Category: Adversary Intelligence | Industry: Banking & Finance | Motivation: Financial | Country: India | Source*: A1
Executive Summary
Threat
- Scammers are abusing the temporary domain feature provided by A2 Hosting to create phishing websites targeting Indian banking customers.
- Hosting the pages under the provider's own subdomain lets the scammers evade detection and steal net banking credentials.
Impact
- Data collected from the phishing sites can be sold on the dark web.
- Many of the links have not yet surfaced publicly, making them difficult to classify before the campaign is run at scale.
- Loss of trust in the banks impersonated by the sites.
Mitigation
- Real-time scans to identify and report phishing domains, matching not only on domain names but also on trademarks and images.
- Customer awareness regarding malicious URLs.
- Policies to ensure that hosting providers and reverse tunnel service providers assist victims in taking down such sites.
Analysis and Attribution
- CloudSEK’s contextual AI digital risk platform XVigil uncovered a phishing campaign hosting a total of eight subdomains impersonating the web pages of a popular Indian bank.
- The phishing domains were hosted on A2 Hosting, a US-based web hosting provider that offers shared and managed WordPress hosting, VPS hosting, reseller hosting, dedicated hosting and commerce hosting.
Modus Operandi
- The campaign's modus operandi is a variation on earlier ones: it abuses a legitimate service offered by A2 Hosting rather than registering its own domains.
- To avoid detection and takedowns, the threat actors hosted the phishing websites under subdomains of a2hosted.com (*.a2hosted.com), so that URL reputation checks keyed on the provider's domain see a legitimate hosting company.
- The phishing links were delivered to victims through SMS spam (smishing).
Registering Subdomains Via A2 Hosting
- A2 Hosting provides a variety of services, including a temporary domain service that can be used to host any kind of website without registering a new domain.
- Plans are available at a range of prices, but none of them is free, so the actors paid for the hosting.
Figure: Screenshot of the services offered by A2 Hosting
Similar Phishing Campaigns
- Scammers are rapidly adopting newer technologies and abusing services and features provided by various SaaS platforms.
- In 2022, CloudSEK observed a new trend of abusing domain forwarding services (mostly freemium) offered by web hosting providers to host phishing pages.
- These campaigns usually target Indian banking customers.
- The following services have previously been abused by threat actors for such campaigns:
- Reverse tunneling services offered by ngrok, TryCloudflare, localhost.run and others.
- Cloudflare Pages
- Hostinger’s preview domain
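The common thread in the modus operandi above and in the earlier campaigns listed here is that the phishing page sits on a tenant subdomain of a reputable provider, so a filter that scores the apex domain (a2hosted.com, trycloudflare.com, pages.dev) sees a legitimate company and lets the URL through. The triage script below, an added example that is not CloudSEK's or A2 Hosting's code, shows the defensive counterpart: treat such multi-tenant suffixes like public suffixes and key detection on the tenant label instead. Only a2hosted.com comes from the report; the other suffixes, the banking keyword list and the sample SMS URLs are constructed assumptions for illustration.

```python
"""Triage URLs extracted from SMS messages by tenant label, not apex domain.

Added example, not code from the report or from any provider. The suffix
list (other than a2hosted.com), the keyword list and the sample URLs are
constructed for illustration.
"""
from __future__ import annotations

from typing import Optional, Tuple
from urllib.parse import urlparse

# Shared suffixes under which any customer can obtain a subdomain without
# registering a domain. Assumption: these are the suffixes the named
# services hand out; adjust to what your feeds actually observe.
MULTI_TENANT_SUFFIXES = (
    "a2hosted.com",       # A2 Hosting temporary domain (from the report)
    "trycloudflare.com",  # TryCloudflare quick tunnels
    "ngrok-free.app",     # ngrok
    "ngrok.io",           # ngrok (older)
    "pages.dev",          # Cloudflare Pages
)

# Constructed keyword list; a real deployment would key this on the
# protected brand's trademarks and on visual similarity of the page.
BANKING_KEYWORDS = ("bank", "netbanking", "kyc", "secure", "login", "verify")


def tenant_of(host: str) -> Optional[Tuple[str, str]]:
    """Return (tenant_label, shared_suffix) if host is a tenant subdomain.

    The apex itself (e.g. a2hosted.com) is not a tenant and returns None.
    """
    host = host.lower().rstrip(".")
    for suffix in MULTI_TENANT_SUFFIXES:
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1], suffix
    return None


def classify(url: str) -> dict:
    """Classify one URL; reputation is attached to the tenant label.

    Allowlisting the apex is exactly what lets these pages evade filters,
    so a shared suffix alone is worth review and a shared suffix plus
    banking keywords in the tenant label or path is flagged as suspicious.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    result = {"url": url, "host": host, "suspicious": False, "reasons": []}
    hit = tenant_of(host)
    if hit is None:
        return result
    tenant, suffix = hit
    result["tenant"] = tenant
    result["suffix"] = suffix
    result["reasons"].append(f"tenant subdomain of shared suffix {suffix}")
    haystack = tenant + " " + parsed.path.lower()
    matched = [k for k in BANKING_KEYWORDS if k in haystack]
    if matched:
        result["reasons"].append("banking keywords: " + ", ".join(matched))
        result["suspicious"] = True
    return result


def triage(urls) -> list:
    """Return only the URLs classified as suspicious, in input order."""
    return [r for r in (classify(u) for u in urls) if r["suspicious"]]


# Constructed sample URLs, not real campaign indicators.
SAMPLE_SMS_URLS = [
    "https://netbanking-kyc-update.a2hosted.com/login",
    "http://quick-demo.trycloudflare.com/",
    "https://www.example.com/",
    "https://secure-verify.pages.dev/bank",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_SMS_URLS):
        print(r["host"], "->", "; ".join(r["reasons"]))
```

The keyword check is deliberately the weak part: a production pipeline would replace it with trademark matching and screenshot comparison, as the mitigation section recommends, and would feed every tenant label under these suffixes into the reporting workflow regardless of keywords.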
Appendix
Figure: Screenshot of the phishing website used by scammers to steal customers’ net banking credentials
Figure: Minimal cost (in INR) to host a website on A2 Hosting with the temporary domain service
Figure: Screenshot of the price structure offered by A2 Hosting