Netflix, Apple, BofA websites hijacked with fake help-desk numbers

#### [Cyber-crime](/security/cyber_crime/)**6** Netflix, Apple, BofA websites hijacked with fake help-desk numbers==================================================================**6** Don’t trust mystery digits popping up in your search bar——————————————————–[Jessica Lyons](/Author/Jessica-Lyons ‘Read more by this author’) Fri 20 Jun 2025 // 21:10 UTC [](https://www.reddit.com/submit?url=https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=Netflix%2c%20Apple%2c%20BofA%20websites%20hijacked%20with%20fake%20help-desk%20numbers) [](https://twitter.com/intent/tweet?text=Netflix%2c%20Apple%2c%20BofA%20websites%20hijacked%20with%20fake%20help-desk%20numbers&url=https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=Netflix%2c%20Apple%2c%20BofA%20websites%20hijacked%20with%20fake%20help-desk%20numbers&summary=Don%e2%80%99t%20trust%20mystery%20digits%20popping%20up%20in%20your%20search%20bar) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) Scammers are hijacking the search results of people needing 24/7 support from Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal in an attempt to trick victims into handing over personal or financial info, according to Malwarebytes senior director of research Jérôme Segura.It’s a variation of SEO or search poisoning, in which the attackers manipulate the search engine algorithms to promote what is usually a malicious website masquerading as the real deal. In this new scam, the fraudster pays for a sponsored ad on Google and crafts a malicious URL that embeds a fake phone number into the real site’s legitimate search functionality.Because the ad resolves to the authentic Netflix domain, reputation-based browser filters, such as Chrome’s Safe Browsing, won’t flag it as malicious. ![](https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/cybercrime&sz=300×50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aFaCy3Wu24qn3VKlCJRTawAAAdc&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0)When someone searches ’24/7 Netflix support,’ for example, the digital thieves’ ad pops up as one of the top results, and when the unwitting victim clicks on the URL, it takes them to the help page of the brand’s website. ![](https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/cybercrime&sz=300×50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aFaCy3Wu24qn3VKlCJRTawAAAdc&t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0) ![](https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/cybercrime&sz=300×50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aFaCy3Wu24qn3VKlCJRTawAAAdc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0)The page looks real — because it is — but displays a phone number pre-populated in the search bar on that page. This purports to be the legitimate help-desk phone number, but in reality it’s a fake, controlled by the attackers.As the anti-malware security firm [explains](https://www.malwarebytes.com/blog/news/2025/06/scammers-hijack-websites-of-bank-of-america-netflix-microsoft-and-more-to-insert-fake-phone-number): This is able to happen because Netflix’s search functionality blindly reflects whatever users put in the search query parameter without proper sanitization or validation. This creates a reflected input vulnerability that scammers can exploit.The scam succeeds if victims don’t question why the search bar has a phone number pre-populated, and simply dial it up and start talking to the criminal on the other end of the line. Then, the scammer on the other end of the line attempts to convince them to hand over personal or financial account data, or to allow remote access to their computer. Next, they drain the victims’ online accounts and/or snoop around on their hijacked machine for additional info worth stealing — passwords, bank account numbers, sensitive files — before moving on to the next victim.* [Probe reveals previously secret Israeli spyware that infects targets via ads](https://www.theregister.com/2023/09/16/insanet_spyware/)* [DeepSeek installer or just malware in disguise? Click around and find out](https://www.theregister.com/2025/06/11/deepseek_installer_or_infostealing_malware/)* [Minecraft cheaters never win … but they may get malware](https://www.theregister.com/2025/06/18/minecraft_mod_malware/)* [Looks like Aflac is the latest insurance giant snagged in Scattered Spider’s web](https://www.theregister.com/2025/06/20/aflac_scattered_spider/)Malwarebytes did not immediately answer a question about how many people it thinks actually fell for these scams. Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal did not immediately respond to *The Register*’s requests for comment. We will update this story if we receive responses.Being a security firm, Malwarebytes naturally wants people to buy their product to protect against this type of scam, which it does by displaying a warning that a search hijacking has been detected and a message: ‘We’ve detected unauthorized changes to your search results, a scammer may be trying to trick you by overlaying their phone number on a trusted website’. ![](https://pubads.g.doubleclick.net/gampad/ad?co=1&iu=/6978/reg_security/cybercrime&sz=300×50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aFaCy3Wu24qn3VKlCJRTawAAAdc&t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0)The vendor does, however, provide some valuable tips on how to avoid falling victim, and suggests keeping an eye out for details such as a phone number in the URL, and suspicious search terms like ‘call now’ or ’emergency support’ in the address bar of the browser.Plus, a long list of encoded characters like the %20 (space) and %2B (+ sign) in addition to phone numbers is a big red flag. Most important, keep in mind that legitimate help desks are not going to ask for your username and password, or your bank account number, so don’t hand those over because someone on the other end of the line wants that information. ® [Sponsored: 6 questions every Board should ask its CISO](https://go.theregister.com/tl/3156/shttps://go.theregister.com/k/6_questions_CISO) Share [](https://www.reddit.com/submit?url=https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=Netflix%2c%20Apple%2c%20BofA%20websites%20hijacked%20with%20fake%20help-desk%20numbers) [](https://twitter.com/intent/tweet?text=Netflix%2c%20Apple%2c%20BofA%20websites%20hijacked%20with%20fake%20help-desk%20numbers&url=https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=Netflix%2c%20Apple%2c%20BofA%20websites%20hijacked%20with%20fake%20help-desk%20numbers&summary=Don%e2%80%99t%20trust%20mystery%20digits%20popping%20up%20in%20your%20search%20bar) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) #### More about* [Cybercrime](/Tag/Cybercrime/)* [Fraud](/Tag/Fraud/)* [Malwarebytes](/Tag/Malwarebytes/) More like these × ### More about* [Cybercrime](/Tag/Cybercrime/)* [Fraud](/Tag/Fraud/)* [Malwarebytes](/Tag/Malwarebytes/)* [Security](/Tag/Security/) ### Narrower topics* [2FA](/Tag/2FA/)* [Advanced persistent threat](/Tag/Advanced%20persistent%20threat/)* [Application Delivery Controller](/Tag/Application%20Delivery%20Controller/)* [Authentication](/Tag/Authentication/)* [BEC](/Tag/BEC/)* [Black Hat](/Tag/Black%20Hat/)* [BSides](/Tag/BSides/)* [Bug Bounty](/Tag/Bug%20Bounty/)* [CHERI](/Tag/CHERI/)* [CISO](/Tag/CISO/)* [Common Vulnerability Scoring System](/Tag/Common%20Vulnerability%20Scoring%20System/)* [Cybersecurity](/Tag/Cybersecurity/)* [Cybersecurity and Infrastructure Security Agency](/Tag/Cybersecurity%20and%20Infrastructure%20Security%20Agency/)* [Cybersecurity Information Sharing Act](/Tag/Cybersecurity%20Information%20Sharing%20Act/)* [Data Breach](/Tag/Data%20Breach/)* [Data Protection](/Tag/Data%20Protection/)* [Data Theft](/Tag/Data%20Theft/)* [DDoS](/Tag/DDoS/)* [DEF CON](/Tag/DEF%20CON/)* [Digital certificate](/Tag/Digital%20certificate/)* [Encryption](/Tag/Encryption/)* [Exploit](/Tag/Exploit/)* [Firewall](/Tag/Firewall/)* [Hacker](/Tag/Hacker/)* [Hacking](/Tag/Hacking/)* [Hacktivism](/Tag/Hacktivism/)* [Identity Theft](/Tag/Identity%20Theft/)* [Incident response](/Tag/Incident%20response/)* [Infosec](/Tag/Infosec/)* [Infrastructure Security](/Tag/Infrastructure%20Security/)* [Kenna Security](/Tag/Kenna%20Security/)* [NCSAM](/Tag/NCSAM/)* [NCSC](/Tag/NCSC/)* [Palo Alto Networks](/Tag/Palo%20Alto%20Networks/)* [Password](/Tag/Password/)* [Personally Identifiable Information](/Tag/Personally%20Identifiable%20Information/)* [Phishing](/Tag/Phishing/)* [Quantum key distribution](/Tag/Quantum%20key%20distribution/)* [Ransomware](/Tag/Ransomware/)* [Remote Access Trojan](/Tag/Remote%20Access%20Trojan/)* [REvil](/Tag/REvil/)* [RSA Conference](/Tag/RSA%20Conference/)* [Spamming](/Tag/Spamming/)* [Spyware](/Tag/Spyware/)* [Surveillance](/Tag/Surveillance/)* [TLS](/Tag/TLS/)* [Trojan](/Tag/Trojan/)* [Trusted Platform Module](/Tag/Trusted%20Platform%20Module/)* [Vulnerability](/Tag/Vulnerability/)* [Wannacry](/Tag/Wannacry/)* [Zero trust](/Tag/Zero%20trust/) #### More aboutShare [](https://www.reddit.com/submit?url=https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dreddit&title=Netflix%2c%20Apple%2c%20BofA%20websites%20hijacked%20with%20fake%20help-desk%20numbers) [](https://twitter.com/intent/tweet?text=Netflix%2c%20Apple%2c%20BofA%20websites%20hijacked%20with%20fake%20help-desk%20numbers&url=https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dtwitter&via=theregister) [](https://www.facebook.com/dialog/feed?app_id=1404095453459035&display=popup&link=https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dfacebook) [](https://www.linkedin.com/shareArticle?mini=true&url=https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dlinkedin&title=Netflix%2c%20Apple%2c%20BofA%20websites%20hijacked%20with%20fake%20help-desk%20numbers&summary=Don%e2%80%99t%20trust%20mystery%20digits%20popping%20up%20in%20your%20search%20bar) [](https://api.whatsapp.com/send?text=https://www.theregister.com/2025/06/20/netflix_apple_bofa_websites_hijacked/%3futm_medium%3dshare%26utm_content%3darticle%26utm_source%3dwhatsapp) **6** COMMENTS #### More about* [Cybercrime](/Tag/Cybercrime/)* [Fraud](/Tag/Fraud/)* [Malwarebytes](/Tag/Malwarebytes/) More like these × ### More about* [Cybercrime](/Tag/Cybercrime/)* [Fraud](/Tag/Fraud/)* [Malwarebytes](/Tag/Malwarebytes/)* [Security](/Tag/Security/) ### Narrower topics* [2FA](/Tag/2FA/)* [Advanced persistent threat](/Tag/Advanced%20persistent%20threat/)* [Application Delivery Controller](/Tag/Application%20Delivery%20Controller/)* [Authentication](/Tag/Authentication/)* [BEC](/Tag/BEC/)* [Black Hat](/Tag/Black%20Hat/)* [BSides](/Tag/BSides/)* [Bug Bounty](/Tag/Bug%20Bounty/)* [CHERI](/Tag/CHERI/)* [CISO](/Tag/CISO/)* [Common Vulnerability Scoring System](/Tag/Common%20Vulnerability%20Scoring%20System/)* [Cybersecurity](/Tag/Cybersecurity/)* [Cybersecurity and Infrastructure Security Agency](/Tag/Cybersecurity%20and%20Infrastructure%20Security%20Agency/)* [Cybersecurity Information Sharing Act](/Tag/Cybersecurity%20Information%20Sharing%20Act/)* [Data Breach](/Tag/Data%20Breach/)* [Data Protection](/Tag/Data%20Protection/)* [Data Theft](/Tag/Data%20Theft/)* [DDoS](/Tag/DDoS/)* [DEF CON](/Tag/DEF%20CON/)* [Digital certificate](/Tag/Digital%20certificate/)* [Encryption](/Tag/Encryption/)* [Exploit](/Tag/Exploit/)* [Firewall](/Tag/Firewall/)* [Hacker](/Tag/Hacker/)* [Hacking](/Tag/Hacking/)* [Hacktivism](/Tag/Hacktivism/)* [Identity Theft](/Tag/Identity%20Theft/)* [Incident response](/Tag/Incident%20response/)* [Infosec](/Tag/Infosec/)* [Infrastructure Security](/Tag/Infrastructure%20Security/)* [Kenna Security](/Tag/Kenna%20Security/)* [NCSAM](/Tag/NCSAM/)* [NCSC](/Tag/NCSC/)* [Palo Alto Networks](/Tag/Palo%20Alto%20Networks/)* [Password](/Tag/Password/)* [Personally Identifiable Information](/Tag/Personally%20Identifiable%20Information/)* [Phishing](/Tag/Phishing/)* [Quantum key distribution](/Tag/Quantum%20key%20distribution/)* [Ransomware](/Tag/Ransomware/)* [Remote Access Trojan](/Tag/Remote%20Access%20Trojan/)* [REvil](/Tag/REvil/)* [RSA Conference](/Tag/RSA%20Conference/)* [Spamming](/Tag/Spamming/)* [Spyware](/Tag/Spyware/)* [Surveillance](/Tag/Surveillance/)* [TLS](/Tag/TLS/)* [Trojan](/Tag/Trojan/)* [Trusted Platform Module](/Tag/Trusted%20Platform%20Module/)* [Vulnerability](/Tag/Vulnerability/)* [Wannacry](/Tag/Wannacry/)* [Zero trust](/Tag/Zero%20trust/) #### TIP US OFF[Send us news](https://www.theregister.com/Profile/contact/)[#### Trump guts digital ID rules, claims they help ‘illegal aliens’ commit fraudAlso axes secure software mandates – optional is the new secure, apparentlySecurity11 days -| 66](/2025/06/10/trump_cybersecurity_eo_digital_ids/?td=keepreading) [#### Enterprises are getting stuck in AI pilot hell, say Chatterbox Labs execsInterview Security, not model performance, is what’s stalling adoptionAI + ML13 days -| 30](/2025/06/08/chatterbox_labs_ai_adoption/?td=keepreading) [#### CISO who helped unmask Badbox warns: Version 3 is comingThe botnet’s still alive and evolvingCyber-crime10 days -|](/2025/06/11/badbox_round_three/?td=keepreading) [#### AI and virtualization are two major headaches for CIOs. Can storage help solve them both?It’s about evolution not revolution, says LenovoSponsored feature](/2025/05/22/lenovo_ai_virtualization_headaches/?td=keepreading) [#### Looks like Aflac is the latest insurance giant snagged in Scattered Spider’s webIf it looks like a duck and walks like a duck…Cyber-crime16 hrs -| 1](/2025/06/20/aflac_scattered_spider/?td=keepreading) [#### Chinese spy crew appears to be preparing for conflict by backdooring 75+ critical orgsSentinelOne discovered the campaign when they tried to hit the security vendor’s own serversResearch12 days -| 17](/2025/06/09/china_malware_flip_switch_sentinelone/?td=keepreading) [#### AWS locks down cloud security, hits 100% MFA enforcement for root usersPlus adds a ton more security capabilities for cloud customers at re:InforceSecurity4 days -| 1](/2025/06/17/aws_enforces_mfa_root_users/?td=keepreading) [#### DeepSeek installer or just malware in disguise? Click around and find out’BrowserVenom’ is pure poisonCyber-crime9 days -| 5](/2025/06/11/deepseek_installer_or_infostealing_malware/?td=keepreading) [#### Teens used encrypted chats to recruit for ‘violence as a service’ murder ring, Europol saysSkull emoji knife emoji moneybag emojiOffbeat52 mins -| 1](/2025/06/21/teen_arrested_murder_for_hire/?td=keepreading) [#### Sneaky Serpentine#Cloud slithers through Cloudflare tunnels to inject orgs with Python-based malwarePhishing, Python and RATs, oh myCyber-crime2 days -| 2](/2025/06/19/sneaky_serpentinecloud_slithers_through_cloudflare/?td=keepreading) [#### Scattered Spider has moved from retail to insuranceGoogle threat analysts warn the team behind the Marks -& Spencer break-in has moved onCyber-crime5 days -|](/2025/06/16/scattered_spider_targets_insurance_firms/?td=keepreading) [#### Ransomware scum disrupted utility services with SimpleHelp attacksGood news: The vendor patched the flaw in January. Bad news: Not everyone got the memoCyber-crime8 days -| 1](/2025/06/12/cisa_simplehelp_flaw_exploit_warning/?td=keepreading)

Related Tags:
NAICS: 541 – Professional

Scientific

Technical Services

NAICS: 52 – Finance And Insurance

NAICS: 518 – Computing Infrastructure Providers

Data Processing

Web Hosting

Related Services

NAICS: 516 – Broadcasting And Content Providers

NAICS: 522 – Credit Intermediation And Related Activities

NAICS: 51 – Information

Sodinokibi

REvil

Sodin

Associated Indicators:

Threat Intel Solutions

Netflix, Apple, BofA websites hijacked with fake help-desk numbers

Search

Popular Posts

Dangerous runC flaws could allow hackers to escape Docker containers

Lost iPhone? Don’t fall for phishing texts saying it was found

NAKIVO Introduces v11.1 with Upgraded Disaster Recovery and MSP Features

Categories

Pages

Archives

Tags

Follow Us