Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that uses Domain Name System (DNS) mail exchange (MX) records to serve fake login pages impersonating roughly 114 brands.
Infoblox, a DNS intelligence firm, is monitoring the actor behind the PhaaS, the phishing kit, and related activities under the designation Morphing Meerkat.
According to the company’s report, “The threat actor behind the campaigns frequently exploits open redirects on adtech infrastructure, compromises domains for phishing distribution, and distributes stolen credentials through several mechanisms, including Telegram.”
A campaign leveraging the PhaaS toolkit was documented by Forcepoint in July 2024, where phishing emails contained links to a purported shared document that, when clicked, directed the recipient to a fake login page hosted on Cloudflare R2, ultimately collecting and exfiltrating credentials via Telegram.
Morphing Meerkat is estimated to have delivered thousands of spam emails, using compromised WordPress websites and open redirect vulnerabilities on advertising platforms such as Google-owned DoubleClick to get past security filters.
Additionally, it can dynamically translate phishing content text into over a dozen languages, including English, Korean, Spanish, Russian, German, Chinese, and Japanese, to target users worldwide.
The phishing landing pages also include anti-analysis measures: right-click is disabled and the Ctrl + S and Ctrl + U shortcuts (save page, view source) are blocked, and the page code is obfuscated and padded to make it harder to read. These are browser-side hindrances only; fetching the page with a command-line client or opening the developer tools bypasses the key and mouse handlers.
What sets the kit apart is that it looks up the DNS MX record of the victim's email domain, using Cloudflare's or Google's DNS-over-HTTPS service, to identify the victim's email provider and then dynamically serves a matching fake login page. If the kit does not recognise the MX record, it falls back to a Roundcube login page.
Infoblox stated, “This attack method is advantageous to bad actors as it enables them to carry out targeted attacks on victims by displaying web content strongly related to their email service provider.”
“The overall phishing experience feels natural because the design of the landing page is consistent with the spam email’s message, helping the actor trick the victim into submitting their email credentials via the phishing web form.”
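The MX-based tailoring described above, as an added example that is not the kit's code and not from the Infoblox or Forcepoint reports: a client-side script turns the victim's email address into a DNS-over-HTTPS MX query, maps the answering mail host to a provider, and falls back to a generic Roundcube page when nothing matches. The provider map covers a handful of well-known MX hostname suffixes and is an assumption (the page names no patterns); the DoH responses are constructed inline so the example runs offline. A small defender-side check at the end, `isDohMxLookupUrl`, flags outbound URLs that look like such a lookup, which is a signal worth watching for in proxy or browser telemetry since ordinary login pages have no reason to resolve MX records.

```javascript
// Added example: how a page can pick a brand-specific login form from the
// victim's MX record via DNS-over-HTTPS, plus a check for that lookup.
// Not the kit's code; the provider map below is illustrative only.

// Illustrative MX hostname suffix -> provider label (assumption; the real
// kit reportedly recognises ~114 brands).
const MX_PROVIDER_PATTERNS = [
  { suffix: ".google.com", provider: "gmail" },
  { suffix: ".googlemail.com", provider: "gmail" },
  { suffix: ".mail.protection.outlook.com", provider: "microsoft365" },
  { suffix: ".yahoodns.net", provider: "yahoo" },
  { suffix: ".zoho.com", provider: "zoho" },
];
const FALLBACK_PROVIDER = "roundcube"; // generic webmail page when unrecognised

// Extract the domain from an email address; null if it is not one.
function domainFromEmail(email) {
  const m = /^[^@\s]+@([^@\s]+)$/.exec(String(email).trim());
  return m ? m[1].toLowerCase() : null;
}

// URL for a DoH JSON MX query (Cloudflare's endpoint; Google's equivalent is
// https://dns.google/resolve?name=<domain>&type=MX).
function dohMxUrl(domain) {
  return "https://cloudflare-dns.com/dns-query?name=" +
    encodeURIComponent(domain) + "&type=MX";
}

// Parse a DoH JSON answer ({"Status":0,"Answer":[{"type":15,"data":"10 host."}]})
// into MX hostnames ordered by preference. Non-zero Status (e.g. 3 = NXDOMAIN)
// or a missing Answer section yields an empty list.
function mxHostsFromDohJson(json) {
  if (!json || json.Status !== 0 || !Array.isArray(json.Answer)) return [];
  return json.Answer
    .filter((rr) => rr.type === 15) // 15 is the MX record type
    .map((rr) => {
      const [pref, host] = String(rr.data).trim().split(/\s+/);
      return { pref: Number(pref), host: host.replace(/\.$/, "").toLowerCase() };
    })
    .sort((a, b) => a.pref - b.pref)
    .map((r) => r.host);
}

// First MX host that matches a known suffix wins; otherwise fall back.
function providerForMxHosts(hosts) {
  for (const host of hosts) {
    for (const { suffix, provider } of MX_PROVIDER_PATTERNS) {
      if (host === suffix.slice(1) || host.endsWith(suffix)) return provider;
    }
  }
  return FALLBACK_PROVIDER;
}

// Constructed sample DoH responses standing in for live lookups.
const SAMPLE_DOH_RESPONSES = {
  "example-corp.com": { Status: 0, Answer: [
    { name: "example-corp.com.", type: 15, TTL: 300,
      data: "10 example-corp-com.mail.protection.outlook.com." } ] },
  "gmail.com": { Status: 0, Answer: [
    { name: "gmail.com.", type: 15, TTL: 3600, data: "30 alt3.gmail-smtp-in.l.google.com." },
    { name: "gmail.com.", type: 15, TTL: 3600, data: "5 gmail-smtp-in.l.google.com." } ] },
  "selfhosted.example": { Status: 0, Answer: [
    { name: "selfhosted.example.", type: 15, TTL: 3600, data: "10 mail.selfhosted.example." } ] },
  "nomx.example": { Status: 3 }, // NXDOMAIN: no Answer section at all
};

// End to end: email -> domain -> MX lookup -> provider label. The lookup
// parameter defaults to the constructed table; a live page would fetch dohMxUrl().
function providerForEmail(email, lookup = (d) => SAMPLE_DOH_RESPONSES[d]) {
  const domain = domainFromEmail(email);
  if (!domain) return FALLBACK_PROVIDER;
  return providerForMxHosts(mxHostsFromDohJson(lookup(domain)));
}

// Defender-side check: does an outbound URL look like a client-side DoH MX
// lookup? The resolver host list is an assumption covering the two providers
// the page names.
function isDohMxLookupUrl(url) {
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  const dohHosts = new Set(["cloudflare-dns.com", "dns.google", "1.1.1.1"]);
  if (!dohHosts.has(u.hostname)) return false;
  const type = (u.searchParams.get("type") || "").toUpperCase();
  return u.searchParams.has("name") && (type === "MX" || type === "15");
}

console.log(providerForEmail("alice@example-corp.com")); // microsoft365
console.log(providerForEmail("carol@selfhosted.example")); // roundcube
```

The fallback path matters as much as the matches: an unrecognised provider, an NXDOMAIN answer, or an input that is not an email address all land on the generic Roundcube page rather than failing, which is why the lure still looks plausible for self-hosted mail domains.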