A sophisticated phishing-as-a-service (PhaaS) platform, dubbed “Morphing Meerkat” by researchers, has been discovered leveraging DNS mail exchange (MX) records to dynamically serve fake login pages for over 100 brands.
The platform, which has been operational since at least January 2020, employs a range of advanced techniques to evade detection and target users globally.
The PhaaS operation utilizes DNS over HTTPS (DoH) to query MX records of victims’ email domains, allowing it to dynamically load phishing templates that closely mimic the legitimate login pages of the targeted email service providers.
This technique enables the threat actors to personalize the phishing experience and increase the likelihood of credential theft.
Evasion Tactics and Global Reach
Morphing Meerkat employs multiple evasion tactics to bypass security systems and hinder analysis. These include exploiting open redirects on adtech infrastructure, using compromised WordPress sites, and leveraging free web hosting services.

According to the report, the phishing kits also implement anti-analysis features such as blocking keyboard shortcuts and right-clicks, as well as employing heavy code obfuscation and inflation.
The platform’s global reach is facilitated by a translation module that can convert phishing page text into over a dozen languages based on the victim’s browser settings.
This allows the threat actors to target users worldwide with localized content.
Credential Harvesting and Distribution
The PhaaS platform offers multiple methods for collecting and distributing stolen credentials, including email delivery using the EmailJS library, PHP scripts, AJAX requests, and communication with messaging platforms like Telegram.
These varied exfiltration techniques provide flexibility for the threat actors using the service.
Researchers have observed thousands of spam emails associated with Morphing Meerkat campaigns, with a significant portion originating from specific internet service providers.

This centralized distribution pattern strongly suggests the operation of a common PhaaS system rather than individual threat actors adopting the same phishing kit.
The discovery of Morphing Meerkat highlights the evolving sophistication of phishing operations and the need for enhanced DNS security measures.
Organizations are advised to implement strong DNS controls, limit access to non-essential services, and maintain vigilance against these advanced phishing techniques that exploit DNS infrastructure.
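One way to look for the DoH MX lookups described above in web proxy logs, as an added example that is not taken from the report or the original article. The log layout (time, client, method, URL, referer), the resolver host list and the sample lines are assumptions constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Assumption: public DoH resolvers to watch; extend with those your proxy sees.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}
MX = 15  # DNS resource record type number for MX

def wire_question(b64url):
    """Return (qname, qtype) from an RFC 8484 GET `dns=` value, or None."""
    try:
        msg = base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
        pos, labels = 12, []  # the question follows the 12-byte DNS header
        while msg[pos]:
            n = msg[pos]
            if n > 63:  # compression pointer or invalid label length
                return None
            labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        qtype = msg[pos + 1] << 8 | msg[pos + 2]  # big-endian QTYPE
        return ".".join(labels), qtype
    except (ValueError, IndexError):
        return None

def find_doh_mx_lookups(log_lines):
    """Flag proxy log entries where a client asks a DoH resolver for MX records."""
    hits = []
    for line in log_lines:
        fields = line.split(" ", 4)  # time client method url referer
        if len(fields) != 5:
            continue
        ts, client, _method, url, referer = fields
        parts, question = urlsplit(url), None
        q = parse_qs(parts.query)
        if parts.hostname not in DOH_HOSTS:
            continue
        if "dns" in q:  # RFC 8484 wire format carried in the query string
            question = wire_question(q["dns"][0])
        elif "name" in q:  # JSON API style: ?name=...&type=MX
            qtype = q.get("type", ["A"])[0].upper()
            question = (q["name"][0], MX if qtype in ("MX", "15") else 0)
        if question and question[1] == MX:
            hits.append({"time": ts, "client": client, "domain": question[0], "referer": referer})
    return hits

SAMPLE_LOG = [  # constructed sample proxy log, not real traffic
    "2025-03-28T09:14:02Z 10.0.4.17 GET https://dns.google/resolve?name=example.com&type=MX https://landing.example.net/doc.html",
    "2025-03-28T09:14:05Z 10.0.4.22 GET https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDb3JnAAAPAAE https://landing.example.net/doc.html",
    "2025-03-28T09:15:40Z 10.0.4.31 GET https://dns.google/resolve?name=example.org&type=A -",
]
```

DoH requests sent with POST carry the query in the request body, so URL-based proxy logs will not show them; those need TLS inspection or resolver-side logging.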