Scammers Misuse A2 Hosting’s Services to Target Indian Banking Customers

CloudSEK’s contextual AI digital risk platform XVigil uncovered a phishing campaign that hosted a total of 8 subdomains impersonating the webpages of a popular Indian bank.
Updated on: February 27, 2023
Published on: December 8, 2022
Read time: 5
Category: Adversary Intelligence
Industry: Banking & Finance
Motivation: Financial
Country: India
Source*: A1

Executive Summary

THREAT
  • Scammers are abusing the temporary domain feature, provided by A2 Hosting, to create phishing websites for targeting Indian banking customers.
  • Using this feature, scammers are able to evade detection and steal net banking credentials.

IMPACT
  • Data collected from phishing sites can be sold on the dark web.
  • Many of the links are not present on the internet, making it difficult to classify them before the campaign starts at scale.
  • Loss of trust in banks impersonated by the sites.

MITIGATION
  • Real-time scans to identify and report phishing domains, not just by name, but also by trademarks and images.
  • Awareness among customers regarding malicious URLs.
  • Policies to ensure that reverse tunnel service providers assist victims in taking down such sites.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil uncovered a phishing campaign that hosted a total of 8 subdomains impersonating the webpages of a popular Indian bank.
  • The phishing domains were being hosted on A2 Hosting, a US-based web hosting provider that offers shared and managed WordPress hosting, VPS Hosting, reseller hosting and dedicated hosting along with commerce hosting.

Modus Operandi

  • As an improvised modus operandi, the campaign abused a service offered by A2 Hosting.
  • To avoid detection and takedowns, the threat actors hosted websites under the subdomain of *.a2hosted.com.
  • To deliver the phishing page, the scammer used SMS-based spam techniques (smishing).

Registering Subdomains Via A2 Hosting

  • A2 Hosting provides a variety of services including a temporary domain service which can be used to host any kind of website without registering any new domain.
  • It has various flexible plans (of different prices) but it does not provide any free services.
[Figure: Screenshot of the services offered by A2 Hosting]

Similar Phishing Campaigns

  • Scammers are rapidly adopting newer technologies and abusing services/features provided by various SaaS platforms.
  • In 2022, CloudSEK observed a new trend of abusing domain forwarding services (mostly freemium) offered by web hosting providers to host phishing pages.
  • These campaigns are usually targeted at Indian banking customers.
  • Previously, the following services were abused by threat actors for their campaigns:
      • Reverse tunneling services offered by nGrok, TryCloudflare, LocalHostRun and more.
      • Cloudflare Pages
      • Hostinger’s Preview Domain
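
The hosting pattern described above (lure pages served from a subdomain of a shared parent such as *.a2hosted.com and delivered by SMS) can be screened by name on URLs extracted from message bodies or proxy logs. The following Python code is an added example, not part of the original report or of any CloudSEK tooling; it covers only the "by name" part of the mitigation. The suffixes other than a2hosted.com, the term list and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# a2hosted.com is the parent domain named in the report. The other suffixes are
# assumptions added for the services it lists under similar campaigns.
SHARED_PARENTS = ("a2hosted.com", "trycloudflare.com", "ngrok.io", "pages.dev")
# Placeholder brand and lure terms (assumption): the report does not name the bank.
LURE_TERMS = ("examplebank", "netbanking", "kyc")
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def classify(url):
    """Return 'alert', 'review' or 'ignore' for a single URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    for parent in SHARED_PARENTS:
        # Require a label boundary so "nota2hosted.com" does not match.
        if host.endswith("." + parent):
            label = host[: -len(parent) - 1]
            text = (label + parts.path).lower()
            if any(term in text for term in LURE_TERMS):
                return "alert"   # shared parent plus a brand or lure term
            return "review"      # shared parent only, may be legitimate staging
    return "ignore"

def scan(messages):
    """Extract URLs from message bodies; return (url, verdict) for flagged ones."""
    hits = []
    for body in messages:
        for match in URL_RE.finditer(body):
            url = match.group(0).rstrip(".,;)")
            verdict = classify(url)
            if verdict != "ignore":
                hits.append((url, verdict))
    return hits

# Constructed sample SMS bodies (not taken from the report).
SAMPLE_SMS = [
    "Dear customer your a/c will be blocked. Update KYC: http://examplebank-kyc.a2hosted.com/login",
    "Your OTP is 482913. Do not share it with anyone.",
    "Invoice ready at https://portal.nota2hosted.com/inv/77",
    "Staging build: demo-site.a2hosted.com/index.html.",
]

if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_SMS):
        print(f"{verdict:6} {url}")
```

The "review" verdict exists because temporary and preview domains also carry legitimate customer sites, so a shared parent on its own is a triage signal rather than proof of phishing.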

Appendix

[Figure: Screenshot of the phishing website used by scammers to steal customers’ net banking credentials]

[Figure: Minimal cost (in INR) to host a website in A2 Hosting with Temporary Domain Service]

[Figure: Screenshot of the price structure offered by A2 Hosting]
