Scammers Misuse A2 Hosting’s Services to Target Indian Banking Customers

December 8, 2022

Category: Adversary Intelligence
Industry: Banking & Finance
Motivation: Financial
Country: India
Source*: A1

Executive Summary

THREAT
  • Scammers are abusing the temporary domain feature provided by A2 Hosting to create phishing websites targeting Indian banking customers.
  • Using this, scammers are able to evade detection and steal net banking credentials.

IMPACT
  • Data collected from phishing sites can be sold on the dark web.
  • Many of the links are not present on the internet, making it difficult to classify them before the campaign starts at scale.
  • Loss of trust in the banks impersonated by the sites.

MITIGATION
  • Real-time scans to identify and report phishing domains, not just by name, but also by trademarks and images.
  • Awareness among customers regarding malicious URLs.
  • Policies to ensure that reverse tunnel service providers assist victims in taking down such sites.

Analysis and Attribution

  • CloudSEK’s contextual AI digital risk platform XVigil uncovered a phishing campaign that hosted a total of 8 subdomains impersonating the webpages of a popular Indian bank.
  • The phishing domains were being hosted on A2 Hosting, a US-based web hosting provider that offers shared and managed WordPress hosting, VPS Hosting, reseller hosting and dedicated hosting along with commerce hosting.

Modus Operandi

  • As an improvised modus operandi, the campaign abused a service offered by A2 Hosting.
  • To avoid detection and takedowns, the threat actors hosted the websites as subdomains under *.a2hosted.com.
  • To deliver the phishing page, the scammers used SMS-based spam techniques (smishing).

Registering Subdomains Via A2 Hosting

  • A2 Hosting provides a variety of services including a temporary domain service which can be used to host any kind of website without registering any new domain.
  • It has various flexible plans (of different prices) but it does not provide any free services.
Screenshot of the services offered by A2 Hosting

Similar Phishing Campaigns

  • Scammers are rapidly adopting newer technologies and abusing services/features provided by various SaaS platforms.
  • In 2022, CloudSEK observed a new trend of abusing domain forwarding services (mostly freemium) offered by web hosting providers to host phishing pages.
  • These campaigns are usually targeted at Indian banking customers.
  • Previously, the following services were abused by threat actors for their campaigns:
      • Reverse tunneling services offered by ngrok, TryCloudflare, LocalHostRun and more.
      • Cloudflare Pages
      • Hostinger’s Preview Domain
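
A triage sketch for the pattern described above, added here as an example and not taken from CloudSEK's tooling: it pulls URLs out of SMS text, flags hosts that sit under a shared hosting or tunnel suffix, and raises the verdict when a brand term appears in the host or path. Only a2hosted.com comes from this report; the other suffixes, the brand terms and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Only a2hosted.com comes from the report; the other suffixes are assumptions
# for the services it names. Extend the table from your own telemetry.
SHARED_SUFFIXES = {
    "a2hosted.com": "A2 Hosting temporary domain",
    "ngrok.io": "ngrok tunnel",
    "trycloudflare.com": "TryCloudflare tunnel",
    "pages.dev": "Cloudflare Pages",
}
BRAND_TERMS = ("examplebank", "netbanking")  # hypothetical brand watch-list
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def shared_service(host):
    """Name the shared service if host is a subdomain of a listed suffix."""
    host = host.lower().rstrip(".")
    for suffix, name in SHARED_SUFFIXES.items():
        if host.endswith("." + suffix):  # match on a label boundary only
            return name
    return None

def triage(message):
    """Return (url, verdict, service) for each shared-suffix URL in a message."""
    hits = []
    for raw in URL_RE.findall(message):
        url = raw.rstrip(".,;:!?)")  # drop sentence punctuation after the URL
        try:
            parts = urlsplit(url)
            host = parts.hostname or ""
        except ValueError:  # malformed authority, e.g. broken IPv6 literal
            continue
        service = shared_service(host)
        if service is None:
            continue
        # Ignore separators so "example-bank" still matches "examplebank".
        text = re.sub(r"[^a-z0-9]", "", (host + parts.path).lower())
        verdict = "high" if any(t in text for t in BRAND_TERMS) else "review"
        hits.append((url, verdict, service))
    return hits

# Constructed SMS samples (not taken from the campaign).
SAMPLES = [
    "ExampleBank: account blocked, update KYC at http://example-bank-kyc.a2hosted.com/login.",
    "Your preview is ready: https://portfolio-demo.a2hosted.com/",
    "Offer: https://a2hosted.com.evil.example/examplebank",
    "Statement: https://nota2hosted.com/netbanking",
]
```

A "review" verdict only means the host is on shared infrastructure, which legitimate sites also use, so it should feed a trademark or image check rather than a block list.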

Appendix

Screenshot of the phishing website used by scammers to steal customers’ net banking credentials

Minimal cost (in INR) to host a website in A2 Hosting with Temporary Domain Service

Screenshot of the price structure offered by A2 Hosting