Facebook, Netflix, and Microsoft Websites Hijacked to Insert Fake Phone Numbers - tech
(hx) 08:29 AM CEST - Jun,25 2025
A sophisticated scam operation is targeting major American companies, including Netflix, Microsoft, and Bank of America: attackers manipulate legitimate websites so that they display fraudulent phone numbers.
The attack, technically classified as a search parameter injection attack, exploits vulnerabilities in website search functionalities to embed scammer-controlled contact information directly onto official company pages. This method proves particularly dangerous because victims see the authentic company URL in their browser address bar while unknowingly viewing malicious content, making the scam nearly impossible to detect without specialized security tools.
Here's how it works: Cybercriminals pay for a sponsored ad on Google pretending to be a major brand. Often, this ad leads people to a fake website. However, in the cases we recently found, the visitor is taken to the legitimate site with a small difference.
Visitors are taken to the help/support section of the brand's website, but instead of the genuine phone number, the hijackers display their scammy number.
The browser address bar will show that of the legitimate site and so there's no reason for suspicion. However, the information the visitor sees will be misleading, because the search results have been poisoned to display the scammer's number prominently in what looks like an official search result.
Once the number is called, the scammers will pose as the brand with the aim of getting their victim to hand over personal data or card details, or even allow remote access to their computer. In the case of Bank of America or PayPal, the scammers want access to their victim's financial account so they can empty it of money.
A technically more correct name for this type of attack would be a search parameter injection attack, because the scammer has crafted a malicious URL that embeds their own fake phone number into the genuine site's legitimate search functionality.
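The mechanism described above, reduced to its essentials, is a search page that reflects whatever the visitor put in the query parameter back into the page body. The following Python is an added illustration written for this post, not code from any of the affected sites or from the researchers: a reflecting search handler in its vulnerable form beside a hardened version, plus a small detector that scans constructed web-server log lines for search queries carrying a phone number. The route name `/support/search`, the parameter name `q`, the log format and the number `1-800-555-0199` are all assumptions chosen for the example.

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# North American style phone numbers such as "1-800-555-0199" or "(800) 555 0199".
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def vulnerable_render(query: str) -> str:
    """Vulnerable form: the raw search string is reflected into the page, so text a
    crafted URL places in the query parameter (e.g. 'Call support 1-800-555-0199')
    is shown on the genuine domain as if it were the site's own content."""
    return f"<h2>Results for: {query}</h2><p>No results found for {query}.</p>"


def hardened_render(query: str, max_len: int = 64) -> str:
    """Hardened form: HTML-escape the reflected string, cap its length, and refuse to
    echo anything that looks like a phone number, since a search on a support page
    has no legitimate reason to contain one. Escaping alone is not enough here: the
    poisoned text is plain digits, not markup, so it survives escaping untouched."""
    if PHONE_RE.search(query):
        return "<h2>Results for your search</h2><p>No results found.</p>"
    safe = html.escape(query[:max_len])
    return f"<h2>Results for: {safe}</h2><p>No results found for {safe}.</p>"


def flag_poisoned_requests(log_lines, param: str = "q"):
    """Detection: scan access-log lines of the constructed form
    '<client> <method> <path>' and return the request paths whose search
    parameter contains a phone-number-like string."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        path = parts[2]
        params = parse_qs(urlparse(path).query)
        for value in params.get(param, []):
            if PHONE_RE.search(value):
                hits.append(path)
                break
    return hits


# Constructed sample log lines (assumed format, fictional addresses and number).
SAMPLE_LOG = [
    "203.0.113.7 GET /support/search?q=reset+password",
    "203.0.113.9 GET /support/search?q=Call+support+now+1-800-555-0199+for+help",
    "198.51.100.4 GET /support/search?q=refund+status",
]

if __name__ == "__main__":
    for path in flag_poisoned_requests(SAMPLE_LOG):
        print("suspicious search query:", path)
```

The detector is deliberately simple and will produce some false positives (order numbers, ticket IDs), so in practice it belongs in a triage query rather than a blocking rule; the hardened renderer is where the actual mitigation lives, because it stops the visitor from ever seeing the injected number on the brand's own domain.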