The newly discovered Morphing Meerkat phishing-as-a-service (PhaaS) platform uses Domain Name System (DNS) mail exchange (MX) records to serve phoney login pages that can impersonate about 114 brands.
Based on reports, the threat actor behind the campaigns frequently exploits open redirection on ad tech domains, compromises infrastructure for phishing distribution, and distributes stolen credentials through various channels, including Telegram.
Separate research also documented one such campaign using the PhaaS toolkit in July last year. In this instance, phishing emails contained links to a supposedly shared document that, when clicked, directed the recipient to a fake login page hosted on Cloudflare R2.
The campaign's primary objective is to collect and exfiltrate credentials via Telegram.
Morphing Meerkat spreads its phishing messages through spam emails.
Morphing Meerkat allegedly distributes hundreds of spam emails whose phishing links route through hijacked WordPress websites and open redirect vulnerabilities on ad systems such as Google's DoubleClick to evade security checks.
Additionally, it can dynamically translate the phishing page text into over a dozen languages, including English, Chinese, Russian, Korean, Spanish, German, and Japanese, which allows it to target users worldwide.
In addition to obfuscating and padding the code to hinder readability, the phishing landing pages include anti-analysis measures that block right-click and the keyboard hotkey combinations Ctrl + S (save the web page as HTML) and Ctrl + U (open the web page source code).
What sets this tool apart is that it lets its operators look up the victim's DNS MX records through Cloudflare or Google, determine the victim's email service provider from the result, and dynamically serve a matching fake login page.
If the phishing kit cannot recognise the MX record, it will redirect to the Roundcube login page.
Furthermore, this attack strategy benefits threat actors by enabling targeted attacks: the victim is shown web content tailored to their email service provider.
The overall phishing operation appears seamless, as the landing page's appearance is consistent with the spam email's message. This method allows the actor to deceive the victim into entering their email credentials into the phishing platform.
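A web page has no legitimate reason to ask a public resolver for a domain's MX record, so the profiling step described above leaves a recognisable trace at a TLS-inspecting proxy. The following detection logic is an added example and is not code from the article or from the phishing kit. It assumes the "Cloudflare or Google" lookups are made against the public DNS-over-HTTPS JSON endpoints at cloudflare-dns.com/dns-query and dns.google/resolve, and it runs over constructed proxy log lines in a simple "client method url referrer" layout that is likewise an assumption, not a real log format.

```python
"""Flag DNS-over-HTTPS MX lookups issued from browser pages, as seen in proxy logs."""
from urllib.parse import urlparse, parse_qs

# Public DoH JSON resolvers (assumed to be the Cloudflare/Google services the report refers to).
DOH_ENDPOINTS = {
    ("cloudflare-dns.com", "/dns-query"),
    ("dns.google", "/resolve"),
}
# The DoH JSON API accepts the record type as a name or its numeric code (MX = 15).
MX_TYPE_VALUES = {"mx", "15"}

# Constructed sample proxy log lines: client_ip method url referrer ("-" = none).
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET https://cloudflare-dns.com/dns-query?name=victim-corp.example&type=MX https://shared-doc.example/view.html
10.0.0.7 GET https://dns.google/resolve?name=example.org&type=A https://intranet.example/
10.0.0.9 GET https://dns.google/resolve?name=another-victim.example&type=15 https://ad-redirect.example/click?id=42
10.0.0.5 GET https://www.example.com/index.html -
"""


def doh_mx_query_name(url: str):
    """Return the queried domain if url is a DoH JSON lookup for an MX record, else None."""
    parsed = urlparse(url)
    if (parsed.hostname, parsed.path) not in DOH_ENDPOINTS:
        return None
    params = parse_qs(parsed.query)
    qtype = params.get("type", [""])[0].lower()
    if qtype not in MX_TYPE_VALUES:
        return None
    name = params.get("name", [""])[0].rstrip(".").lower()
    return name or None


def parse_proxy_line(line: str):
    """Parse one constructed 'client method url referrer' log line into a dict."""
    parts = line.split()
    if len(parts) != 4:
        return None
    client, method, url, referrer = parts
    return {"client": client, "method": method, "url": url, "referrer": referrer}


def find_browser_mx_lookups(log_text: str):
    """Return one finding per log line in which a web page triggered a DoH MX lookup.

    A referrer on such a request means page script made the lookup, which is the
    email-provider profiling behaviour the report describes.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        name = doh_mx_query_name(rec["url"])
        if name is None:
            continue
        findings.append({
            "client": rec["client"],
            "queried_domain": name,
            "referrer": rec["referrer"],
            "from_web_page": rec["referrer"] != "-",
        })
    return findings


if __name__ == "__main__":
    for finding in find_browser_mx_lookups(SAMPLE_PROXY_LOG):
        print(finding)
```

Two caveats when deploying a check like this: the DoH endpoints also accept wire-format POST requests whose query name sits in the body rather than the URL, so a URL-only match misses those, and the URL is only visible at all where the proxy terminates TLS. Where it does fire, the referrer tells you which page made the lookup, which is the URL worth pulling for analysis and blocking.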
