Hostinger’s Preview Domain Feature Abused to Launch Phishing Campaigns and Evade Detection

Summary

Hostinger’s preview domain feature abused to host phishing sites
 
Category: Adversary Intelligence Industry: Finance & Banking Motivation: Financial Region: India Source*: A1

Executive Summary

Threat
  • Hostinger’s preview domain feature abused to host phishing sites.
  • Phishing domain URL scheme: domain-tld.preview-domain.com
  • Threat actors use preview domains to evade detection.

Impact
  • Loss of revenue and reputation for the impersonated brands.
  • Victims’ PII and bank details can be used for other social engineering attacks and identity theft.

Mitigation
  • Identify and take down copy-cat domains.
  • Monitor previously taken down malicious domains.
  • Awareness campaigns to educate users and customers.

Analysis and Attribution

Modus Operandi

CloudSEK’s contextual AI digital risk platform XVigil has uncovered a new phishing tactic used by threat actors to target Indian banking customers. XVigil has highlighted the recent increase in Hostinger preview domains being used to host phishing sites. The preview domain feature enables access to a site even before it is accessible globally.
  • Threat actors have been consistently launching campaigns to defraud Indian banking users.
  • Campaigns are hosted on phishing domains that are distributed via text, email, and social media.
  • However, real-time monitoring has enabled banks to detect and take down phishing sites quickly.
  • Hence, threat actors are constantly looking for novel techniques to evade early detection.
  • The latest method involves the domain preview feature provided by Hostinger. This feature allows threat actors to distribute phishing URLs during the DNS Zone Propagation time (time taken for a newly registered domain to start working globally).
Image depicts - a malicious domain hosted at Hostinger

Preview Domain phishing URL distributed via smishing

Information from phishing URLs

The preview domain URLs are temporary mirrors of their root domains. Here are some examples of preview domains detected by CloudSEK’s contextual AI digital risk platform XVigil:

The Preview Domain Feature

Hostinger is a common domain registrar and hosting provider. Once an account has been created and a domain added to host a website, Hostinger provides a feature to view the website content before the domain itself resolves. Hostinger’s DNS zone propagation time is 12-24 hours. To compensate for this period, Hostinger provides the domain preview service, which allows users to build and share their websites on the internet during that window.
  • The preview website feature is automatically activated when a new hosting order is activated.
  • The preview URL scheme is: domain-tld.preview-domain.com.
  • The preview URL is available for 120 hours after the account is set up.
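As an added example (not part of the CloudSEK report or Hostinger’s own tooling), the following Python triage routine applies the URL scheme above and the modus operandi described earlier to message text: it picks out URLs under preview-domain.com, reverses the domain-tld label into candidate root domains that a takedown or monitoring team can watch once DNS propagates, and flags lure terms. The sample messages and the watch-list are constructed; the two preview hostnames are taken from the report’s examples.

```python
import re
from urllib.parse import urlparse

# Host pattern described in the report: <domain>-<tld>.preview-domain.com
PREVIEW_SUFFIX = ".preview-domain.com"
# Constructed watch-list of lure/brand terms; tune per monitored brand.
WATCH_TERMS = ("kyc", "bank", "sbi")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample smishing texts (hostnames from the report's examples).
SAMPLE_MESSAGES = [
    "Dear customer, your KYC is pending. Update now: https://kycsbi-in-net.preview-domain.com/login",
    "Statement ready: https://bankstatements-com-au.preview-domain.com/view?id=7",
    "Your order has shipped, track at https://example.com/track/123",
]

def is_preview_host(host):
    """True for any label under preview-domain.com, not the bare apex."""
    host = host.lower().rstrip(".")
    return host.endswith(PREVIEW_SUFFIX) and host != PREVIEW_SUFFIX.lstrip(".")

def root_candidates(host):
    """Reverse the 'domain-tld' encoding. Hyphens inside the registered name
    are indistinguishable from the name/TLD separator, so return every
    candidate obtained by splitting at the last one or two hyphens (the
    latter covers multi-label TLDs such as com-au)."""
    label = host.lower().split(".")[0]
    parts = label.split("-")
    cands = []
    for n in (1, 2):
        if len(parts) > n:
            cands.append("-".join(parts[:-n]) + "." + ".".join(parts[-n:]))
    return cands

def triage(messages):
    """Flag preview-domain URLs, their likely root domains and lure terms."""
    hits = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            host = urlparse(url).hostname or ""
            if not is_preview_host(host):
                continue
            terms = [t for t in WATCH_TERMS if t in host.split(".")[0]]
            hits.append({"url": url, "host": host,
                         "roots": root_candidates(host), "terms": terms})
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_MESSAGES):
        print(hit["host"], "->", hit["roots"], hit["terms"])
```

The root candidates are what to add to a brand-monitoring watch-list, since the report notes the preview URL is only a temporary mirror of the domain that will go live once propagation completes.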

Appendix

Phishing Website for Internet Banking Credential Harvesting