Browser-based scam that originates in Google ads
I’m obsessive about developer tooling, APIs, and libraries, especially where ecosystems get messy and opinions collide. Past experiences give me a deep appreciation for practical solutions over perfect ones. I’m rarely short on curiosity or energy for the next challenge and thrive in kitchen-sink roles where systems, tools, and people intersect.
I’m currently a Principal Program Manager at Microsoft, working on SQL developer tools and database DevOps experiences. Throughout my career I’ve led IT for a small business, taught college courses, and worked as both a developer and researcher. I completed a MS in chemistry (2011, University of Minnesota) and a MS in computer science (2022, Georgia Tech).
Google “search results” ads purchased by malicious actors point to the legitimate websites of big name companies, but with use of those websites’ content handling techniques (query strings) to add additional content to the page. You land on the real website, but the search bar is filled with “CALL NOW FOR HELP 1-800-123-4567”
The summary is a bit sensationalized, since “hijack” makes it sound like the malicious actors have complete control of the car. This is more akin to if they’ve just slapped a bumper sticker on it with their information before walking away. Dangerous and bad, still yes.
Technically, the buck stops at the website of the company to protect itself from being used in harmful ways against its users. Savvy users will likely pick up on these being scams, but even smart people have urgent moments where they’re drawn in by the very scam techniques they’ve learned to notice. Do you lock your search results pages down to internal referrers? Do you block google.com search results from your search results pages?
Query strings are really convenient ways to pass small amounts of information between pages. The question mark + q + equals sign is synonymous with looking for something on a website. Will this campaign through Google ads serve as a driver to move web technology off of query strings? I’ll be honest, adding cookies in GET requests or switching to multi-request sequences are both non-optimal solutions. I’m glad someone smarter than me can sort it out.
Speaking of Google ads… they’re complicit here too. Can Google avoid serving these ads? Sure, with a similar amount of technical difficulty as the websites detecting fraudulent use but they’re not using industry standard tech. Google is cultivating the breeding ground for implicit trust in their quest for monetization of the search results. The betrayal in the search results is that the ads continue to become disguised as organic search results. How far down the page do I need to scroll before I can start trusting the links and page summaries?
Malware bytes takes the time to mention their browser extension that can detect scams on websites, but frankly - they could offer detection services (for a cost) to Google before they further erode trust in the ads in their search results.
More on this from Ars: https://arstechnica.com/security/2025/06/tech-support-scammers-inject-malicious-phone-numbers-into-big-name-websites/
