¡Cuidado! Time to double-check before entering your Microsoft creds
Cybersecurity experts are reporting a 19x increase in malicious campaigns being launched from .es domains, making it the third most common, behind only .com and .ru.
The .es top-level domain (TLD) is the domain reserved for the country of Spain, or websites targeting Spanish-speaking audiences.
Cofense said the abuse of the .es TLD started to pick up in January, and as of May, 1,373 subdomains were hosting malicious web pages on 447 .es base domains.
The researchers said that 99 percent of these were focused on credential phishing, while the other 1 percent were devoted to distributing remote access trojans (RATs) such as ConnectWise RAT, Dark Crystal, and XWorm.
The malware was distributed either via a C2 node or a malicious email spoofing a well-known brand (Microsoft in 95 percent of cases, unsurprisingly), so there was nothing overly novel about the campaigns themselves other than the TLD.
Emails seen in the wild tend to be themed around workplace matters such as HR requests or requests for the receipt of documents, for example, and the messages are often well-crafted, rather than low-effort one-liners.
The .es domains that host the malicious content, like the fake Microsoft sign-in portals, are in most cases randomly generated rather than crafted by a human. For potential targets, this can make them easier to spot than a lookalike/typosquat-style URL.
Some examples of the types of subdomains hosted on the .es base domains are as follows:
ag7sr[.]fjlabpkgcuo[.]es
gymi8[.]fwpzza[.]es
md6h60[.]hukqpeny[.]es
Shmkd[.]jlaancyfaw[.]es
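Because both the subdomain and the base-domain labels above look machine-generated, a mail gateway or proxy-log triage job can score hostnames for that property. The following is an added example, not code from Cofense or the original article; the four signals and their thresholds are assumptions chosen for illustration and tuned only against the four hostnames listed above, and the benign hostnames are constructed.

```python
import re

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")

def refang(indicator):
    """Turn a defanged indicator such as a[.]b[.]es into a lowercase hostname."""
    return indicator.strip().replace("[.]", ".").lower()

def label_score(label):
    """Count weak signals that a DNS label was machine-generated (0 to 4)."""
    letters = [c for c in label if c.isalpha()]
    vowels = sum(c in VOWELS for c in letters)
    longest = max((len(r) for r in CONSONANT_RUN.findall(label)), default=0)
    score = 0
    if letters and any(c.isdigit() for c in label):
        score += 1                      # digits mixed into a letter string
    if letters and vowels * 10 <= len(letters) * 3:
        score += 1                      # 30 percent vowels or fewer
    if longest >= 4:
        score += 1                      # long unpronounceable consonant run
    if re.search(r"q(?!u)", label):
        score += 1                      # 'q' not followed by 'u'
    return score

def looks_generated(host, tld="es", threshold=2):
    """True when every label left of the TLD reaches the threshold."""
    labels = refang(host).split(".")
    if len(labels) < 2 or labels[-1] != tld:
        return False
    return all(label_score(l) >= threshold for l in labels[:-1])

# The four defanged examples listed above, as printed on the page.
PAGE_SAMPLES = ["ag7sr[.]fjlabpkgcuo[.]es", "gymi8[.]fwpzza[.]es",
                "md6h60[.]hukqpeny[.]es", "Shmkd[.]jlaancyfaw[.]es"]
# Constructed benign-looking hostnames for contrast (not from the page).
CONSTRUCTED_BENIGN = ["www.ejemplo.es", "tienda.ejemplo.es",
                      "mail2.universidad.es"]

def triage(hosts):
    """Return the hosts worth a closer look, in the form they were given."""
    return [h for h in hosts if looks_generated(h)]

if __name__ == "__main__":
    print(triage(PAGE_SAMPLES + CONSTRUCTED_BENIGN))
```

A score like this is a triage signal to combine with sender reputation and URL context, not a verdict on its own.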
As for why exactly the .es domain was proving so popular, Cofense did not venture any guesses. However, it said that aside from the top two most-abused TLDs (.com and .ru), the remainder tend to fluctuate from quarter-to-quarter.
Regardless, the general nature of the phishing campaigns experts observed over the past six months suggests dodgy .es websites could be here to stay.
Cofense said: "If one threat actor or threat actor group were taking advantage of .es TLD domains then it is likely that the brands spoofed in .es TLD campaigns would indicate certain preferences by the threat actors that would be different from general campaigns delivered by a wide variety of threat actors with varying motives, targets, and campaign quality.
"This was not observed, making it likely that abuse of .es TLD domains is becoming a common technique among a large group of threat actors rather than a few more specialized groups."
Don’t trust mystery digits popping up in your search bar
Scammers are hijacking the search results of people needing 24/7 support from Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal in an attempt to trick victims into handing over personal or financial info, according to Malwarebytes senior director of research Jérôme Segura.
It's a variation of SEO or search poisoning, in which the attackers manipulate the search engine algorithms to promote what is usually a malicious website masquerading as the real deal. In this new scam, the fraudster pays for a sponsored ad on Google and crafts a malicious URL that embeds a fake phone number into the real site's legitimate search functionality.
Because the ad resolves to the authentic Netflix domain, reputation-based browser filters, such as Chrome's Safe Browsing, won't flag it as malicious.
When someone searches "24/7 Netflix support," for example, the digital thieves' ad pops up as one of the top results, and when the unwitting victim clicks on the URL, it takes them to the help page of the brand's website.
The page looks real — because it is — but displays a phone number pre-populated in the search bar on that page. This purports to be the legitimate help-desk phone number, but in reality it's a fake, controlled by the attackers.
As the anti-malware security firm explains:
This is able to happen because Netflix's search functionality blindly reflects whatever users put in the search query parameter without proper sanitization or validation. This creates a reflected input vulnerability that scammers can exploit.
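The reflected-input problem described above can be checked from both sides: a proxy or ad-review job can flag links whose query string carries a phone number, and the site can decline to echo such a search term. This is an added example, not code from Malwarebytes or any of the named brands; the `help.example.com` URLs, the `q` parameter and the fictional 555 number are constructed, and the 10 to 15 digit bound is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A digit run with common separators; length is checked after stripping them.
PHONE_RE = re.compile(r"\+?\d[\d\s().\-]{8,}\d")

def phone_like(text):
    """Return digit strings in text that are long enough to be dialable."""
    hits = []
    for match in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 10 <= len(digits) <= 15:     # assumed bounds for a phone number
            hits.append(digits)
    return hits

def screen_url(url):
    """Map each query parameter to the phone-like numbers its decoded value holds."""
    findings = {}
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    for name, value in pairs:           # parse_qsl percent-decodes the value
        hits = phone_like(value)
        if hits:
            findings[name] = hits
    return findings

def safe_to_reflect(term):
    """Server-side check: only echo a search term that holds no phone number."""
    return not phone_like(term)

# Constructed URLs: one carrying a support-style number, two ordinary searches.
SUSPECT = ("https://help.example.com/search"
           "?q=Call%20support%20%2B1%20(202)%20555-0143")
ORDINARY = ["https://help.example.com/search?q=reset+password",
            "https://help.example.com/search?q=error+code+1023"]

if __name__ == "__main__":
    for url in [SUSPECT] + ORDINARY:
        print(url, screen_url(url))
```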
Suspected cybercriminals have created a fake installer for Chinese AI model DeepSeek-R1 and loaded it with previously unknown malware called "BrowserVenom".
The malware’s name reflects its ability to redirect all traffic from browsers through an attacker-controlled server.
This enables the crooks to steal data, monitor browsing activity, and potentially expose plaintext traffic. Credentials for websites, session cookies, financial account info, plus sensitive emails and documents are therefore all at risk – just the sort of info scammers seek so they can commit digital fraud and/or sell to other miscreants.
To date, the malware has infected "multiple" computers across Brazil, Cuba, Mexico, India, Nepal, South Africa, and Egypt. Kaspersky, which spotted a phishing campaign that spreads the malware by sending victims to a fake website that resembles the real DeepSeek homepage, said it continues to "pose a global threat."
While the malware used in this campaign is new, the tactic of using interest in AI to spread nasty payloads is increasingly common.
Such campaigns use phishing sites whose domain names differ slightly from those operated by real AI vendors, and criminals use malicious ads and other tactics, so they appear prominently in search engine results. But instead of delivering the promised chatbot or AI tool, they infect unwitting victims with everything from credential- and wallet-stealing malware to ransomware and Windows-borking code.
This campaign used the URL https[:]//deepseek-platform[.]com.
The crims promoted that address to many potential victims by buying ads from Google, so it appeared as the top result when users searched for "deepseek r1".
The European Vulnerability Database (EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws amid the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems.
As of Tuesday, the full-fledged version of the website is up and running.
"The EU is now equipped with an essential tool designed to substantially improve the management of vulnerabilities and the risks associated with it," ENISA Executive Director Juhan Lepassaar said in a statement announcing the EUVD.
"The database ensures transparency to all users of the affected ICT products and services and will stand as an efficient source of information to find mitigation measures," Lepassaar continued.
The European Union Agency for Cybersecurity (ENISA) first announced the project in June 2024 under a mandate from the EU's Network and Information Security 2 Directive, and quietly rolled out a limited-access beta version last month during a period of uncertainty surrounding the United States' Common Vulnerabilities and Exposures (CVE) program.
Register readers — especially those tasked with vulnerability management — will recall that the US government's funding for the CVE program was set to expire in April until the US Cybersecurity and Infrastructure Security Agency, aka CISA, swooped in at the 11th hour and renewed the contract with MITRE to operate the initiative.
RSAC: Can we turn to govt, academic models instead?
Corporate AI models are already skewed to serve their makers' interests, and unless governments and academia step up to build transparent alternatives, the tech risks becoming just another tool for commercial manipulation.
That's according to cryptography and privacy guru Bruce Schneier, who spoke to The Register last week following a keynote speech at the RSA Conference in San Francisco.
"I worry that it'll be like search engines, which you use as if they are neutral third parties but are actually trying to manipulate you. They try to kind of get you to visit the websites of the advertisers," he told us. "It's integrity that we really need to think about, integrity as a security property and how it works with AI."
During his RSA keynote, Schneier asked: "Did your chatbot recommend a particular airline or hotel because it's the best deal for you, or because the AI company got a kickback from those companies?"
To deal with this quandary, Schneier proposes that governments should start taking a more hands-on stance in regulating AI, forcing model developers to be more open about the information they receive, and how the decisions models make are conceived.
He praised the EU AI Act, noting that it provides a mechanism to adapt the law as technology evolves, though he acknowledged there are teething problems. The legislation, which entered into force in August 2024, introduces phased requirements based on the risk level of AI systems. Companies deploying high-risk AI must maintain technical documentation, conduct risk assessments, and ensure transparency around how their models are built and how decisions are made.
Because the EU is the world's largest trading bloc, the law is expected to have a significant impact on any company wanting to do business there, he opined. This could push other regions toward similar regulation, though he added that in the US, meaningful legislative movement remains unlikely under the current administration.
CA/Browser Forum – a central body of web browser makers, security certificate issuers, and friends – has voted to cut the maximum lifespan of new SSL/TLS certs to just 47 days by March 15, 2029.
Today the certificates, which underpin things like encrypted HTTPS connections between browsers and websites, are good for up to 398 days before needing to be renewed. Apple put out a proposal last year to cut the maximum time between renewals, and got support from Big Tech pals.
Their argument is that shorter renewal periods mean compromised or stolen certificates can be abused for at most days or weeks, rather than months, before expiring. On the one hand, that may mean more purchases from certificate issuers for cert holders; on the other, Let's Encrypt provides perfectly good certificates for free and also helps automate the renewal process.
A bug in WhatsApp for Windows can be exploited to execute malicious code by anyone crafty enough to persuade a user to open a rigged attachment - and, to be fair, it doesn't take much craft to pull that off.
The spoofing flaw, tracked as CVE-2025-30401, affects all versions of WhatsApp Desktop for Windows prior to 2.2450.6, and stems from a bug in how the app handles file attachments.
Researchers can disclose two brand-new vulnerabilities in OpenSSH now that patches have been released.
Qualys discovered the bugs in January, per its disclosure timeline. These vulnerabilities allow miscreants to perform machine-in-the-middle (MitM) attacks on the OpenSSH client and pre-authentication denial-of-service (DoS) attacks.
Patches for CVE-2025-26465 and CVE-2025-26466 were released this morning. Although their respective severity scores (6.8 and 5.9 out of 10) don't necessarily scream "patch me right away" – it certainly doesn't seem as bad as last year's regreSSHion issue – they're both likely to raise some degree of concern given the tool's prominence.
Someone has been quietly backdooring selected Juniper routers around the world in key sectors including semiconductor, energy, and manufacturing, since at least mid-2023.
The devices were infected with what appears to be a variant of cd00r, a publicly available "invisible backdoor" designed to operate stealthily on a victim's machine by monitoring network traffic for specific conditions before activating.
Chinese government cyberspies Volt Typhoon reportedly breached Singapore Telecommunications over the summer as part of their ongoing attacks against critical infrastructure operators.
The digital break-in was discovered in June, according to Bloomberg, citing "two people familiar with the matter" who told the news outlet that the Singtel breach was "a test run by China for further hacks against US telecommunications companies."
Health care breaches lead to legislation
Highlights of the new standard include:
Tens of thousands of fuel storage tanks in critical infrastructure facilities remain vulnerable to zero-day attacks due to buggy Automatic Tank Gauge systems from multiple vendors, say infosec researchers.
Automatic Tank Gauges (ATGs) are used to monitor fuel levels in storage tanks and ensure that the tanks don't leak. The ten CVEs disclosed today were found in products from several different vendors: Dover Fueling Solutions (DFS), OPW Fuel Management Systems (owned by DFS), Franklin Fueling Systems, and OMNTEC.
Security researchers say that thousands of companies are potentially leaking secrets from their internal knowledge base (KB) articles via ServiceNow misconfigurations.
Aaron Costello and Dan Meged, of the AppOmni and Adaptive Shield security shops respectively, separately published their findings this week, concluding that pages set to "private" could still be read by tinkering with a ServiceNow customer's KB widgets.
These widgets are essentially containers of information used to construct the pages in KB articles. These can include page elements that allow users to leave feedback on articles, either through star ratings or comments, for example.