Hackers Leveraging DNS MX Records To Dynamically Create Fake Logins Mimic as 100+ Brands

The phishing kit performs a DNS MX record lookup using DNS over HTTPS (DoH) services from Google or Cloudflare, allowing it to precisely identify the victim’s email service provider without maintaining an extensive domain mapping database. A sophisticated phishing operation has emerged that creatively leverages DNS mail exchange (MX) records to dynamically serve fake login pages tailored to victims’ email providers. The attack can mimic over 100 brands and represents a significant evolution in phishing techniques, creating highly convincing impersonations that are difficult for users to distinguish from legitimate login pages. The links often point to compromised WordPress websites, fraudulent accounts on free web hosting services, or exploit open redirects on advertising networks to bypass email security systems. To evade detection, the kit employs multiple security techniques, including code obfuscation, keyboard monitoring to prevent inspection, and intelligent redirects to legitimate websites after credential theft. What makes this campaign particularly dangerous is its ability to serve one of 114 different brand-specific phishing templates based on the victim’s email domain. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The phishing kit then maps the returned MX record to a matching phishing template, automatically filling the username field with the victim’s email address. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. The threat begins with spam emails containing malicious links that redirect victims through a series of steps to the phishing landing page. Infoblox researchers identified the threat actor behind this operation as “Morphing Meerkat,” which appears to operate a sophisticated Phishing-as-a-Service (PhaaS) platform. Tushar is a Cyber security content editor with a passion for creating captivating and informative content. Researchers has identified a novel mobile banking Trojan, designated "Crocodilus," marking a significant advancement in the evolution of Android-targeted malware. If the victim submits their credentials, the data is exfiltrated to the attackers via email, PHP scripts, AJAX requests, or messaging platforms like Telegram.

This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 29 Mar 2025 05:55:06 +0000


Cyber News related to Hackers Leveraging DNS MX Records To Dynamically Create Fake Logins Mimic as 100+ Brands

How to Prevent DNS Attacks: DNS Security Best Practices - To protect against attack, best practices must be applied to protect the DNS protocol, the server on which the DNS protocol runs, and all access to the DNS processes. Implementing these best practices will not only protect DNS but also network ...
1 year ago Esecurityplanet.com
CVE-2022-49069 - In the Linux kernel, the following vulnerability has been resolved: ...
3 months ago
Electronic Frontier Foundation - We're not just talking about the ballot box, but the everyday power we all have to demand government agencies make their records and data available to public scrutiny. At every level of government in the United States, there are laws that empower the ...
1 year ago Eff.org
Hackers Leveraging DNS MX Records To Dynamically Create Fake Logins Mimic as 100+ Brands - The phishing kit performs a DNS MX record lookup using DNS over HTTPS (DoH) services from Google or Cloudflare, allowing it to precisely identify the victim’s email service provider without maintaining an extensive domain mapping database. A ...
2 months ago Cybersecuritynews.com
Understanding DNS Zones: A Comprehensive Guide - DNS stands for Domain Name System, and it is one of the most important components of the Internet. It is a network of servers that coordinates the registration, updating and resolution of domain names, so that users can easily access websites and ...
2 years ago Heimdalsecurity.com
Attacks abuse Microsoft DHCP to spoof DNS records The Register - A series of attacks against Microsoft Active Directory domains could allow miscreants to spoof DNS records, compromise Active Directory and steal all the secrets it stores, according to Akamai security researchers. We're told the attacks - which are ...
1 year ago Go.theregister.com
DNS Tunneling Abuse Expands to Tracking & Scanning Victims - Attackers are taking malicious manipulation of DNS traffic to the next level, abusing DNS tunneling to scan a victim's network infrastructure as well as track victims' online behavior. Researchers from Palo Alto Networks' Unit 42 have identified ...
1 year ago Darkreading.com
Using Passive DNS To Trace Command And Control Infrastructure - When a security team discovers a suspicious domain or IP address, passive DNS allows them to trace its historical connections and uncover the broader infrastructure used by the threat actor. Finally, security teams should combine passive DNS ...
1 month ago Cybersecuritynews.com Hunters
Hackers use DNS tunneling for network scanning, tracking victims - Threat actors are using Domain Name System tunneling to track when their targets open phishing emails and click on malicious links, and to scan networks for potential vulnerabilities. DNS tunneling is the encoding of data or commands that are sent ...
1 year ago Bleepingcomputer.com
Data Breaches in US Schools Exposed 37.6M Records - Since 2005, educational institutions in the United States have experienced 3713 data breaches, impacting over 37.6m records. According to new data by Comparitech, 2023 marked a record year, with 954 breaches recorded - a dramatic rise from 139 in ...
1 year ago Infosecurity-magazine.com
CVE-2024-7715 - ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, ...
9 months ago
CVE-2024-7828 - ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, ...
9 months ago
CVE-2024-7829 - ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, ...
9 months ago
CVE-2024-7830 - ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, ...
9 months ago
CVE-2024-7831 - ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, ...
9 months ago
CVE-2024-7832 - ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, ...
9 months ago
CVE-2024-7849 - ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, ...
9 months ago
CVE-2024-7922 - A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to ...
9 months ago
CVE-2024-8127 - A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and ...
9 months ago
CVE-2024-8128 - A vulnerability, which was classified as critical, has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, ...
9 months ago
CVE-2024-8129 - A vulnerability, which was classified as critical, was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, ...
9 months ago
CVE-2024-8130 - A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to ...
9 months ago
CVE-2024-8131 - A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to ...
9 months ago
CVE-2024-8132 - A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to ...
9 months ago
CVE-2024-8133 - A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to ...
9 months ago