A phishing-as-a-service (PhaaS) platform has been observed generating phishing kits that use DNS mail exchange (MX) records to serve fake login pages spoofing over 100 brands, cybersecurity company Infoblox reports.
The platform, likely operated by a threat actor tracked as Morphing Meerkat, provides users with services such as mass spam delivery, email security system bypass, and obfuscation.
According to Infoblox, the threat actor exploits open redirect vulnerabilities on adtech infrastructure, uses compromised domains to send phishing emails, and distributes stolen credentials via email and chat services.
Phishing kits generated by the PhaaS platform and used in attacks for roughly five years show consistent behavior, indicating that they are the product of a single threat actor, with the observed activity seemingly centralized, mainly around two internet services providers (ISPs): iomart (UK) and HostPapa (US).
Morphing Meerkat’s platform uses compromised WordPress sites to redirect victims, relies on DNS MX records to identify email services providers and dynamically serve phishing pages, and dynamically translates the phishing content in over a dozen languages, Infoblox has discovered.
“Virtually all Morphing Meerkat attacks target email user login credentials, and the developers of the PhaaS platform appear to have designed it specifically for this kind of activity,” the cybersecurity firm notes.
The activity likely started around January 2020, spoofing Gmail, Outlook, AOL, Office 365, and Yahoo, and has since evolved significantly, now dynamically loading web templates that spoof 114 different brands.
Morphing Meerkat’s PhaaS platform has been targeting internet users at scale, globally, relying on a translation JavaScript module to convert the text to the victim’s browser language. Victims include high-profile professionals at financial services software companies.
The phishing emails display a generic icon or image for the victim’s email services provider, with some of the messages spoofing logistics shipping services or banking organizations. Scare tactics are employed to create a sense of urgency and convince the victim to click an included link.
To evade detection, the phishing messages contain links to compromised websites, URL shorteners, or free services, they abuse adtech infrastructure for redirection, and exploit open redirect vulnerabilities in the Google-owned ad network DoubleClick.
To deliver targeted attacks, the platform dynamically loads HTML code based on the email service’s DNS MX record, resulting in highly convincing phishing pages that display content consistent with the email service. Cloudflare and Google DNS over HTTPS (DoH) are used for this activity.
Harvested credentials are sent to the attackers via email, PHP scripts on the site, Asynchronous JavaScript and XML (AJAX) requests for remote transfers, or web API hooks for communication over text channels.
Related: Microsoft 365 Targeted in New Phishing, Account Takeover Attacks
Related: Chinese Hackers Have Been Probing DNS Networks Globally for Years: Report
Related: Russian State Hackers Target Organizations With Device Code Phishing
Related: Fake DeepSeek Sites Used for Credential Phishing, Crypto Theft, Scams
