Category: Adversary Intelligence	Industry: Banking & Finance	Motivation: Financial	Country: India	Source*: A1

Executive Summary

THREAT	IMPACT	MITIGATION
Scammers are abusing the temporary domain feature, provided by A2 Hosting, to create phishing websites for targeting Indian banking customers. Using this scammers are able to evade detection and steal net banking credentials.	Data collected from phishing sites can be sold on the dark web. Many of the links are not present on the internet, making it difficult to classify before the campaign starts on a scale. Loss of trust in banks impersonated by the sites.	Real-time scans to identify and report phishing domains, not just by name, but also by trademarks and images. Awareness among customers regarding malicious URLs. Policies to ensure that reverse tunnel service providers assist victims in taking down such sites.

Analysis and Attribution

• CloudSEK’s contextual AI digital risk platform XVigil uncovered a phishing campaign that hosted a total of 8 subdomains impersonating the webpages of a popular Indian bank.
• The phishing domains were being hosted on A2 Hosting, a US-based web hosting provider that offers shared and managed WordPress hosting, VPS Hosting, reseller hosting and dedicated hosting along with commerce hosting.

Modus Operandi

• As an improvised modus operandi the campaign abused a service offered by A2 Hosting.
• To avoid detection and takedowns, the threat actors hosted websites under the subdomain of *.a2hosted.com.
• To deliver the phishing page the scammer used SMS-based spam techniques (smishing).

Registering Subdomains Via A2 Hosting

• A2 Hosting provides a variety of services including a temporary domain service which can be used to host any kind of website without registering any new domain.
• It has various flexible plans (of different prices) but it does not provide any free services.

[caption id="attachment_21946" align="alignnone" width="1495"] Screenshot of the services offered by A2 Hosting[/caption] Similar Phishing Campaigns

• Scammers are rapidly adopting newer technologies and abusing services/features provided by various SaaS platforms.
• In 2022, CloudSEK observed a new trend of abusing domain forwarding services(mostly freemium) offered by web hosting providers to host phishing pages.
• These campaigns are usually targeted at Indian banking customers.
• Previously the following services were abused by threat actors for their campaigns:
• Reverse tunneling services offered by nGrok, TryCloudflare, LocalHostRun and more.
• Cloudflare Pages
• Hostinger’s Preview Domain

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia

Appendix

[caption id="attachment_21947" align="alignnone" width="1468"] Screenshot of the phishing website used by scammers to steal customers’ net banking credentials[/caption]   [caption id="attachment_21948" align="alignnone" width="1538"] Minimal cost (in INR) to host a website in A2 Hosting with Temporary Domain Service[/caption]   [caption id="attachment_21949" align="alignnone" width="1912"] Screenshot of the price structure offered by A2 Hosting[/caption]