Netflix, Apple, BofA websites hijacked with fake help-desk numbers Scammers are hijacking the search results of people needing 24/7 support from Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal in an attempt to trick victims into handing over personal or financial info, according to Malwarebytes senior director of research Jérôme Segura. It's a variation of SEO or search …
and they are so busy adding new unwanted features and enshittifications.
Who wudda thunk that some perp would have prepopulated a form field with some scammy data? Obviously not the brilliant tech guys (and gals).
Hire some more people that think like the scammers. But you don't need to - they already make plenty of moolah - tax free.
> Who wudda thunk that some perp would have prepopulated a form field with some scammy data? Obviously not the brilliant tech guys (and gals).
Yeah none of those websites should have let the search box be prepopulated.
Only totally incompetent web developer would ever let that slip.
> You'd have to be a special kind of not-very-computer-savvy to fall for that though
Which is precisely who the scammers are targeting, as TFA describes:
>> crafts a malicious URL that embeds a fake phone number into the real site's legitimate search functionality.
You may look down on the people being scammed as "a special kind of..." but not everybody has your superior set of analytical skills.
This new development is horrible and makes ad blockers even more important.
All year long, I help IT clients, including people who fall for scams. Criminals easily abuse automated ad systems.
Ad blockers in browsers are now the #1 protection against scams. uBlock Origin full version (Manifest v2) is the best but Chrome doesn’t allow it any more, just weaker Manifest v3-based ad blockers, including weaker uBlock Origin Lite, which recently failed to block an airline imposter ad that brutalized a client.
So I’ve been replacing Chrome with Brave, which is Chromium-based and has its own ad blocking in feature and also allows Manifest v2 ad blockers like the full version of uBlock Origin. Firefox also still allows Manifest v2 ad blockers, including the full version of uBlock Origin.
Additionally, I’ve been switching browser search engines from Google to brave or duckduckgo or perplexity.
Just this week I cleaned up a Windows PC and Mac after their owners gave remote access to scammers who tricked clients with sponsored search results ads.
Over a year ago, a new client called me after losing $48k USD to a scammer impersonating his bank. He never got his money back.
For iOS, I recommend Brave browser. For Safari, the free version of AdGuard.
F--cking Google Maps can't even show 24hr restaurants when I explicitly search for that, why should I expect sites TO ACTUALLY WORK?
It shows hotels, gas stations, and convenience stores, which are NOT restaurants, but does not show IHOP, Waffle House, Denny's and Steak'n'Shake restaurants that ARE 24 hour sit-down restaurants. And I'm talking about the "search results" list, not what's shown in the map.
Google Maps has also stopped showing many full addresses in even vaguely the right place.
I've found that it's often completely ignoring minor details like the name of the town or the postcode, and instead picking something entirely different.
Usually something that doesn't even exist, sometimes even on the other side of the world.
It feels like they've started using AI.
"Google Maps has also stopped showing many full addresses in even vaguely the right place."
I'm sure it you sign up for the soon to be released "premium service", you'll get a much better "experience". Using a Google App will also get you better results (with your privacy as the payment).
...whatever users put in the search query parameter without proper sanitization or validation. This creates a reflected input vulnerability that scammers can exploit.
Okay, I'll bite. Especially as the ability to search on Netflix is, apparently the result of
>> they are so busy adding new unwanted features and enshittifications
(to quote elDog's comment and the general feeling expressed by others, above, that these websites are all varying shades of rubbish):
Do you *not* want to be able to search Netflix[1]?
Or not want to ever be able be able to search Netflix by sticking the search term into the URL (to try again later - "have they released that show yet?" - or send to a friend or stick into another web page - "see the list of all the shows on Netflix that deal with cucumbers, just click here")?
Assuming you do like a search function, just what form is this "proper sanitization or validation" supposed to look like? We aren't talking about SQL Injection here, just an English[2] phrase - it may even be grammatically correct! - so just what is there to be sanitised or even validated?
Is it non valid to search for the TV show "Helpline"? Or "90210"? Or any other 'phone number they may name a show after?[3] if we move away from Netflix, putting a search for a phone number into BofA is surely a good thing to ("please search and tell me if this is your bank's helpline").
Yes, plenty of websites have plenty of horrid features - and it is a total bugger when anything can be used for scamming - but once the comments here have stopped complaining that this is an example of the websites "not working"[4] - how about we look at what is actually described as happening - and whether the claims being made by Malwarebytes, that Netflix et al are the root problem, are valid.
BTW an ad blocker - IFF it can scrub away Google paid ads (or if it can stop you using any search that delivers ads mixed in with legit results) - will help, but don't miss the point that the "malicious URL" could be inserted anywhere; using ads, and using them to deliver fake help line numbers, is the scammers going for the low-hanging fruit. That is the best kind of fruit, from the scammers' pov, of course, but if they can get these phoney phone URLs into some other place...
[1] to stick to the example given in TFA for the moment
[2] you may be scammed in other languages
[3] not forgetting that the input is from an avid watcher of teen drama whose addled brain may not recall that it is named only after the area code, so put in the full number given for that character in the one episode - i.e. the user can put anything in there, you can't filter on "that is too real a phone number".
[4] it is a pre-populated search box - if you clicked the button or just typed a RETURN character after the scammer's text, the site will - do a search! And maybe return a useful page, like the actual helpline phone number.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
