Skip to content
All posts

[SCAM ALERT 051] - Eurocaja Rural and Santander


Eurocaja Rural is financing new investments in Santander after signing a 12 million euro transaction with the Cantabrian City Council.

During our PreCrime internet scout of September 28th 2022 we identified suspicious markers across multiple vectors.

The Attack


Santander and Eurocaja Rural bank customers in Spain.

Possible threats:

  • Phishing/smishing campaign - luring customers to the site by sending them a message impersonating the bank with a link to the malicious domain. Most likely indicating that users must sign in now due to an issue to make victims feels a sense of urgency.
  • Credential harvesting and financial gain - After luring users to the site they will be asked to expose their personal information (username, password, bank details).
  • Malware - by infecting a victims devices with malicious software to steal their sensitive information.

Technical Breakdown

Threat Indicators

  • Malicious domain impersonating both Banco Santander and Eurocaja Rural
  • Domain not registered under the same registrar as Banco Santander or Eurocaja Rural
  • Newly registered site - September 22 2022
  • SSL certificates expire after three months

Detection and Threat Analysis

The malicious domain, bancosantander-configurar[.]com has been targeting Banco Santander and Eurocaja Rural. Santander is a Spanish multinational financial services company and the 16th largest banking institution in the world. Eurocaja Rural provides banking services for customers in Spain. The malicious domain was created September 22, 2022 and detected by September 23, 2022.

  • The website content has changed. Initially the content replicated the Spanish customer login page for Santander. Now the site content has changed to replicate the Eurocaja Rural Bank login page. This scam is definitely interested in gaining access to financial data and bank accounts of Spanish citizens to steal their PII and money.
  • The registered SSL certificates expire after three months and one of them is issued by a non-trusted certificate issuer (Let’s Encrypt), indicating malicious intent.
  • The IP address has a lot malicious traffic with mainly .EXE malicious files communicating with it.


WhoIs Record



IP Address


How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day we got you covered no matter where the attack comes from. Only 0.05% false positive rate, stop wasting time in false alerts chasing. By launching our PreCrime and PreEmpt technologies, we measure our anticipation from an attack starting, faster than attackers.

Accepting that the only defense is good detection, is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information !

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced, and rapid - and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team :

  • Pay close attention to the URL
  • Check connection security indicators (the lock)
  • Read emails carefully
  • Look for trust seals



This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.