Hackers Exploit Hostinger’s Preview Domain Feature to Launch Phishing Campaigns
A team of security researchers from CloudSEK has reportedly discovered a new phishing technique that threat actors are using to target banking customers in India. The phishing campaign operates via preview domains from the hosting provider Hostinger. The feature allows access to a site before it is accessible globally. This means that users can view website content without a domain, after creating an account and adding a domain. In the period between when the domain is registered and when it becomes globally available, a threat actor could use the preview domain feature to distribute phishing URLs and campaigns. This period is called the DNS zone propagation time, and typically lasts between 12 and 24 hours.
Threat actors have been consistently targeting Indian banking users, according to CloudSEK. The preview domain URLs are temporary mirrors of the legitimate root domains, with the Hostinger preview URL scheme having its own address. Security researchers stated that the preview URLs are available roughly 120 hours after setting up an account. CloudSEK has recommended that companies deploy measures that seek to identify and remove copy-cat domains to keep users safe from this threat.