Cyberveille, curated by Decio
6 results tagged TLD
Cyber crooks jump on .es domain for credential phishing trip • https://www.theregister.com/2025/07/05/spain_domains_phishing/
11/07/2025 20:24:07

¡Cuidado! Time to double-check before entering your Microsoft creds

Cybersecurity experts are reporting a 19x increase in malicious campaigns being launched from .es domains, making it the third most common, behind only .com and .ru.

The .es top-level domain (TLD) is the domain reserved for the country of Spain, or websites targeting Spanish-speaking audiences.

Cofense said the abuse of the .es TLD started to pick up in January, and as of May, 1,373 subdomains were hosting malicious web pages on 447 .es base domains.

The researchers said that 99 percent of these were focused on credential phishing, while the other 1 percent were devoted to distributing remote access trojans (RATs) such as ConnectWise RAT, Dark Crystal, and XWorm.

The malware was distributed either via a C2 node or a malicious email spoofing a well-known brand (Microsoft in 95 percent of cases, unsurprisingly), so there was nothing overly novel about the campaigns themselves other than the TLD.

Emails seen in the wild tend to be themed around workplace matters such as HR requests or requests for the receipt of documents, for example, and the messages are often well-crafted, rather than low-effort one-liners.

The .es domains that host the malicious content, like the fake Microsoft sign-in portals, are in most cases randomly generated rather than crafted by a human. For potential targets, this potentially makes it easier to spot a lookalike/typosquat-style URL.

Some examples of the types of subdomains hosted on the .es base domains are as follows:

ag7sr[.]fjlabpkgcuo[.]es
gymi8[.]fwpzza[.]es
md6h60[.]hukqpeny[.]es
Shmkd[.]jlaancyfaw[.]es

As for why exactly the .es domain was proving so popular, Cofense did not venture any guesses. However, it said that aside from the top two most-abused TLDs (.com and .ru), the remainder tend to fluctuate from quarter-to-quarter.

Regardless, the general nature of the phishing campaigns experts observed over the past six months suggests dodgy .es websites could be here to stay.

Cofense said: "If one threat actor or threat actor group were taking advantage of .es TLD domains then it is likely that the brands spoofed in .es TLD campaigns would indicate certain preferences by the threat actors that would be different from general campaigns delivered by a wide variety of threat actors with varying motives, targets, and campaign quality.

"This was not observed, making it likely that abuse of .es TLD domains is becoming a common technique among a large group of threat actors rather than a few more specialized groups."

theregister EN 2025 phishing TLD Spain
How a tiny Pacific Island became the global capital of cybercrime https://www.technologyreview.com/2023/11/02/1082798/tiny-pacific-island-global-capital-cybercrime/
02/11/2023 18:49:09

Despite having a population of just 1,400, until recently, Tokelau’s .tk domain had more users than any other country. Here’s why.

technologyreview EN 2023 domain TLD Tokelau
Massive cybercrime URL shortening service uncovered via DNS data https://www.bleepingcomputer.com/news/security/massive-cybercrime-url-shortening-service-uncovered-via-dns-data/
01/11/2023 07:25:49

A threat actor that security researchers call Prolific Puma has been providing link shortening services to cybercriminals for at least four years while keeping a sufficiently low profile to operate undetected.

bleepingcomputer EN 2023 Shortener URL NameSilo Prolific Computer usTLD DNS Security InfoSec Puma TLD
Unpacking the Threats Within: The Hidden Dangers of .zip Domains https://decoded.avast.io/matejkrcma/unpacking-the-threats-within-the-hidden-dangers-of-zip-domains/
01/08/2023 10:38:08

Let's have a look at the threats brought by the introduction of the .zip TLD.

avast EN 2023 TLD analysis
Threat Actors Add .zip Domains to Their Phishing Arsenals https://www.fortinet.com/blog/industry-trends/threat-actors-add-zip-domains-to-phishing-arsenals
20/07/2023 23:11:25

In the evolving cybersecurity landscape, understanding the phishing threat has become more critical than ever. Read into a new threat resulting from the addition of a new Top-Level Domain (TLD), '.ZIP'.

fortinet EN 2023 Threat-Trends phishing TLD
File Archiver In The Browser https://mrd0x.com/file-archiver-in-the-browser/?no-cache=1
23/05/2023 22:05:36

This article explores a phishing technique that emulates file archiver software in the browser while using a .zip domain.

mrd0x EN 2023 tld domain phishing technique