A sophisticated phishing operation has emerged that creatively leverages DNS mail exchange (MX) records to dynamically serve fake login pages tailored to victims’ email providers. The attack can mimic over 100 brands and represents a significant evolution in phishing techniques, creating highly convincing impersonations that are difficult for users to distinguish from legitimate login pages. Infoblox researchers identified the threat actor behind this operation as “Morphing Meerkat,” which appears to operate a sophisticated Phishing-as-a-Service (PhaaS) platform.

The threat begins with spam emails containing malicious links that redirect victims through a series of steps to the phishing landing page. The links often point to compromised WordPress websites, fraudulent accounts on free web hosting services, or open redirects on advertising networks, which helps the messages bypass email security systems.

What makes this campaign particularly dangerous is its ability to serve one of 114 different brand-specific phishing templates based on the victim’s email domain. The phishing kit performs a DNS MX record lookup using DNS over HTTPS (DoH) services from Google or Cloudflare, allowing it to precisely identify the victim’s email service provider without maintaining an extensive domain mapping database. The kit then maps the returned MX record to a matching phishing template and automatically fills the username field with the victim’s email address.

If the victim submits their credentials, the data is exfiltrated to the attackers via email, PHP scripts, AJAX requests, or messaging platforms like Telegram. To evade detection, the kit employs multiple anti-analysis techniques, including code obfuscation, keyboard monitoring to prevent inspection, and intelligent redirects to legitimate websites after credential theft.
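One defender-side check suggested by the DoH MX lookup described above, as an added example that is not from the article or from Infoblox: a small Python script that scans constructed web proxy log lines for browser requests to the Google or Cloudflare DoH JSON endpoints asking for MX records, which ordinary web pages almost never do. The endpoint hostnames and paths, the log line format and the sample entries are assumptions, not details taken from the article.

```python
"""Flag DNS-over-HTTPS MX lookups made from inside a browser session.
Ordinary web pages rarely ask a resolver for MX records, so such a request
in proxy logs (especially with an unfamiliar referer) is a hunting signal.
"""
import re
from urllib.parse import parse_qs, urlsplit

# DoH JSON endpoints: assumed from the resolvers' public docs, not from the article.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "1.1.1.1"}
DOH_PATHS = {"/resolve", "/dns-query"}
MX_TYPES = {"mx", "15"}  # record type given by name or by numeric value

# Constructed sample proxy log: timestamp, client IP, method, URL, referer.
SAMPLE_LOG = """\
2025-03-29T05:55:01Z 10.0.0.12 GET https://dns.google/resolve?name=example.com&type=MX https://cdn.example-host.invalid/login/
2025-03-29T05:55:02Z 10.0.0.12 GET https://cloudflare-dns.com/dns-query?name=example.com&type=15 https://cdn.example-host.invalid/login/
2025-03-29T05:55:03Z 10.0.0.13 GET https://dns.google/resolve?name=intranet.example.com&type=A -
2025-03-29T05:55:04Z 10.0.0.14 GET https://www.example.com/index.html -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def is_doh_mx_lookup(url: str) -> bool:
    """True when the URL is a DoH JSON query for an MX record."""
    parts = urlsplit(url)
    if parts.hostname not in DOH_HOSTS or parts.path not in DOH_PATHS:
        return False
    qtype = parse_qs(parts.query).get("type", [""])[0].lower()
    return qtype in MX_TYPES

def find_doh_mx_lookups(log_text: str) -> list:
    """Return one finding dict per log line that is a browser DoH MX lookup."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than abort the scan
        timestamp, client, _method, url, referer = match.groups()
        if is_doh_mx_lookup(url):
            queried = parse_qs(urlsplit(url).query).get("name", [""])[0]
            findings.append({"time": timestamp, "client": client,
                             "queried_domain": queried, "referer": referer})
    return findings

if __name__ == "__main__":
    for finding in find_doh_mx_lookups(SAMPLE_LOG):
        print("DoH MX lookup:", finding)
```

The same rule can be applied to network-level DNS telemetry where DoH is decrypted or blocked; the referer field is what ties the lookup back to the page that triggered it.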
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 29 Mar 2025 05:55:06 +0000