Security researchers at CloudSEK have discovered a new phishing tactic in which threat actors (TAs) target Indian banking customers using preview domains provided by the hosting provider Hostinger.
Hostinger's preview feature lets a customer view a site hosted on its platform before the site's own domain resolves globally: after creating an account and adding a domain to host the website, the content can be reached through a temporary Hostinger-provided URL rather than through the domain itself.
The interval between registering a domain and the domain becoming globally resolvable is known as DNS zone propagation time; in Hostinger's case it lasts between 12 and 24 hours.
According to CloudSEK, the unnamed TA exploited this window together with the preview domain feature to distribute phishing URLs and run campaigns before the registered domains were live.
“Threat actors have been consistently launching campaigns to defraud Indian banking users,” read the CloudSEK advisory. “Campaigns are hosted on phishing domains that are distributed via text, email and social media.”
As a result, the method eluded the real-time monitoring that banks typically rely on to detect and take down phishing sites quickly: the phishing page is served from a Hostinger subdomain rather than from the look-alike domain itself, so watching for newly registered or newly resolving domains does not catch it while the preview URL is active.
According to CloudSEK, preview domain URLs are temporary mirrors of their root domains, and Hostinger's preview URL scheme is domain-tld.preview-domain.com (reading the scheme literally, the dot before the TLD is replaced by a hyphen, so a site at example.com would be previewed at example-com.preview-domain.com). The researchers said the preview URLs remain available for 120 hours after the account is set up.
Some examples of preview domains detected by CloudSEK’s contextual AI digital risk platform XVigil are available in the advisory’s full text.
To help mitigate the impact of these attacks, CloudSEK recommended that companies deploy measures to identify and take down copy-cat domains, and that they continue to monitor malicious domains that have previously been taken down.
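The URL scheme described above (domain-tld.preview-domain.com) and the take-down recommendation suggest a concrete detection rule: flag any URL whose host sits under preview-domain.com, recover the look-alike domain the attacker registered, and match the label against the brand names a bank already watches. The script below is an added example written for this article, not CloudSEK's or Hostinger's code. It assumes, beyond what the article states, that every dot in the original hostname is encoded as a hyphen (so a label such as samplepay-co-in may stand for samplepay.co.in); the watchlist, URLs and the helper names are constructed for the example.

```python
"""Triage of Hostinger-style preview URLs (added example, not CloudSEK tooling).

Assumption not stated in the article: each dot of the real hostname becomes a
hyphen in the preview label, so 'samplepay-co-in' may stand for samplepay.co.in.
"""
from typing import Optional
from urllib.parse import urlparse

PREVIEW_SUFFIX = ".preview-domain.com"

# Constructed watchlist: brand keywords a bank's monitoring team might track.
BRAND_KEYWORDS = ("examplebank", "samplepay")

# Constructed sample input: URLs as they might arrive from SMS/email feeds.
SAMPLE_URLS = [
    "https://ExampleBank-Login-com.preview-domain.com/verify",
    "https://samplepay-co-in.preview-domain.com/",
    "https://www.example.com/",            # ordinary site, not a preview URL
    "https://preview-domain.com/",         # bare suffix, no customer label
    "http://evil-example.com/preview-domain.com/",  # suffix only in the path
]


def preview_label(url: str) -> Optional[str]:
    """Return the single customer label in front of the preview suffix, or None."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host.endswith(PREVIEW_SUFFIX):
        return None
    label = host[: -len(PREVIEW_SUFFIX)]
    # The documented scheme has exactly one label before the suffix.
    if not label or "." in label:
        return None
    return label


def candidate_domains(label: str) -> list:
    """Reconstruct plausible original hostnames from a hyphen-encoded label.

    The last hyphen is taken as the TLD separator (most likely candidate).
    Because a hyphen may also encode a multi-label suffix such as co.in, the
    second-to-last hyphen is offered as a second candidate.
    """
    parts = label.split("-")
    if len(parts) < 2:
        return []
    candidates = ["-".join(parts[:-1]) + "." + parts[-1]]
    if len(parts) >= 3:
        candidates.append("-".join(parts[:-2]) + "." + parts[-2] + "." + parts[-1])
    return candidates


def brand_hits(label: str) -> list:
    """Brand keywords present in the label once hyphens are ignored."""
    flat = label.replace("-", "")
    return [brand for brand in BRAND_KEYWORDS if brand in flat]


def triage(urls) -> list:
    """Return one finding per preview URL: label, candidate domains, brand hits."""
    findings = []
    for url in urls:
        label = preview_label(url)
        if label is None:
            continue
        findings.append({
            "url": url,
            "label": label,
            "candidates": candidate_domains(label),
            "brands": brand_hits(label),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_URLS):
        print(finding)
```

The candidate domains are what a take-down team should cross-reference against its registered-lookalike watchlist: the preview URL disappears on its own after the 120-hour window, but the domain behind it will start resolving once propagation finishes, so it is the domain, not the preview URL, that needs the take-down request.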
The phishing campaign against Indian users comes months after the personal Twitter account of India's prime minister, Narendra Modi, was attacked by cyber-criminals.
More recently, Indian airline SpiceJet delayed a number of flights in May after reporting being hit by a ransomware attack.