A team of CloudSEK security researchers has discovered a new phishing tactic used by threat actors (TAs) to target Indian banking customers through hosting provider Hostinger’s preview domains.
The preview feature allows a site to be viewed before its domain is globally resolvable. In other words, website content can be viewed without a live domain, provided an account has been created and a domain has been added to host the site.
The time between when the domain is registered and when the domain becomes globally available is called DNS zone propagation time, which in Hostinger’s case is between 12 and 24 hours.
The anonymous TA allegedly exploited this delay and the preview domain feature to host and distribute phishing URLs for their campaigns.
“Threat actors have consistently launched campaigns to defraud Indian banking users,” the CloudSEK advisory reads. “Campaigns are hosted on phishing domains that are distributed via SMS, email and social media.”
The method would therefore have escaped the real-time monitoring of banks that usually allows them to quickly detect and remove phishing sites.
According to CloudSEK, preview domain URLs are temporary mirrors of their root domains, with the Hostinger preview URL scheme being domain-tld.preview-domain.com. Security researchers said preview URLs remain available for 120 hours after an account is created.
A few examples of preview domains detected by XVigil, CloudSEK’s contextual AI digital risk management platform, are available in the full text of the advisory.
To help mitigate the impact of these attacks, CloudSEK recommended that organizations deploy measures to identify and remove copied domains, as well as monitor previously removed malicious domains.
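One way to act on that recommendation, given the preview URL scheme quoted above, is to screen URLs seen in SMS, email or web logs for Hostinger preview hostnames and map the leading `domain-tld` label back to the brand domain it mirrors. This is an added illustration, not CloudSEK's or Hostinger's code; it assumes the hyphens in that label stand in for the dots of the root domain, and the protected domains and sample URLs are constructed placeholders.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Preview URL scheme as quoted in the advisory: domain-tld.preview-domain.com
PREVIEW_SUFFIX = ".preview-domain.com"

# Constructed placeholders for the domains an organisation wants watched (not real banks).
PROTECTED_DOMAINS = {"examplebank.com", "examplebank.co.in", "example-bank.in"}


def preview_label(url: str) -> Optional[str]:
    """Return the 'domain-tld' label of a preview URL, or None if the URL is not one."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower().rstrip(".")
    if not host.endswith(PREVIEW_SUFFIX):
        return None
    # Take the label directly in front of the suffix; extra subdomains are ignored.
    label = host[: -len(PREVIEW_SUFFIX)].rsplit(".", 1)[-1]
    return label or None


def candidate_roots(label: str) -> List[str]:
    """Expand 'domain-tld' into every root domain it could stand for.

    Assumption: hyphens replace dots. A brand's own hyphen is indistinguishable from
    a separator, so each hyphen is tried as '.' or '-' in turn; 'example-bank-in'
    yields 'example.bank-in', 'example-bank.in' and 'example.bank.in'.
    """
    parts = label.split("-")
    roots = []
    for mask in range(1, 1 << (len(parts) - 1)):  # at least one hyphen becomes a dot
        pieces = [parts[0]]
        for i, part in enumerate(parts[1:]):
            pieces.append(("." if mask >> i & 1 else "-") + part)
        roots.append("".join(pieces))
    return roots


def flag_preview_clone(url: str, protected=PROTECTED_DOMAINS) -> Optional[str]:
    """Return the protected domain a preview URL mirrors, or None if nothing matches."""
    label = preview_label(url)
    if label is None:
        return None
    for root in candidate_roots(label):
        if root in protected:
            return root
    return None
```

A match is a signal to pull the page for review and, per the advisory, to request takedown and keep the domain on a watch list after removal.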
The phishing campaign against Indian users comes months after Indian Prime Minister Narendra Modi’s personal Twitter account was attacked by cybercriminals.
More recently, Indian airline SpiceJet delayed a number of flights in May after reporting it was hit by a ransomware attack.