Hostinger’s Preview Domain Feature Abused to Launch Phishing Campaigns and Evade Detection

Hostinger’s preview domain feature abused to host phishing sites
Published on August 4, 2022. Updated on April 19, 2023.
Category: Adversary Intelligence
Industry: Finance & Banking
Motivation: Financial
Region: India
Source*: A1

Executive Summary

Threat
  • Hostinger’s preview domain feature abused to host phishing sites.
  • Phishing domain URL scheme: domain-tld.preview-domain.com
  • Threat actors use preview domains to evade detection.

Impact
  • Loss of revenue and reputation for the impersonated brands.
  • Victims’ PII and bank details can be used for other social engineering attacks and identity theft.

Mitigation
  • Identify and take down copy-cat domains.
  • Monitor previously taken down malicious domains.
  • Awareness campaigns to educate users and customers.

Analysis and Attribution

Modus Operandi

CloudSEK’s contextual AI digital risk platform XVigil has uncovered a new phishing tactic used by threat actors to target Indian banking customers. XVigil has highlighted the recent increase in Hostinger preview domains being used to host phishing sites. The preview domain feature enables access to a site even before it is accessible globally.
  • Threat actors have been consistently launching campaigns to defraud Indian banking users.
  • Campaigns are hosted on phishing domains that are distributed via text, email, and social media.
  • However, real-time monitoring has enabled banks to detect and take down phishing sites quickly.
  • Hence, threat actors are constantly looking for novel techniques to evade early detection.
  • The latest method involves the domain preview feature provided by Hostinger. This feature allows threat actors to distribute phishing URLs during the DNS Zone Propagation time (time taken for a newly registered domain to start working globally).
[Image: a malicious domain hosted at Hostinger]

[Image: preview domain phishing URL distributed via smishing]

Information from phishing URLs

The preview domain URLs are temporary mirrors of their root domains. Here are some examples of preview domains detected by CloudSEK’s contextual AI digital risk platform XVigil:

The Preview Domain Feature

Hostinger is a common domain registrar and hosting provider. Hostinger provides a feature to view website content without a domain once you create an account and add a domain to host a website. Hostinger’s DNS zone propagation time is 12 to 24 hours. To compensate for this period, Hostinger provides the domain preview service, which allows users to build and share their websites on the internet.
  • A preview website feature is automatically activated during the new hosting order activation.
  • The preview URL scheme is: domain-tld.preview-domain.com.
  • The preview URL is available for 120 hours after setting up an account.
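
A defender-side triage sketch for the URL scheme above, added here as an example and not CloudSEK's or Hostinger's code: it pulls preview-domain hosts out of message or proxy log lines, lists the root domains each label could map to, and tags labels that contain watchlist keywords. The watchlist, the digit-folding table and the sample lines are assumptions constructed for illustration.

```python
import re

PREVIEW_SUFFIX = ".preview-domain.com"    # scheme on the page: domain-tld.preview-domain.com
WATCHLIST = ("kyc", "bank")               # assumed keywords; use your own brand terms
LEET = str.maketrans("013457", "oieast")  # assumed digit look-alike folding (0->o, 4->a, ...)
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.\-\[\]]+)", re.I)

def preview_label(token):
    """Return the 'domain-tld' label of a preview-domain host or URL, else None."""
    m = HOST_RE.match(token.strip())
    if not m:
        return None
    host = m.group(1).replace("[.]", ".").lower().rstrip(".")  # refang, normalise
    if not host.endswith(PREVIEW_SUFFIX):
        return None  # also rejects look-alikes such as notpreview-domain.com
    label = host[: -len(PREVIEW_SUFFIX)]
    # Require exactly one DNS label in front of the shared suffix.
    return label if re.fullmatch(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?", label) else None

def root_candidates(label, max_suffix_labels=2):
    """Dots become hyphens in the label, so list each root domain it could map to."""
    parts = label.split("-")
    top = min(max_suffix_labels, len(parts) - 1)
    return ["-".join(parts[:-n]) + "." + ".".join(parts[-n:]) for n in range(1, top + 1)]

def triage(lines):
    """Return (label, watchlist hits, candidate root domains) per preview URL seen."""
    hits = []
    for line in lines:
        for token in line.split():
            label = preview_label(token)
            if label is not None:
                folded = label.translate(LEET)
                hits.append((label, [k for k in WATCHLIST if k in folded],
                             root_candidates(label)))
    return hits

SAMPLE = [  # constructed log / SMS lines, not indicators from the page
    "Dear customer, complete your KYC at https://kycupdate-online.preview-domain.com/login",
    "proxy allow b4nk-example-co-in[.]preview-domain[.]com",
    "proxy allow https://shop.example.com/preview-domain.com",
    "proxy allow https://myblog-net.preview-domain.com/",
]

if __name__ == "__main__":
    for label, keywords, roots in triage(SAMPLE):
        print(label, keywords or "no watchlist hit", roots)
```

Since the preview URL mirrors a root domain that goes live once DNS propagation completes, the candidate root domains are the ones to add to takedown and re-registration monitoring.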

Appendix

[Image: phishing website for Internet banking credential harvesting]
