Scammers Misuse A2 Hosting’s Services to Target Indian Banking Customers
December 8, 2022
Category: Adversary Intelligence
Industry: Banking & Finance
Motivation: Financial
Country: India
Source*: A1
Executive Summary
THREAT
Scammers are abusing the temporary domain feature provided by A2 Hosting to create phishing websites targeting Indian banking customers.
Using this feature, scammers are able to evade detection and steal net banking credentials.
IMPACT
Data collected from phishing sites can be sold on the dark web.
Many of the links are not present on the internet, making them difficult to classify before the campaign starts at scale.
Loss of trust in the banks impersonated by the sites.
MITIGATION
Real-time scans to identify and report phishing domains, not just by name, but also by trademarks and images.
Awareness among customers regarding malicious URLs.
Policies to ensure that reverse tunnel service providers assist victims in taking down such sites.
Analysis and Attribution
CloudSEK’s contextual AI digital risk platform XVigil uncovered a phishing campaign that hosted a total of 8 subdomains impersonating the webpages of a popular Indian bank.
The phishing domains were being hosted on A2 Hosting, a US-based web hosting provider that offers shared and managed WordPress hosting, VPS Hosting, reseller hosting and dedicated hosting along with commerce hosting.
Modus Operandi
As an improvised modus operandi, the campaign abused a service offered by A2 Hosting.
To avoid detection and takedowns, the threat actors hosted their websites on subdomains under *.a2hosted.com.
To deliver the phishing page, the scammers used SMS-based spam techniques (smishing).
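A defender-side triage sketch for the pattern described above, added here as an example and not taken from CloudSEK's tooling: it pulls links out of reported SMS text, flags hosts that sit under a watched shared-hosting suffix, and looks for brand terms in the message rather than only in the hostname. Only the a2hosted.com suffix comes from the report; `BRAND_TERMS`, the function names and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Suffix named in the report; other providers' temporary-domain suffixes can be added.
SHARED_HOSTING_SUFFIXES = ("a2hosted.com",)
# Hypothetical brand and lure terms for the institution being protected.
BRAND_TERMS = ("examplebank", "netbanking", "kyc")
HOSTNAME_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
SCHEME_RE = re.compile(r"[a-z][a-z0-9+.-]*://", re.I)

def hosts_in(text):
    """Extract hostnames from SMS text, including links written without a scheme."""
    hosts = []
    for token in text.split():
        token = token.strip("()[]<>.,;!\"'")
        if not SCHEME_RE.match(token):
            token = "http://" + token
        try:
            # .hostname drops userinfo, so "a2hosted.com@other.example" yields other.example
            host = (urlsplit(token).hostname or "").rstrip(".")
        except ValueError:
            continue
        if HOSTNAME_RE.fullmatch(host):
            hosts.append(host)
    return hosts

def shared_hosting_suffix(host):
    """Return the watched suffix if host is a subdomain of it (label-boundary match)."""
    return next((s for s in SHARED_HOSTING_SUFFIXES if host.endswith("." + s)), None)

def triage_sms(text):
    """One finding per shared-hosting link; brand terms are searched in the whole message."""
    terms = [t for t in BRAND_TERMS if t in text.lower()]
    return [
        {"host": h, "suffix": shared_hosting_suffix(h), "brand_terms": terms,
         "verdict": "report" if terms else "review"}
        for h in hosts_in(text) if shared_hosting_suffix(h)
    ]

# Constructed sample messages; hostnames are placeholders, not observed indicators.
SAMPLES = [
    "ExampleBank alert: account blocked. Update KYC at http://constructed-sample.a2hosted.com/verify",
    "Your parcel is waiting, see tracking-sample.a2hosted.com.",
    "Login at https://a2hosted.com@portal.example.net/kyc",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms))
```

The third sample shows why the host is parsed rather than substring-matched: the watched suffix appears in the URL, but the link actually resolves to a different host and is not flagged.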
Registering Subdomains Via A2 Hosting
A2 Hosting provides a variety of services, including a temporary domain service that can be used to host any kind of website without registering a new domain.
It offers various flexible plans at different prices, but it does not provide any free services.
Screenshot of the services offered by A2 Hosting
Similar Phishing Campaigns
Scammers are rapidly adopting newer technologies and abusing services and features provided by various SaaS platforms.
In 2022, CloudSEK observed a new trend of abusing domain forwarding services (mostly freemium) offered by web hosting providers to host phishing pages.
These campaigns are usually targeted at Indian banking customers.
Previously the following services were abused by threat actors for their campaigns: