Massive eBay Malvertising Attack Fuels Widespread Scams

Researchers have identified a major malvertising scheme targeting eBay users in the US. Tech support scammers are running deceptive Google ads designed to mimic real eBay customer service links. Clicking on these ads takes users to fake websites that encourage them to call for support, potentially exposing them to scams.

Indicators of Compromise

upbay.online
e-bay24x7-customers-services-assist.onrender.com
e-bay24x7pluscaresupport.bitbucket.io
e-bay24x7customer.casterins.online
e-bays-24x7support-number.vercel.app

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1113 - Screen Capture

| ID | Data Source | Data Component | Detects |
|----|-------------|----------------|---------|
| DS0017 | Command | Command Execution | Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation. |
| DS0009 | Process | OS API Execution | Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as CopyFromScreen, xwd, or screencapture.[1][2] The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment. |


T1176 - Browser Extensions

| ID | Data Source | Data Component | Detects |
|----|-------------|----------------|---------|
| DS0017 | Command | Command Execution | Monitor executed commands and arguments for usage of the profiles tool, such as profiles install -type=configuration. |
| DS0022 | File | File Creation | Monitor for newly constructed files. All installed extensions maintain a plist file in the /Library/Managed Preferences/username/ directory; ensure all listed files are in alignment with approved extensions. |
| DS0029 | Network Traffic | Network Connection Creation | Monitor for newly constructed network connections that are sent or received by untrusted hosts. |
| DS0009 | Process | Process Creation | Monitor for newly executed processes that could be used to abuse internet browser extensions to establish persistence. |
| DS0024 | Windows Registry | Windows Registry Key Creation | Monitor for any new items written to the Registry or PE files written to disk that may correlate with browser extension installation. |

Observed Countries (3)

AU (630)
CA (765)
GB (970)