Massive spike in use of .es domains for phishing abuse

Cybersecurity experts are reporting a 19x increase in malicious campaigns being launched from .es domains, making it the third most common, behind only .com and .ru. The .es top-level domain (TLD) is the domain reserved for the country of Spain, or websites targeting Spanish-speaking audiences. Cofense said the abuse of the . …

  1. xyz Silver badge

    The reason....

    Is that (for example) gov websites tend to divert you to stupid domains which have no obvious connection to the domain you are on. It's a minefield. Also they tend to have silly domain formats like...

    bigAssedGovDeptName.WtfIsThisShit.es which on any click leads you to

    EffinRabbitHole.XxxyyyzzPQ7775.es/someplace which is still a correct gov domain but you've no idea if it is or not.

    1. Anonymous Coward

      Re: The reason....

      In my admittedly limited use of Spanish government sites (tax, social security, residency cards), they all end in .gob.es, and while they may redirect you, they also go to websites ending in .gob.es.

      They often redirect to ID verification (card reader, digital certificate, SMS 2FA...) which again is .gob.es, but then they redirect back once verified. If it's SMS 2FA you will only be allowed a restricted range of options. The ID verification actually works, unlike in other countries one could name, and seems generally well thought out.

      So I can't say I've noticed this behaviour, perhaps it's just one wayward department.
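The check the comment above describes (every hop of a redirect stays under .gob.es) is easy to get wrong with a naive string suffix test, so here is an added example of doing it on DNS label boundaries. This is illustrative code, not anything from the thread or from a Spanish government site; the allowlist and the sample redirect chains are constructed.

```python
# Added example: verify that every hop of a redirect chain stays under a trusted
# parent domain. Matching is done on label boundaries so that "notgob.es" or
# "gob.es.tracker-example.es" are rejected, and the hostname is taken from a
# proper URL parse so "https://gob.es@other-example.es/" is not mistaken for gob.es.
from urllib.parse import urlsplit

TRUSTED_PARENTS = ("gob.es",)  # assumed allowlist for this example


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL ('' if it has none)."""
    host = urlsplit(url).hostname  # ignores userinfo, port, path
    return host.lower().rstrip(".") if host else ""


def is_under(host: str, parent: str) -> bool:
    """True if host equals parent or is a subdomain of it (label boundary honoured)."""
    host = host.lower().rstrip(".")
    parent = parent.lower().rstrip(".")
    return host == parent or host.endswith("." + parent)


def redirect_stays_trusted(chain, parents=TRUSTED_PARENTS) -> bool:
    """Every URL in the redirect chain must be under one of the trusted parents."""
    return all(any(is_under(host_of(url), p) for p in parents) for url in chain)


# Constructed sample chains (not real sites)
OK_CHAIN = ["https://dept-example.gob.es/login", "https://id-example.gob.es/verify"]
BAD_CHAIN = ["https://dept-example.gob.es/login", "https://login.notgob.es/verify"]
USERINFO_CHAIN = ["https://gob.es@other-example.es/verify"]

if __name__ == "__main__":
    for name, chain in (("ok", OK_CHAIN), ("bad", BAD_CHAIN), ("userinfo", USERINFO_CHAIN)):
        print(name, redirect_stays_trusted(chain))
```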

      1. Homo.Sapien.Floridanus

        Re: The reason....

        This is how it should be. Any company that respects security will use a single domain and tld and have sub domains for their varied sites so that their users know where they are.

        I can't believe the number of tech companies that have dozens, even hundreds of domain names thanks to marketing people having power over the security team.

        What a poop show.

        1. Anonymous Coward

          Re: The reason....

          Well you know every now and again a company buys another and they keep the domain name so that things don't break ... and also so that nobody else buys it pretending to be them.

          But yes - they should really redirect them all to the same place

          1. nobody who matters Silver badge

            Re: The reason....

            Whilst a company/corporation/organisation may well own multiple domain names to stop others passing themselves off as being them, they are not required to have all of them in use, particularly where sensitive data is being submitted through them.

            And even where they do use more than one, they should redirect to the principal domain as you say.

          2. Anonymous Coward

            Re: The reason....

            So, company x buys company y and still uses the "y" domain for previous "y" customers? That's hardly unexpected, and not the same as somerandomname.co.uk being used.

      2. Anonymous Coward

        Re: The reason....

        "perhaps it's just one wayward department."

        No, and not even restricted to one country. I've had email from French state bodies that direct off to weird domains that have logical enough names but aren't .gouv or .fr, and so look just like spamming.

      3. Anonymous Coward

        Re: The reason....

        I've seen sites in the UK (mainly supermarkets who I have a registered account with, but also including banks) that will ask you to fill in a survey or something and it gets redirected to bankname.somecompanyiveneverheardof.co.uk - even when the survey involves aspects of the account that you wouldn't want a spammer to know.

        I've also had legit emails from these companies from bankname@somebulkmailerservicethatislegitimatebutwhoknowswhoreallysigneduptoitasbankname.com

        Mind you, with email, it seems that the main "consumer" email providers do everything they can to hide email addresses and "received" headers, so it's not as if this matters so much.. sigh.

        1. Anonymous Coward

          Re: The reason....

          I've seen at least one UK bank whose online banking website has scripts running from 3 "unknown" domains (I say "unknown" as Whois lookups showed the domains' ownership hidden behind MarkMonitor privacy protection) with similarly weird, long, "random" alphanumeric subdomain portions. I complained to the bank as it looked to me like their online banking had been compromised, but no, apparently the weird domains are used by one of the bank's analytics partners.

          1. Roland6 Silver badge

            Re: The reason....

            Weird domain names aren't the only problem. I've recently done business with a number of big name companies which, due to the M&S events, stopped using payment gateways, so payment had to be via direct bank-to-bank payment. I discovered that the name on their bank account bore no resemblance to their trading name, an important fact to know if you don't want you or your bank to deem the payment a scam and so kindly block it, returning the monies to your account a couple of days later with all evidence of the attempted payment erased.

          2. Anonymous Coward

            Re: The reason....

            NoScript for the win, block all that analytics sludge.

            1. Anonymous Coward

              Re: The reason....

              "NoScript for the win, block all that analytics sludge."

              I do. The problem with that particular bank's web-based online banking is that there seems to be some sort of short "idle timeout" only when the weird 3rd party analytics scripts are blocked: if more than 45 secs to 1 min passes without activity then you get auto logged out.

  2. kmorwath

    One would think AI...

    ... could identify domains like ag7sr[.]fjlabpkgcuo[.]es as useless and with very few uses, and only criminal ones. But probably selling them is better than investing money to avoid selling them.

    1. munnoch Silver badge

      Re: One would think AI...

      You don't need AI for that, but like you say they're in the business of selling domains not of vetting what you might potentially do with the domains.

      Most people won't stop for even a nanosecond before clicking on a link regardless of how unlikely it looks. I'd bet that hardly anyone nowadays realises what country TLDs are supposed to represent, not helped by abominations like youtu.be.

      And of course many legit organisations send you all round the houses via various third party sites with very phishy looking names, both for the origin of the email and for the response links. It's all about capturing the data, folks, not about useful levels of communication.

  3. DCdave
    Joke

    To be fair

    had.es should be a bit of a giveaway

  4. Pete 2 Silver badge

    Plurals

    Could this TLD be popular because it makes sites sound like English (language) websites?

    For example bestpric.es or nicecak.es or even websit.es!

    1. Roland6 Silver badge

      Re: Plurals

      Probably popular because it is easy to get hold of a .es address and being within Europe, gets around simple regional geo blocking.

    2. Homo.Sapien.Floridanus

      Re: Plurals

      security pleb.es
