A team of security researchers from CloudSEK have reportedly discovered a new phishing technique that threat actors are exploiting to target banking customers in India. The phishing campaign works through Hostinger hosting provider preview domains. The feature allows access to a certain site before it is globally accessible. This means that users can view website content without a domain, after creating an account and adding a domain. Between the time the domain is registered and the time it becomes available globally, a malicious actor could preview the functionality of the domain to distribute URLs and phishing campaigns. This period is called the DNS zone propagation time and usually lasts between 12 and 24 hours.
Threat actors have consistently targeted Indian banking users, according to CloudSEK. Preview domain URLs are temporary mirrors of legitimate root domains, with the Hostinger preview URL scheme having its own address. Security researchers said preview URLs are available approximately 120 hours after an account is created. CloudSEK recommended that companies deploy measures to identify and remove copied domains to protect users from this threat.