Threat actors usually ride on a brand’s popularity to make phishing campaigns believable. A common approach involves registering typosquatting domains that closely resemble those of the legitimate owners. Yet monitoring typosquatting domains may just be the tip of the iceberg in the fight against phishing.

Organizations should also stay on the lookout for subdomains that contain their brand names, as these could be used to tarnish their image. To illustrate, we compiled a list of 4,330 subdomains that contain the string “eBay” and analyzed them. Below are our key findings.

1. Malicious Lookalike Subdomains

eBay is one of the most spoofed brands in the world. Take the phishing email below as an example. It asks users to update their account information or face account suspension.

Note the URL that starts with the subdomain “signin.ebay,” which is consistent with the e-commerce website’s login page shown below.

In our sample, we found 77 subdomains that start with “signin.ebay,” which could prompt users to attempt to sign in and reveal their credentials in the process. Some of the subdomains were tagged “malicious” by multiple engines on VirusTotal.

• signin[.]ebay[.]de-ws[.]itm2108445557[.]icu
• signin[.]ebay[.]de-ws[.]1i1i[.]icu
• signin[.]ebay[.]co[.]uk-wsebayisapidllsigninrucpsess431608060754354[.]chidospr[.]com
• signin[.]ebay[.]co[.]uk[.]ebayisapi[.]dll[.]permakultur[.]jetzt

Other commonly found words in the subdomains (along with “eBay”) include:

• mail
• payment
• secure
• online
• reply
• store
• shop

2. Majority of the Subdomains Are Not Owned by eBay

Of the 4,330 subdomains, only 681 or 17% appeared to be owned by eBay. These include subdomains that use the following eBay-owned domains (that is, domains whose WHOIS records indicate eBay, Inc. as registrant company):

• ebay[.]com (627 subdomains)
• ebay[.]co[.]uk (11 subdomains)
• ebay[.]com[.]au (10 subdomains)
• ebay[.]co[.]kr (7 subdomains)
• ebay[.]com[.]hk (6 subdomains)

Other domains owned by eBay, such as ebay[.]us and ebay[.]jp, are not found on the list. The rest of the subdomains, on the other hand, only contain the word “eBay” but use unrelated root domains likely owned by someone else. Some examples are:

• pctdev1[.]corp[.]ebay[.]com[.]secure-log[.]in
• payments[.]www[.]ebay[.]com[.]breakpoint[.]xyz
• signin[.]ebay[.]it[.]izarbrokers[.]com
• signin[.]ebay[.]com[.]ws[.]ebayisapi[.]dll[.]signin[.]mcleodsorganicfertiliser[.]com
• signin[.]ebay[.]it[.]ahqfood[.]com
• www[.]signin[.]ebay[.]it[.]beach420[.]com # 3. Dedicated versus Shared IP Addresses and eBay Ownership

Another finding is that eBay’s subdomains resolve to dedicated IP addresses, while the lookalikes point to shared ones. For instance, below are 25 subdomains not owned by eBay along with the IP addresses they resolved to and the number of domains and subdomains that shared them.

By contrast, legitimate eBay subdomains, as revealed by Subdomains Lookup, only share IP addresses with other eBay subdomains.

To illustrate, consider the subdomain payments[.]ebay[.]es[.]g[.]ebay[.]com. On 21 August, it resolved to 66[.]135[.]204[.]244, 66[.]211[.]185[.]22, and 66[.]211[.]185[.]28. A reverse IP lookup tells us that these IP addresses are not associated with non-eBay-owned domains. Below are other subdomains owned by eBay with the number of domains that use their IP addresses.

This case study on subdomains that contain the word “eBay” shows that threat actors are likely to abuse subdomains and even use them maliciously as part of phishing and other schemes. As such, performing subdomain lookups and other audits could be a vital part of a company’s brand protection strategies.