Security researchers have uncovered a Phishing-as-a-Service (PhaaS) platform, Morphing Meerkat, that has been stealing login credentials for users at hundreds of email services for years by using DNS mail exchange (MX) records to create hyper-personalised fake login pages.
The PhaaS platform has duped users into handing over logins for at least 114 brands according to researchers at Infoblox, using dodgy URLs in spam emails that bring victims to a dynamically loaded login page that can even be translated to the language found in their web profile.
Infoblox said: "Morphing Meerkat campaigns operate globally and reach users in many different languages. To target victims at scale, the phishing kits use a translation JavaScript module that can convert the text in the phishing webpage to the preferred language set in the victim’s browser."
The phishing kits offered by the PhaaS platform have been in use since as early as January 2020 according to Infoblox, but had not previously been identified, thanks to a larger-than-usual toolkit of evasion features.
Researchers said the platform is "relatively advanced" and offers services including mass spam delivery and delivery of stolen credentials via multiple channels.
Its evasion features also abuse redirect vulnerabilities on legitimate adtech servers to trick security systems, and send users on to the genuine login page once the kit has captured their details, to avert suspicion.
Obfuscated and overly dense code also lets the kits hide what the code really does and waste investigators' time, said Infoblox.
"It will often encode scripts in Base64, convert ASCII code characters to decimal values, randomly place values in a long array and index them later in the script, use non-human readable variable names, or any combination of these methods."
What really makes Morphing Meerkat phishing kits stand out, though, is their use of DNS MX records, the DNS records that direct email to a domain's mail server, to identify the victim's email provider.
Infoblox explained: "After the phishing kit retrieves the MX record, it uses a custom dictionary to load a phishing HTML file associated with the record. This dictionary maps the MX record name and its relevant phishing HTML file."
Pulling from this dictionary to create login pages that look familiar "highlights the lengths to which this actor goes to personalize the phishing experience" said the researchers.
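The behaviours described above (a client-side MX lookup over DoH, a dictionary keyed on MX hostnames that picks an HTML template, Base64-wrapped scripts and ASCII hidden as decimal char codes) can be turned into a simple triage check for a suspicious page's script. The following is an added example written for this article, not code from Infoblox or from the kit; the DoH URL shape (`dns-query`/`resolve` with `type=MX`) and the sample script are constructed assumptions.

```python
import base64
import re

# Heuristics drawn from the behaviours the article describes: a DoH-based MX
# lookup, a dictionary keyed on MX hostnames that selects an HTML template,
# Base64-encoded scripts, and ASCII text hidden as decimal char-code arrays.
DOH_MX_LOOKUP = re.compile(r"(?:dns-query|/resolve\?).{0,200}?type=MX", re.I | re.S)
MX_TEMPLATE_MAP = re.compile(r"""['"][\w.-]+['"]\s*:\s*['"][^'"]*\.html['"]""")
DECIMAL_CHARCODE = re.compile(r"String\.fromCharCode\(\s*(?:\d{1,3}\s*,\s*){8,}\d{1,3}\s*\)")
BASE64_SCRIPT = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]{40,})['"]\s*\)""")


def find_indicators(script: str, depth: int = 0) -> set[str]:
    """Return the indicator names present in a page's script text.

    Base64 payloads handed to atob() are decoded and scanned as well, so an MX
    lookup buried inside an encoded layer still surfaces (two layers at most).
    """
    hits = set()
    if DOH_MX_LOOKUP.search(script):
        hits.add("doh_mx_lookup")
    if MX_TEMPLATE_MAP.search(script):
        hits.add("mx_template_map")
    if DECIMAL_CHARCODE.search(script):
        hits.add("decimal_charcode_array")
    for match in BASE64_SCRIPT.finditer(script):
        hits.add("base64_script")
        if depth >= 2:
            continue
        try:
            inner = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        hits |= find_indicators(inner, depth + 1)
    return hits


def is_suspicious(script: str, threshold: int = 2) -> bool:
    """Flag a page only when several independent indicators co-occur."""
    return len(find_indicators(script)) >= threshold


# Constructed sample mimicking the described behaviour; not taken from any real kit.
_INNER = 'fetch("https://resolver.example/dns-query?name=" + domain + "&type=MX")'
SAMPLE_SCRIPT = (
    "var templates = {'mx.mailhost.example': 'mailhost.html', 'mx.other.example': 'other.html'};\n"
    "var page = String.fromCharCode(108,111,103,105,110,46,104,116,109,108);\n"
    f"eval(atob('{base64.b64encode(_INNER.encode()).decode()}'));\n"
)
```

Run `find_indicators(SAMPLE_SCRIPT)` to see all four indicators reported, the DoH MX lookup only becoming visible after the Base64 layer is decoded.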
Morphing Meerkat's techniques highlight the growing sophistication of phishing campaigns as threat actors seek to outperform new security measures and increased awareness of social engineering tricks.
Some old habits die hard, though: the PhaaS platform reportedly still relies on scare tactics in its spam emails and on URL shorteners to lure in victims.
How, then, to protect against such a sophisticated actor? Mustafa Kivanc Demirsoy, founder of cybersecurity and penetration testing company WeHack, shared tips including auditing and hardening email infrastructure, implementing MFA and also verifying how it's used, and continuing the sort of real-world phishing tests many IT teams have become accustomed to sending out.
Infoblox goes one step deeper, advising companies to tighten their DNS controls so users "cannot communicate with DoH servers or" and to block user access to non-critical adtech and file-sharing infrastructure.