Category: Adversary Intelligence | Industry: Finance & Banking | Motivation: Financial | Region: India | Source*: A1 |
---|
Executive Summary
THREAT | IMPACT | MITIGATION |
---|---|---|
Analysis and Attribution
Modus Operandi
CloudSEK’s contextual AI digital risk platform XVigil has uncovered a new phishing tactic used by threat actors to target Indian banking customers. XVigil has highlighted the recent increase in Hostinger preview domains being used to host phishing sites. The preview domain feature enables access to a site even before it is accessible globally.

- Threat actors have been consistently launching campaigns to defraud Indian banking users.
- Campaigns are hosted on phishing domains that are distributed via text, email, and social media.
- However, real-time monitoring has enabled banks to detect and take down phishing sites quickly.
- Hence, threat actors are constantly looking for novel techniques to evade early detection.
- The latest method involves the domain preview feature provided by Hostinger. This feature allows threat actors to distribute phishing URLs during the DNS Zone Propagation time (time taken for a newly registered domain to start working globally).


Information from phishing URLs
The preview domain URLs are temporary mirrors of their root domains. CloudSEK’s contextual AI digital risk platform XVigil has detected examples of such preview domains.
The Preview Domain Feature
Hostinger is a common Domain Registrar and Hosting Provider. Hostinger provides a feature to view website content without a domain once you create an account and add a domain to host a website. Hostinger’s DNS Zone propagation time is 12-24 hours. To compensate for this period, Hostinger provides the domain preview service, which allows users to build and share their websites on the internet.

- A preview website feature is automatically activated during the new hosting order activation.
- The preview URL scheme is: domain-tld.preview-domain.com.
- The preview URL is available for 120 hours after setting up an account.
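
As an added example (not CloudSEK's or Hostinger's code), the following defender-side triage applies the `domain-tld.preview-domain.com` scheme above to URLs pulled from proxy, mail or SMS-gateway logs: it flags preview hosts whose label contains a watchlisted keyword and lists the root domains that label may stand for, so they can be monitored before DNS propagation completes. The watchlist terms, function names and sample entries are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

PREVIEW_SUFFIX = ".preview-domain.com"  # scheme from the page: domain-tld.preview-domain.com
WATCHLIST = ("examplebank", "kyc")      # assumption: brand/lure keywords chosen by the defender


def hostname_of(entry: str) -> str:
    """Return the lower-cased hostname of a URL or bare host, refanging '[.]'."""
    entry = entry.strip().replace("[.]", ".").lower()
    if "://" not in entry:
        entry = "//" + entry            # lets urlsplit treat a bare host as the netloc
    return (urlsplit(entry).hostname or "").rstrip(".")


def candidate_roots(label: str) -> list[str]:
    """Root domains a 'domain-tld' label may stand for.

    The encoding is lossy (a hyphen in the name looks like the separator),
    so both the one-label and two-label TLD readings are returned.
    """
    parts = label.split("-")
    return ["-".join(parts[:-n]) + "." + ".".join(parts[-n:])
            for n in (1, 2) if len(parts) > n]


def triage(entries):
    """Return (host, matched_keywords, candidate_roots) for watchlisted preview hosts."""
    findings = []
    for entry in entries:
        host = hostname_of(entry)
        label = host.removesuffix(PREVIEW_SUFFIX)
        # Keep only hosts that are exactly one label under the preview suffix.
        if label == host or not label or "." in label:
            continue
        hits = [k for k in WATCHLIST if k in label]
        if hits:
            findings.append((host, hits, candidate_roots(label)))
    return findings


# Constructed sample entries (not taken from the report).
SAMPLE = [
    "https://examplebank-kyc-online[.]preview-domain[.]com/login",
    "Flowershop-com.preview-domain.com",                 # preview host, no keyword
    "http://preview-domain.com.examplebank-kyc.test/",   # suffix is not at the end
    "examplebank-co-in.preview-domain.com",
]

if __name__ == "__main__":
    for host, hits, roots in triage(SAMPLE):
        print(host, hits, roots)
```

Because the preview URL stays available for 120 hours, a flagged host is worth re-checking over that window, and each candidate root is worth watching for the moment it starts resolving.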
