How does search parameter injection work?

Search parameter injection exploits how websites implement search functionality. By crafting URLs that embed fraudulent contact information directly into legitimate search parameters (like https://legitimate-company.com/search?q=Call%20Now%20555123456), scammers cause authentic websites to display fake phone numbers prominently, creating an illusion of legitimacy.

What are the two main attack vectors for this scam?

The scam uses two attack vectors: 1) Sponsored advertisements on Google Search where criminals purchase ad placements impersonating major brands seeking technical support services, appearing at the top of search results. 2) Phishing emails with fake invoices or alerts containing links to legitimate support sites with fake call center numbers embedded as search parameters.

Why is this scam particularly effective?

This scam is particularly effective because victims are led to legitimate company websites where they see fraudulent phone numbers displayed prominently. Since the fake numbers appear on authentic websites, victims are much more likely to trust and call them, believing they're contacting the real company for support.

What information do scammers try to obtain when victims call?

Once victims call the scammer call center, they are asked for personal identification details (names, addresses, Social Security numbers), financial account information (credit cards, banking details), login credentials for online services, authorization for remote computer access through screen-sharing software, and payment authorization for fraudulent services or software purchases.

How can users identify search parameter injection scam links?

Users should check the text in the address bar/link for red flags. Phone numbers appearing in website URLs are suspicious, as legitimate websites typically do not embed contact information directly in URLs. Terms implying urgency such as 'Call Now' or 'Emergency Support' in the address bar or search page are also warning signs.

What role do Google ads play in this scam campaign?

Criminals purchase sponsored advertisements through Google's ad platform, creating advertisements that impersonate major brands seeking technical support services. Since sponsored ads appear at the top of search results for customer support queries, victims are very likely to click on them, leading to legitimate websites displaying fraudulent contact information.

How can users protect themselves from search parameter injection scams?

Users should check URLs for embedded phone numbers, avoid clicking on suspicious search results or ads, install ad blockers like Ublock Origin to remove Google ads, don't trust unexpected emails with support links, and always verify contact information through official company websites by navigating there independently rather than clicking provided links.

Why are financial services customers at higher risk?

Users of financial services companies including Bank of America and PayPal are at very high risk because successful scams targeting their platforms can lead directly to financial losses for victims. Scammers can obtain banking credentials, credit card information, and authorization for fraudulent transactions when impersonating financial institutions.

What should users do if they suspect they've encountered this scam?

If users suspect they've encountered this scam, they should not call any phone numbers displayed through search parameters, navigate directly to the official company website to find legitimate contact information, report suspicious ads or emails to the platforms hosting them, and if they've already provided information to scammers, immediately change passwords, contact their banks, and monitor accounts for unauthorized activity.

What makes this attack particularly sophisticated compared to traditional tech support scams?

This attack is sophisticated because it exploits legitimate website functionality to display fraudulent information, making the scam appear completely authentic. Unlike traditional scams that rely on fake websites or obvious impersonation, this technique uses real company websites to display fake contact information, significantly increasing victim trust and the likelihood of successful social engineering. The combination of legitimate websites, Google ad manipulation, and technical exploitation of search parameters creates a highly credible deception that's difficult for average users to detect.

Scam/Phishing

Scammers use search forms to display fraudulent contact numbers on Apple, HP, Netflix and others

Q: Which companies are being targeted by this search parameter injection scam?

Confirmed targets include at least Apple, HP, and Netflix, but may contain many others. Users of financial services companies including Bank of America and PayPal are at very high risk from these attacks, as successful scams targeting their platforms can lead directly to financial losses for victims.

published: June 24, 2025

Take action: Never call phone numbers that appear embedded in website URLs or search results, as scammers inject fake contact info into legitimate sites to appear trustworthy. Always verify support numbers by visiting the company's official website directly or checking your official account dashboard, never through search results or email links.

Learn More

Cybersecurity researchers have detected a tech support scam campaign that exploits search parameter injection vulnerabilities to show fraudulent phone numbers on the legitimate websites of major technology and financial companies.

This way criminals use legitimate web pages of brands to scam victims into calling a scam call center, to then be persuaded to give personal data, credit card numbers, and install malware on their computers.

The technique, is called search parameter injection, and exploits the mechanism in which many websites implement the search functionality. The search functionality can be run in one of two ways:

By entering the search string in the form, and pressing search
By making a URL link that will contain the search string like https://legitimate-company.com/search?q=Call%20Now%20555123456

In both cases, the searched string is shown in the search box with any results below.

By crafting an URLs that embeds fraudulent contact information directly into legitimate search parameters, scammers cause authentic websites to display fake phone numbers prominently and an illusion of legitimacy that significantly increases the likelihood of successful victim engagement.

The scam campaign can have one of two attack vectors

Sponsored advertisements on Google Search in which criminals purchase advertising placements through Google's ad platform, creating advertisements that impersonate major brands seeking technical support services. Since sponsored ads appear at the top of search results for queries related to customer support, it's very probable that the victims will click on them.
Phishing emails with fake invoices or alerts of abuse, warnings of cancellation etc. The email contains a link to a valid legitimate support site, with the fake call center as a search parameter in the link.

In both cases, victims are led to the legitimate site, but the first thing they see is a number for them to call. And it's very probable that they call it, since it's displayed on the legitimate site.

Confirmed targets include at least Apple, HP and Netflix but may contain many others.

Users of financial services companies including Bank of America and PayPal are at very high risk from these attacks, as successful scams targeting their platforms can lead directly to financial losses for victims.

Once a victim calls the scammer call center, they are asked for:

Personal identification details such as names, addresses, dates of birth, and Social Security numbers
Financial account information including credit card numbers, banking details, and online account credentials
Login credentials for online services, email accounts, and social media platforms
Authorization for remote computer access through screen-sharing software
Payment authorization for fraudulent services or software purchases

In cases involving technology companies like Apple, Microsoft, or Netflix, scammers typically focus on convincing victims to purchase unnecessary software or services, provide remote access to their computers for alleged malware removal, or surrender login credentials for account takeover attempts.

How to stay safe?

Check the text in the address bar/link - Phone numbers appearing in website URLs are a red flag, as legitimate websites typically do not embed contact information directly in URL / Link
Don't fall for the implied urgency - Terms that imply urgency such as "Call Now" or "Emergency Support" in the address bar or on a search page is also not expected
Install AdBlocker - google ads are removed if you install an ad blocker, removing the chance of the user seeing the advertised scam link. Install Ublock Origin, Ublock Lite and Privacy Badger on ALL browsers, and don't use Chrome (chrome blocks adblockers because google earns money from ads)
As usual, don't trust ANY unexpected emails and don't click links od call numbers from unexpected emails.

Scammers use search forms to display fraudulent contact numbers on Apple, HP, Netflix and others

Read More
One more attampt at "you have a delivery" …
WhatsApp users targeted in account takeover attack dubbed …
Active "ex-partner left you money" advance fee scam
Complex phishing campaign impersonating Macedonian Post, stealing personal …
Parcel delivery scam using Android group messages