Digital Risk Management firm, CloudSEK, discovered a new phishing attack by an unknown malicious actor. The attack has been linked to Hostinger’s preview domain feature, which allows users to access a site before it is available to everyone.
Hostinger is a popular hosting and domain registrar with over 24 million users. As a hosting provider, one of its features allows users to view an unfinished website with an attached domain.
The hackers exploited the domain’s DNS Zone Propagation time, which is the time between when a domain is registered and becomes available globally. Depending on the domain provider, the DNS Zone Propagation time is different. As for Hostinger, the propagation time is somewhere between 12 to 24 hours.
Hostinger’s preview domain exploited
According to a post by Infosecurity Magazine, the unknown threat actor exploited the DNS Zone Propagation time and distributed phishing URLs and campaigns. The main target of the exploit was bank users in India, who received phishing emails and texts through the preview domains.
The post also stated the nature of preview domains, saying, “preview domain URLs are temporary mirrors of their root domains, with the Hostinger preview URL scheme being domain-tld.preview-domain.com.”
The preview URLs of these unfinished websites stay available for up to 120 hours, and hackers use this timeframe to launch a phishing attack on users, who’re more likely prone to fall for these tricks.
CloudSEK expresses concern
CloudSEK has shared its concern over Hostinger’s preview domain feature exploit. The company urged firms to monitor similar-looking domains and take down suspicious ones before they could do more harm. These attacks usually stem from a simple-looking website or a page that tricks users into thinking they are using the official website. However, by simply changing the website’s design, text, and links, hackers exploit users into giving them personal and financial information, which becomes an ordeal for users, who usually get drained of their bank balances.