Rise in malware through .es domain names | The story of pay-or-consent and the DMA
#194 - The .es TLD gets infamous for delivering malware | The story of Meta and their battle with the DMA
Phishing using .es domains rises
The Spanish top-level domain sees a rise in use for phishing
Top level domains work in mysterious ways.
Some domain names are more conducive to use by attackers. Two years ago, I wrote about the .tk top-level domain (TLD). This TLD was used for nefarious purposes. The domain belonged to the islands of Tokelau. Here is the post:
Today’s news is very similar. The TLD being misused now is .es.
Top-level domains are broadly classified into two types: generic TLDs (gTLDs) and country-code TLDs (ccTLDs). gTLDs are not subject to any country-specific restrictions. ccTLDs have some restrictions, though not many. Scammers manage to buy these domains and phish people in the geographies associated with the domain.
Take Action:
If you are not in Spain, monitor connections to .es domains from within your network. They could be phishing connections.
If you are a domain service provider, see if you can validate buyers of .es domains.
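The first action item above, monitoring connections to .es domains, is easy to get subtly wrong: a naive substring match on ".es" also fires on names like es.cdn.example.net, and DNS logs often carry a trailing root dot or mixed case. The following is an added example, not code from the newsletter, that extracts the real top-level label from each queried name in a constructed DNS query log and reports which internal clients resolved names under a watched TLD. The log format (timestamp, client IP, queried name) and all hostnames and addresses are assumptions made up for the example.

```python
# Added example: flag DNS queries to a watched ccTLD (here .es) from internal clients.
# Constructed sample log lines; the three-column format is an assumption for this example.
SAMPLE_DNS_LOG = """\
2024-05-01T09:12:01Z 10.0.0.15 mail.example.com
2024-05-01T09:12:05Z 10.0.0.22 login-update.example.es
2024-05-01T09:13:11Z 10.0.0.15 es.cdn.example.net
2024-05-01T09:14:40Z 10.0.0.31 secure-banking.example.es.
2024-05-01T09:15:02Z 10.0.0.22 LOGIN-UPDATE.EXAMPLE.ES
2024-05-01T09:16:27Z 10.0.0.40 files.example.org
"""

# TLDs to watch; extend this set if other ccTLDs become relevant to your network.
WATCHED_TLDS = {"es"}


def tld_of(hostname: str) -> str:
    """Return the top-level label of a hostname in lowercase.

    Handles a trailing root dot ("example.es."), mixed case, and a
    ":port" suffix as seen in proxy logs. Returns "" for single-label
    names such as "localhost", which have no TLD.
    """
    name = hostname.strip().split(":", 1)[0].rstrip(".").lower()
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1]


def find_watched_tld_queries(log_text: str, watched=WATCHED_TLDS):
    """Return (timestamp, client, normalised_name) for every query whose
    real TLD is in the watched set. Matching on the last label avoids
    false positives such as "es.cdn.example.net"."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        ts, client, qname = parts
        if tld_of(qname) in watched:
            hits.append((ts, client, qname.rstrip(".").lower()))
    return hits


def summarise_by_client(hits):
    """Group the distinct watched-TLD names each client queried, so a
    single host reaching many fresh .es names stands out for triage."""
    by_client = {}
    for _, client, qname in hits:
        by_client.setdefault(client, set()).add(qname)
    return {client: sorted(names) for client, names in by_client.items()}


if __name__ == "__main__":
    for client, names in summarise_by_client(
            find_watched_tld_queries(SAMPLE_DNS_LOG)).items():
        print(client, "->", ", ".join(names))
```

Treat the output as a hunting lead, not a block list: legitimate Spanish sites exist, so the useful next step is to allowlist known-good .es names and look at clients that resolve several never-before-seen ones in a short window.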
Meta says fines on the pay-or-consent approach ‘unlawful’
Here’s the whole story
The DMA, or the Digital Markets Act, is a law passed in the EU on 1 Nov 2022 that came into effect in May 2023. This law identifies ‘gatekeepers’, the large digital platforms providing core services like search, storage, messenger services, etc.
The act aims to bring more clarity to consumers’ choice, encourages seamless data portability, ensures data ownership remains with the consumer, etc.
After this act was passed, Apple and Meta earned the dubious honor of becoming the first two companies to be fined under the DMA.
Apple was fined for not allowing developers to ‘steer’ their customers to cheaper options to buy outside the Apple ecosystem.
Meta was fined for its pay-or-consent model. On the face of it, the pay-or-consent model was very simple. You either pay for the ad-free service or you continue to get the free service with ads.
Consumers assumed that if they were paying for an ad-free service, then Meta would not collect data about them. If you are not showing me targeted ads, there is no need to collect my data, right?
Wrong!
The DMA found that Meta continued to collect data on paying customers. They fined Meta 200 million Euros.
Meta is calling it unlawful and contesting it. I will keep track of this story as it progresses.
Take Action:
Meta collects a lot of data about you. Share as little as possible on their platforms. If you can, just stop using these ‘gatekeepers’.