Key points
- Fraudulent Google ads impersonating eBay target U.S. customers searching for eBay support.
- Some ads misuse eBay branding and a developer subdomain (developer.ebay.com) to appear legitimate.
- Clicking the ads redirects victims to fake pages hosted on various cloud providers that display bogus phone numbers.
- Victims who call the displayed numbers risk being scammed via remote access, gift card requests, or account takeover.
- Malwarebytes reported the malicious ads to Google and is monitoring for similar campaigns against other brands.
- Users should verify contact info on ebay.com and consider ad-blocking/phishing-blocking tools like Malwarebytes Browser Guard.
MITRE Techniques
- [T1566] Phishing – Scammers use deceptive ads to lure victims into providing personal information.
- [T1003] Credential Dumping – Scammers may attempt to gain access to user accounts by tricking victims into revealing their credentials.
- [T1190] Exploitation of Public-Facing Applications – Fraudulent ads exploit eBay’s brand to mislead users into visiting malicious sites.
- [T1203] Social Engineering – Scammers manipulate victims into calling fake support numbers through misleading advertisements.
Indicators of Compromise
- [Domains] Fake support pages and redirects – e-bays-24x7support-number[.]vercel[.]app, developer[.]ebay[.]com, and 4 more domains.
- [Phone numbers] Fraudulent customer service numbers shown on fake pages – 1[-]866[-]409[-]9281, 1[-]833[-]714[-]3970, and 1 more number.
Tech support scammers are exploiting Google Search ads to impersonate eBay and trick U.S. customers into calling fake support lines. They craft sponsored ads that appear to belong to eBay—sometimes even using a developer subdomain like developer.ebay.com—to pass basic validation checks, then redirect clicks to pages that prominently display bogus phone numbers.
These landing pages are hosted across various cloud platforms and are designed to look like search results or official support pages. The goal is to prompt calls to overseas call centers where fraudsters use social engineering to obtain remote access, request gift cards, or steal account and banking information.
To stay safe, always verify contact details directly on ebay.com or through official communications rather than relying on ads or unsolicited messages. Consider using ad- and phishing-blocking tools such as Malwarebytes Browser Guard, and report suspicious ads to the platform (Google) so they can be removed.
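A triage check for the landing pages described above, added here as an example and not taken from Malwarebytes or eBay: it refangs the domain and the two phone numbers this page lists in full, then flags eBay look-alike hosts and toll-free numbers shown on non-eBay pages. The function names, the sample pages, and the rule that only `ebay.com` and its subdomains are official are assumptions.

```python
import re

# IoCs as published on this page (defanged). developer[.]ebay[.]com is left out
# on purpose: it is a real eBay host misused as the ad's display URL, so check
# the final landing host after redirects, not the URL shown in the ad.
DEFANGED_DOMAINS = ["e-bays-24x7support-number[.]vercel[.]app"]
DEFANGED_PHONES = ["1[-]866[-]409[-]9281", "1[-]833[-]714[-]3970"]

def refang(value):  # undo '[.]' / '[-]' defanging so values can be compared
    return re.sub(r"\[([.-])\]", r"\1", value).lower()

def last10(value):  # normalise a US phone number to its last 10 digits
    return re.sub(r"\D", "", value)[-10:]

IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_PHONES = {last10(refang(p)) for p in DEFANGED_PHONES}
BRAND_RE = re.compile(r"(?<![a-z])e-?bay")  # heuristic: 'ebay' or 'e-bay'
TOLL_FREE_RE = re.compile(r"\b1?[-. (]*8(?:00|33|44|55|66|77|88)[-. )]*\d{3}[-. ]*\d{4}\b")

def is_official(host):
    # Assumption: only ebay.com and its subdomains count as official here.
    return host == "ebay.com" or host.endswith(".ebay.com")

def triage(host, page_text=""):
    """Return the reasons a landing page looks like this campaign."""
    host = host.lower().rstrip(".")
    text = page_text.lower()
    findings = []
    if host in IOC_DOMAINS:
        findings.append("ioc-domain")
    lookalike = not is_official(host) and bool(BRAND_RE.search(host))
    if lookalike:
        findings.append("brand-lookalike-host")
    for match in TOLL_FREE_RE.finditer(text):
        if last10(match.group()) in IOC_PHONES:
            findings.append("ioc-phone")
        elif not is_official(host) and (lookalike or BRAND_RE.search(text)):
            findings.append("toll-free-number-on-unofficial-brand-page")
    return sorted(set(findings))

# Constructed landing pages (host, visible text) for illustration.
SAMPLES = [
    ("e-bays-24x7support-number.vercel.app", "eBay Support 1-866-409-9281"),
    ("support-help.example", "eBay customer service: call (800) 555-0100"),
    ("www.ebay.com", "Help & Contact"),
]
if __name__ == "__main__":
    for sample_host, sample_text in SAMPLES:
        print(sample_host, triage(sample_host, sample_text))
```

The brand and toll-free patterns are heuristics, so treat a hit as a reason to inspect the page rather than as a verdict.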
Read more: https://www.malwarebytes.com/blog/scams/2024/11/large-ebay-malvertising-campaign-leads-to-scams