A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat has been using the DNS over HTTPS (DoH) protocol to evade detection. The platform also leverages DNS mail exchange (MX) records to identify victims' email providers and to dynamically serve spoofed login pages for more than 114 brands. Morphing Meerkat has been active since at least 2020 and was discovered by security researchers at Infoblox.

Morphing Meerkat is a PhaaS platform providing a complete toolkit for launching effective, scalable, and evasive phishing attacks that require minimal technical knowledge. The use of DoH and DNS MX lookups makes Morphing Meerkat stand out from similar cybercrime tools, as these are advanced techniques that offer significant operational benefits.

If the victim clicks on the malicious link in the message, they go through a chain of open redirect exploits on ad tech platforms like Google DoubleClick, frequently involving compromised WordPress sites, fake domains, and free hosting services. Once the victim reaches the final destination, the phishing kit loads in their browser and queries the MX record of the victim's email domain using DoH via Google or Cloudflare. An MX (Mail Exchange) record is a type of DNS record that tells the internet which server handles email for a given domain.

With the email provider identified from the MX record, the kit can dynamically serve the matching phishing page to the victim: based on the result, it loads a fake login page with the victim's email address filled in automatically. When the victim enters their credentials for the first time, an error message reading "Invalid Password.! Please enter email correct password" is served to get the victim to type the password again, thus making sure that the captured data is correct. Once the victim enters their credentials, these are exfiltrated to the threat actors via AJAX requests to external servers and PHP scripts hosted on the phishing pages.

One recommended line of defense against this type of threat is tighter "DNS control so that users cannot communicate with DoH servers or blocking user access to adtech and file sharing infrastructure not critical to the business," Infoblox says. The complete indicators of compromise (IoC) associated with Morphing Meerkat activity were made public on this GitHub repository.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
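Detection logic for the browser-side DoH MX lookups described above, as an added example that is not part of the original article or of Infoblox's research: it scans web-proxy log lines for requests to the public Google and Cloudflare DoH JSON endpoints that ask for an MX record, which is the traffic the recommended DoH-blocking control would also stop. The log format, client addresses and domains are constructed assumptions.

```python
"""Flag browser-originated DNS-over-HTTPS MX lookups in web-proxy logs.
Added example (not Infoblox's or the article's code). Assumes a constructed,
space-separated proxy log: timestamp, client IP, method, full URL, Referer.
dns.google/resolve and cloudflare-dns.com/dns-query are the public DoH JSON
endpoints; a kit resolving a victim's MX record from inside the browser sends
such a request with type=MX (or the numeric RR type 15).
"""
from urllib.parse import urlsplit, parse_qs

DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "1.1.1.1"}
DOH_PATHS = {"/resolve", "/dns-query"}
MX_TYPES = {"mx", "15"}

# Constructed sample log lines (not from a real incident).
SAMPLE_LOG = """\
2025-03-28T10:01:02Z 10.0.0.5 GET https://example-cdn.test/app.js -
2025-03-28T10:01:03Z 10.0.0.5 GET https://dns.google/resolve?name=victim-corp.test&type=MX https://free-host.test/login/
2025-03-28T10:01:09Z 10.0.0.7 GET https://cloudflare-dns.com/dns-query?name=victim-corp.test&type=15 https://free-host.test/login/
2025-03-28T10:02:11Z 10.0.0.9 GET https://dns.google/resolve?name=victim-corp.test&type=A -
"""

def is_doh_mx_lookup(url):
    """Return the queried domain if url is a DoH JSON query for an MX record, else None."""
    parts = urlsplit(url)
    if parts.hostname not in DOH_HOSTS or parts.path not in DOH_PATHS:
        return None
    qs = parse_qs(parts.query)
    rrtype = qs.get("type", ["a"])[0].lower()
    if rrtype not in MX_TYPES:
        return None
    return qs.get("name", [None])[0]

def find_doh_mx_lookups(log_text):
    """Return (client, queried_domain, referer) for each DoH MX lookup in the log.
    A real Referer means a web page, not the OS resolver, issued the query."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(" ", 4)
        if len(fields) != 5:
            continue  # malformed line, skip
        _ts, client, _method, url, referer = fields
        domain = is_doh_mx_lookup(url)
        if domain:
            hits.append((client, domain, referer))
    return hits

if __name__ == "__main__":
    for hit in find_doh_mx_lookups(SAMPLE_LOG):
        print("DoH MX lookup from a web page:", hit)
```

Only the two MX queries carrying a page Referer are reported; the type=A lookup and ordinary web traffic are ignored, so the same rule can feed a proxy block list for the DoH endpoints without touching normal browsing.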
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 28 Mar 2025 16:35:04 +0000