Phishing operators abused preview-domain for malicious attacks

August 9, 2022
Phishing Operators Preview-domain Malicious Webpage CyberAttacks Banking Hostinger Phishing Scheme

Our team at iZOOlogic has recently observed phishing operators abusing Hostinger's preview-domain feature to host phishing websites, and the abuse is ongoing.

The domain “preview-domain[.]com”, owned by Hostinger International and registered in 2019, backs a feature that lets a customer preview a website after purchasing hosting. The site is reachable through the preview hostname before it is publicly available under its own domain.

Phishing operators can register lookalike domains through any registrar. They can also buy a Hostinger hosting plan and abuse the preview-domain feature to serve their phishing page, circulating the preview URL rather than (or alongside) their own domain. The preview URL remains reachable for 120 hours from the time it is generated.

Several phishing operators currently use “preview-domain” hostnames to bypass security detections: because the hostname sits under a legitimate Hostinger-owned domain, reputation checks and blocklists keyed on the registrable domain do not flag it.

However, these preview hostnames are quickly picked up by banks that run real-time monitoring. Once affected entities report them to us, our cybersecurity team starts takedown immediately.

Our forensic analysis of these incidents shows that the phishing hostname follows the format domain-tld[.]preview-domain[.]com: the customer's domain and its TLD are joined with a hyphen to form a single label under preview-domain[.]com (a hypothetical site registered as example[.]xyz would be previewed at example-xyz[.]preview-domain[.]com). The underlying domain itself can be registered with any registrar and hosted with any provider.

In our tally, about 90% of the underlying domains are hosted with Hostinger, and the registry is either XYZ (operator of .xyz) or Radix (operator of TLDs such as .online, .site, .tech and .store). Only a small fraction use the [.]com TLD or other TLDs.

We deal with this scheme continually: roughly eight to ten such phishing websites are reported to us every day.

When a victim opens the phishing site, it mimics the targeted bank's authentic login page, complete with the official logos and banners. Most users are therefore convinced by the login page they are redirected to.

Nonetheless, our analysts have identified tells that help spot these pages. For one, most of these phishing sites render noticeably zoomed in compared with the genuine bank page.

The phishing login forms typically request a username, password and contact number. Once the victim submits these, the page redirects to an OTP form asking for the one-time PIN sent to the contact number supplied, so the operators can complete the login in real time.

Each preview-domain incident we receive is effectively two phishing hosts: the preview URL itself, and the primary domain that can be recovered from it by splitting the domain-tld label. In some cases the primary domain is already inactive while the preview hostname is still up, so both must be tracked and taken down.
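The triage helper below is an added example written for this article, not iZOOlogic's or Hostinger's code. It implements the hostname format described above (domain-tld.preview-domain.com), recovers the primary domain from the preview URL so both hosts can be queued for takedown, and shows why a reputation check keyed on the registrable domain misses these URLs. The sample URLs are constructed for illustration, the registry-to-TLD mapping is a non-exhaustive assumption, and the registrable-domain function is a deliberately naive last-two-labels approximation.

```python
"""Triage helper for Hostinger preview-domain phishing URLs (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Hostname format described in the article: <domain>-<tld>.preview-domain.com
# The domain part may itself contain hyphens; the TLD is the last hyphen token.
_PREVIEW_RE = re.compile(r"^(?P<label>[a-z0-9-]+)\.preview-domain\.com$")

# Assumption: non-exhaustive mapping of TLDs to the registries the article names.
_REGISTRY_TLDS = {
    "XYZ": {"xyz"},
    "Radix": {"online", "site", "website", "tech", "store", "space", "fun", "press", "host"},
}

# Constructed sample input (not real incidents).
SAMPLE_URLS = [
    "https://securebank-xyz.preview-domain.com/login",
    "https://my-bank-online.preview-domain.com/otp",
    "https://www.preview-domain.com/",   # Hostinger's own page, no domain-tld label
    "https://example.com/",              # unrelated host
]


@dataclass(frozen=True)
class PreviewHit:
    preview_host: str
    primary_domain: str
    tld: str
    registry: str


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). This is what a reputation check keyed on
    the registrable domain sees: the legitimate Hostinger parent, not the phish."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def registry_for(tld: str) -> str:
    """Map a TLD to the registry named in the article, or 'other'."""
    for registry, tlds in _REGISTRY_TLDS.items():
        if tld in tlds:
            return registry
    return "other"


def parse_preview_url(url: str) -> Optional[PreviewHit]:
    """Return the preview host and recovered primary domain, or None if the URL
    is not a domain-tld.preview-domain.com phishing hostname."""
    host = (urlsplit(url).hostname or "").lower()
    match = _PREVIEW_RE.match(host)
    if not match:
        return None
    label = match.group("label")
    if "-" not in label:
        return None  # e.g. www.preview-domain.com: no domain-tld label
    name, tld = label.rsplit("-", 1)  # split on the LAST hyphen only
    if not name or not tld:
        return None
    return PreviewHit(host, f"{name}.{tld}", tld, registry_for(tld))


def takedown_targets(urls: Iterable[str]) -> List[str]:
    """Each hit yields two hosts to act on: the preview URL and the primary domain
    (the primary domain may already be down while the preview host stays live)."""
    targets = set()
    for url in urls:
        hit = parse_preview_url(url)
        if hit:
            targets.update({hit.preview_host, hit.primary_domain})
    return sorted(targets)


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        hit = parse_preview_url(url)
        seen_by_reputation = registrable_domain(urlsplit(url).hostname or "")
        print(f"{url}\n  reputation sees: {seen_by_reputation}\n  hit: {hit}")
    print("takedown targets:", takedown_targets(SAMPLE_URLS))
```

Note that `registrable_domain` returns `preview-domain.com` for every hit, which is why a monitoring rule should match the `*.preview-domain.com` pattern and inspect the label rather than trust the parent domain's reputation.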

We at iZOOlogic recommend that users report these preview-domain abuses to our security experts immediately so that similar phishing incidents can be mitigated.
