Malvertising attackers add fake numbers to real sites

The tactic is simple; the social engineering is not.

If you desperately need tech support, take a deep breath and make sure the number you’re looking for is where it should be.

A recent post from antimalware software provider Malwarebytes revealed that attackers are buying malicious ads that point to legitimate domains and phony tech-support numbers. The adversary’s tactic, which pastes phishy contacts into the real sites’ search bar, is almost too simple.

“The attack itself is technically not very sophisticated. You just have to test for which sites it works, for which ones it doesn’t, and then you buy Google ads for those that do. But the social engineering behind it is very clever,” Malwarebytes Senior Intelligence Reporter Pieter Arntz said.

Arntz, in the June 18 report, revealed how the “search parameter injection” works:

  • A threat actor buys a sponsored Google ad that links to a legitimate host.
  • The sponsored ad redirects to a search result containing a false phone number and a phrase like “emergency support.”
  • The URL is written to automatically populate a search-bar query with the attacker’s phony tech-support line.
  • The scammer on the line poses as the brand and tries to get the victim to send money or provide remote access to a computer.

Good news or ad news? Ad-security company GeoEdge, in its 2024 Ad Quality report, found a 10% year-over-year increase in malicious advertising, or malvertising; tech-support scams rose from 2% of attack vectors in 2023 to 4% in 2024.

The attack revealed by Malwarebytes is “quite devious,” according to Roger A. Grimes, data-driven defense evangelist for security-awareness training provider KnowBe4, given adversaries throw a tech-support number in your field of vision.

“When I’ve been needing help, I’m dying to see a phone number from a vendor,” Grimes told us. “They’re getting you to the real website, and then they’re throwing in your field of vision a tech support number. And I gotta say, it’s ingenious.”

What Google says. In a May 2025 post, Google says it has used large language models to improve its detection of “scammy pages.” The company’s classifiers, according to the report, use machine-learning algorithms to analyze linguistic patterns and thematic connections that might indicate coordinated scam campaigns.

Google’s misrepresentation policy lays out unacceptable business practices and states that violations will result in suspension of accounts and suspension from advertising with Google Ads.

“We have zero tolerance for scam ads. To stay ahead of scammers’ evolving tactics, we use advanced AI to detect abuse early and permanently suspend advertiser accounts for any scams that initially evade our enforcement,” Google spokesperson Nate Funkhouser shared in an emailed statement. When asked what the company is doing to address the specific threat revealed by Malwarebytes, Funkhouser said Google is enacting additional protection to combat the issue, but did not want to share specifics to prevent bad actors from gaming its systems.

Google says it blocked 5.1 billion bad ads in 2024.

Looking for the click fix. Malwarebytes, in its report, showed screenshots of the parameter-injecting tactic working for HP, Netflix, and Apple. IT Brew, testing the method shown in the screenshots on June 26, found that search-query text can still be retained in the URL for those three companies. None of the three companies responded to IT Brew’s request for comment on whether they are concerned about this kind of threat and whether they would add defensive measures to address it.

While Arntz encouraged site owners to learn how their destinations handle search requests (many sites do not re-display search queries in the search bar), he says the responsibility lies with Google and with vetting whether an ad buyer is associated with the company buying the ad.
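For site owners reviewing how their search pages handle requests, the sketch below shows one server-side check that declines to re-display a query carrying a phone number, with or without a support-style phrase. It is an added example, not code from Malwarebytes, Google, or any of the companies named; the regexes, function names, the `q` parameter, and the `example.com` URLs are assumptions, and the phone pattern covers North American formats only.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed heuristics (not from the Malwarebytes report): a North American
# phone number, and phrases typical of a fake support lure.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.\-]*)?\(?\d{3}\)?[\s.\-]*\d{3}[\s.\-]*\d{4}(?!\d)")
LURE_RE = re.compile(
    r"\b(support|help\s*desk|helpline|call\s+now|emergency|customer\s+service)\b",
    re.I)

# Constructed sample URLs; 555-01xx numbers are reserved for fiction.
LURE_URL = ("https://support.example.com/search"
            "?q=Call+Now+%2B1+(800)+555-0100+emergency+support")
BENIGN_URL = "https://support.example.com/search?q=laptop+battery&lang=en"

def classify_query(text):
    """Return 'block', 'review' or 'ok' for one search-bar value."""
    normalized = " ".join(text.split())
    has_phone = bool(PHONE_RE.search(normalized))
    has_lure = bool(LURE_RE.search(normalized))
    if has_phone and has_lure:
        return "block"      # phone number plus support wording
    if has_phone:
        return "review"     # could be a lure, could be a 10-digit part number
    return "ok"

def inspect_url(url):
    """Classify every query-string parameter of a landing URL."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {name: classify_query(value) for name, value in params}

def value_to_redisplay(text):
    """Text the results page may put back in the search box.

    Anything other than 'ok' is not echoed, so the page never shows a
    caller-supplied phone number under the brand's own header.
    """
    return text if classify_query(text) == "ok" else ""

if __name__ == "__main__":
    for url in (LURE_URL, BENIGN_URL):
        print(inspect_url(url), url)
```

The same `classify_query` result can be logged with the request's referrer to see whether flagged queries arrive from ad clicks.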

“I just advise people not to click on sponsored ads anymore,” said Arntz. “That’s the best way to go.”
