearing in URLs, suspicious search terms like “Call Now” or “Emergency Support” in the browser address bar, and excessive encoded characters alongside phone numbers.
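As an added example (not code from the article or from the Malwarebytes report), the short Python triage script below checks a URL for the red flags listed above: a phone-number pattern in a search parameter, lure terms such as "Call Now" or "Emergency Support", and a large number of percent-encoded characters next to the number. The sample URLs, the `example.com` hosts and the phone numbers are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample landing URLs; hosts and numbers are placeholders, not real incidents.
SAMPLE_URLS = [
    "https://help.example.com/search?q=Call%20Now%20%2B1%20555%20010%200123%20Support",
    "https://help.example.com/search?q=reset%20password",
    "https://www.example.com/s?query=Emergency%20Support%201-555-010-0199%20Netflix",
]

# A loose phone-number shape: optional plus, then 10+ digits with spaces, dots, dashes or parentheses.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
# Lure wording the article names, plus a few common variants (assumed, not from the article).
LURE_TERMS = ("call now", "emergency support", "support number", "helpline", "toll free")
# Threshold for "excessive" encoding; an assumption chosen for this example.
ENCODED_THRESHOLD = 6


def analyze_url(url):
    """Return a list of red-flag descriptions for a possibly poisoned search URL."""
    parts = urlsplit(url)
    raw_query = parts.query
    flags = []
    # Count percent-escapes before decoding, since %20 / %2B are the tell-tale characters.
    encoded_count = len(re.findall(r"%[0-9A-Fa-f]{2}", raw_query))
    # parse_qsl decodes %20 to a space and %2B to '+', i.e. the text the site will reflect.
    for key, value in parse_qsl(raw_query, keep_blank_values=True):
        if PHONE_RE.search(value):
            flags.append(f"phone number in search parameter '{key}'")
        hits = [term for term in LURE_TERMS if term in value.lower()]
        if hits:
            flags.append(f"lure term(s) {hits} in search parameter '{key}'")
    has_phone = any(flag.startswith("phone number") for flag in flags)
    if has_phone and encoded_count >= ENCODED_THRESHOLD:
        flags.append(f"{encoded_count} percent-encoded characters alongside a phone number")
    return flags


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        result = analyze_url(sample)
        verdict = "SUSPICIOUS" if result else "clean"
        print(f"{verdict}: {sample}")
        for flag in result:
            print(f"    - {flag}")
```

The same function can be run over the request URIs in a web server's access log to spot search endpoints being used as a reflection point.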

Before calling any support number found through search results, users should verify the contact information through official company communications or social media channels to ensure authenticity and avoid falling victim to these sophisticated scams.
