Threat actors are using Hostinger’s preview domains feature to target Indian banking customers in a new phishing campaign. The feature in the hosting provider allows threat actors to access a site before it is publicly available, allowing them to view website content before a domain is assigned to it.

What are preview domain URLs?

In the Hostinger preview URL scheme, domain-tld.preview-domain[.]com is the temporary mirror of the root domain. After creating an account, the preview URLs are active for a maximum of 120 hours.
Examples of Hostinger’s preview domain feature abused to launch phishing campaigns can be accessed in the list here.

Attack methodology

When a new domain is registered on Hostinger, it may take 12–24 hours for it to become operational globally.
  • These 12-24 hours aka DNS Zone Propagation time is the time between when a domain is registered and when it becomes globally available. 
  • Researchers believe the threat actors made use of the propagation time and the preview domain feature to distribute phishing URLs and campaigns to defraud Indian banking users.
  • Texts, emails, and social media are used to disseminate the campaigns hosted on phishing domains.

The bank's real-time monitoring tool, which usually allows it to swiftly identify and take down phishing sites, has likely been missing the phishing effort of cybercriminals.

Similar attack

Trustwave SpiderLabs researchers last month issued a warning about an increase in phishing attacks using the decentralized IPFS Network, which is quickly becoming the new hotspot for hosting phishing sites. 


Threat actors continue to use different methods to carry out successful phishing campaigns. Researchers suggest identifying and removing duplicate domains, as well as monitoring previously removed malicious domains, can help companies mitigate the impact of these attacks.
Cyware Publisher