Not the Apple page you are looking for
“If I show it [the webpage] to my parents, I don’t think they can say it’s fake. As a user, if you click on these links, you’ll think, ‘Oh, I’m actually on the Apple website, and Apple suggested this number.’”
The unknown actor behind the scam first bought Google ads that appeared at the top of search results for Microsoft, Apple, HP, PayPal, Netflix and other sites. Google displays only the scheme and hostname of the site the ad links to (for example, https://www.microsoft.com), while the ad appends parameters to the path to the right of that address. When the target clicks on the ad, it opens a page on the official website. The additional parameters then inject the fake phone number into the page seen by the target.
A fake phone number is injected into the Microsoft web page.
Credit: Malware
A fake phone number injected into an HP web page.
Credit: Malware
Google requires ads to show the official domains they link to, but the company allows parameters to be added to the right of the domain, where they are not displayed. The scammer takes advantage of this by adding a string to the right of the hostname. An example:
/kb/index?page=search&q=☏☏Call%20Us%20%2B1-805-749-2108%20AppIe%20HeIpIine%2F%2F%2F%2F%2F%2F%2F&product=&doctype=&currentPage=1&includeArchived=false&locale=en_US&type=organic

These parameters are not shown in the Google ad, so there is no obvious reason for the target to suspect anything is wrong. When clicked, the ad leads to a page on the correct hostname. However, the additional parameters inject a fake phone number into the page seen by the target. The technique works in most browsers and against most websites. Malwarebytes.com was among the affected sites until recently, when the site began filtering malicious parameters.
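One way a site or proxy could screen search queries for injected text of this kind. This is an added example, not code from the article or from Malwarebytes: the heuristics, function names and the support.example.com host are assumptions, while the path and query are the example quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristics (assumed, not exhaustive) for text that has no business in a site-search query.
CHECKS = {
    "phone_number": re.compile(r"(?:\+?\d[\s().-]*){10,15}"),
    "call_to_action": re.compile(r"\b(?:call|helpline|hotline|toll[- ]?free)\b", re.I),
    "telephone_glyph": re.compile("[\u260e\u260f\u2706\U0001F4DE]"),
    # Capital "I" between lowercase letters, as in "AppIe" or "HeIpIine".
    "lookalike_letters": re.compile(r"[a-z]I[a-z]"),
    "slash_padding": re.compile(r"/{3,}"),
}

def inspect_url(url):
    """Return {parameter: [matched check names]} for every flagged parameter."""
    findings = {}
    query = urlsplit(url).query
    # parse_qsl percent-decodes each value, so checks see the text the page would render.
    for name, value in parse_qsl(query, keep_blank_values=True):
        hits = [check for check, rx in CHECKS.items() if rx.search(value)]
        if hits:
            findings[name] = hits
    return findings

def is_injected_number(url):
    """A phone number plus any second signal is treated as an injection attempt."""
    return any("phone_number" in hits and len(hits) > 1
               for hits in inspect_url(url).values())

# Host is a placeholder; path and query are the example quoted in the article
# (\u260f is the telephone glyph that opens the q value).
AD_URL = ("https://support.example.com/kb/index?page=search"
          "&q=\u260f\u260fCall%20Us%20%2B1-805-749-2108%20AppIe%20HeIpIine"
          "%2F%2F%2F%2F%2F%2F%2F&product=&doctype=&currentPage=1"
          "&includeArchived=false&locale=en_US&type=organic")
# Constructed benign searches for comparison.
BENIGN_URL = "https://support.example.com/kb/index?page=search&q=iphone+15+battery+replacement"
ORDER_URL = "https://support.example.com/kb/index?page=search&q=order+1234567890"

if __name__ == "__main__":
    for url in (AD_URL, BENIGN_URL, ORDER_URL):
        print(is_injected_number(url), inspect_url(url))
```

A long digit run on its own, such as an order number, is reported by `inspect_url` but not rejected; a site that applies this would refuse to echo flagged queries or render them as inert, escaped text.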
Forged numbers are injected into Apple pages.
Credit: Malware
“If there is a security vulnerability here, it is that when the URL is run, it executes a query against the Apple website, and the Apple website will not be sure that it is not a legitimate query,” Segura explained. “This is a pre-query asked by the scammer, but [the website] can’t figure it out. So they’re just spitting out any inquiry.”
Segura said that, so far, he has seen fraudsters abuse Google ads. It is not clear whether ads on other sites can be abused in a similar way.
While many targets will be able to recognize that the injected text is false, the trick may not be that obvious to people with visual impairment or cognitive decline, or to those who are simply tired or rushed. When someone calls the injected phone number, they are connected to the fraudster, who poses as a representative of the company. The scammer can then trick the caller into handing over personal or payment card details, or into allowing remote access to their computer. Scammers claiming to be with Bank of America or PayPal try to gain access to the target’s financial account and drain its funds.
Malwarebytes’ browser security products now inform users of such scams. A more comprehensive preventive step is to never click on a link in Google ads, but instead click on a link in organic results where possible.