Hostinger’s Preview Domain Feature Abused to Launch Phishing Campaigns and Evade Detection

 

Category: Adversary Intelligence	Industry: Finance & Banking	Motivation: Financial	Region: India	Source*: A1

Executive Summary

THREAT	IMPACT	MITIGATION
Hostinger’s preview domain feature abused to host phishing sites. Phishing domain URL scheme: domain-tld.preview-domain.com Threat actors use preview domains to evade detection.	Loss of revenue and reputation for the impersonate brands. Victims’ PII and bank details can be used for other social engineering attacks and identity theft.	Identify and take down copy-cat domains. Monitor previously taken down malicious domains. Awareness campaigns to educate users and customers.

Analysis and Attribution

Modus Operandi

CloudSEK’s contextual AI digital risk platform XVigil has uncovered a new phishing tactic used by threat actors to target Indian banking customers. XVigil has highlighted the recent increase in Hostinger preview domains being used to host phishing sites. The preview domain feature enables access to a site even before it is accessible globally.

• Threat actors have been consistently launching campaigns to defraud Indian banking users.
• Campaigns are hosted on phishing domains that are distributed via text, email, and social media.
• However, real-time monitoring has enabled banks to detect and take down phishing sites quickly.
• Hence, threat actors are constantly looking for novel techniques to evade early detection.
• The latest method involves the domain preview feature provided by Hostinger. This feature allows threat actors to distribute phishing URLs during the DNS Zone Propagation time (time taken for a newly registered domain to start working globally).

 

 

Information from phishing URLs

The preview domain URLs are temporary mirrors of their root domains. Here are some examples of preview domains detected by CloudSEK’s contextual AI digital risk platform XVigil:

kycfrakyu-online[.]preview-domain[.]com	bankweb-de[.]preview-domain[.]com
kyc451[.]preview-domain[.]com	bankapp-de[.]preview-domain[.]com
kycsupports-online[.]preview-domain[.]com	bankstatements-com-au[.]preview-domain[.]com
kycsbi-in-net[.]preview-domain[.]com	bankingonlinebpmclient-com[.]preview-domain[.]com
kycuserks-online[.]preview-domain[.]com	bankingn26-com[.]preview-domain[.]com
kycsbio-in-net[.]preview-domain[.]com	bankasol-xyz[.]preview-domain[.]com
kycsbiko-com[.]preview-domain[.]com	bankofamerica-upadteonline-com[.]preview-domain[.]com
kycski-online[.]preview-domain[.]com	bank0famerica-verification-com[.]preview-domain[.]com
kycsky-online[.]preview-domain[.]com	Bank0famirecasurfacehelp-com[.]preview-domain[.]com
kyccsbii-online[.]preview-domain[.]com	kycskii-com[.]preview-domain[.]com
kycsbbiyono-com[.]preview-domain[.]com	kyccsbbiko-com[.]preview-domain[.]com
kyccsbii-com[.]preview-domain[.]com

The Preview Domain Feature

Hostinger is a common Domain Registrar and Hosting Provider. Hostinger provides a feature to view website content without a domain once you create an account and add a domain to host a website. Hostinger’s DNS Zone propagation time is 12—24 hours. To compensate for this period, Hostinger provides the domain preview service, which allows users to build and share their websites on the internet.

• A preview website feature is automatically activated during the new hosting order activation.
• The preview URLscheme is: domain-tld.preview-domain.com.
• Preview URL is available for 120 hours after setting up an account.

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia

Appendix