| Category:
Adversary Intelligence |
Industry:
Finance & Banking |
Motivation:
Financial |
Region:
India |
Source*:
A1 |
Executive Summary
| THREAT |
IMPACT |
MITIGATION |
- Hostinger’s preview domain feature abused to host phishing sites.
- Phishing domain URL scheme: domain-tld.preview-domain.com
- Threat actors use preview domains to evade detection.
|
- Loss of revenue and reputation for the impersonate brands.
- Victims’ PII and bank details can be used for other social engineering attacks and identity theft.
|
- Identify and take down copy-cat domains.
- Monitor previously taken down malicious domains.
- Awareness campaigns to educate users and customers.
|
Analysis and Attribution
Modus Operandi
CloudSEK’s contextual AI digital risk platform
XVigil has uncovered a new phishing tactic used by threat actors to target Indian banking customers. XVigil has highlighted the recent increase in Hostinger preview domains being used to host phishing sites. The preview domain feature enables access to a site even before it is accessible globally.
- Threat actors have been consistently launching campaigns to defraud Indian banking users.
- Campaigns are hosted on phishing domains that are distributed via text, email, and social media.
- However, real-time monitoring has enabled banks to detect and take down phishing sites quickly.
- Hence, threat actors are constantly looking for novel techniques to evade early detection.
- The latest method involves the domain preview feature provided by Hostinger. This feature allows threat actors to distribute phishing URLs during the DNS Zone Propagation time (time taken for a newly registered domain to start working globally).
[caption id="attachment_20152" align="aligncenter" width="809"]
Image depicts - a malicious domain hosted at Hostinger[/caption]
[caption id="attachment_20153" align="aligncenter" width="513"]
Preview Domain phishing URL distributed via smishing[/caption]
Information from phishing URLs
The preview domain URLs are temporary mirrors of their root domains. Here are some examples of preview domains detected by
CloudSEK’s contextual AI digital risk platform
XVigil:
| kycfrakyu-online[.]preview-domain[.]com |
bankweb-de[.]preview-domain[.]com |
| kyc451[.]preview-domain[.]com |
bankapp-de[.]preview-domain[.]com |
| kycsupports-online[.]preview-domain[.]com |
bankstatements-com-au[.]preview-domain[.]com |
| kycsbi-in-net[.]preview-domain[.]com |
bankingonlinebpmclient-com[.]preview-domain[.]com |
| kycuserks-online[.]preview-domain[.]com |
bankingn26-com[.]preview-domain[.]com |
| kycsbio-in-net[.]preview-domain[.]com |
bankasol-xyz[.]preview-domain[.]com |
| kycsbiko-com[.]preview-domain[.]com |
bankofamerica-upadteonline-com[.]preview-domain[.]com |
| kycski-online[.]preview-domain[.]com |
bank0famerica-verification-com[.]preview-domain[.]com |
| kycsky-online[.]preview-domain[.]com |
Bank0famirecasurfacehelp-com[.]preview-domain[.]com |
| kyccsbii-online[.]preview-domain[.]com |
kycskii-com[.]preview-domain[.]com |
| kycsbbiyono-com[.]preview-domain[.]com |
kyccsbbiko-com[.]preview-domain[.]com |
| kyccsbii-com[.]preview-domain[.]com |
|
The Preview Domain Feature
Hostinger is a common Domain Registrar and Hosting Provider. Hostinger provides a feature to view website content without a domain once you create an account and add a domain to host a website. Hostinger’s DNS Zone propagation time is 12—24 hours. To compensate for this period, Hostinger provides the domain preview service, which allows users to build and share their websites on the internet.
- A preview website feature is automatically activated during the new hosting order activation.
- The preview URLscheme is: domain-tld.preview-domain.com.
- Preview URL is available for 120 hours after setting up an account.
References
Appendix
[caption id="attachment_20154" align="aligncenter" width="397"]
Phishing Website for Internet Banking Credential Harvesting[/caption]
