Morphing Meerkat Phishing Kits Exploit DNS MX Records

A new phishing-as-a-service (PhaaS) platform called Morphing Meerkat has been uncovered; it exploits DNS mail exchange (MX) records to deliver spoofed login pages targeting over 100 brands. The operation has relied on the same tactics and core resources for an extended period, which makes it challenging to detect at scale.

The PhaaS platform behind the Morphing Meerkat kits has been active for at least five years. It consistently employs the same tactics and core resources, yet its use of MX records for phishing has remained largely unreported. The consistency points to a single, centralized PhaaS platform rather than multiple independent actors.

The attackers use DNS to enhance their phishing: the kit looks up the victim's MX records to dynamically serve a spoofed login page matching the victim's email provider. They also abuse open redirects and compromised domains, and exfiltrate stolen credentials via Telegram. To perform the lookup, the platform queries Cloudflare and Google DNS over HTTPS (DoH) and then loads HTML tailored to the provider the MX records reveal.

Morphing Meerkat has expanded its library of templates from five original designs in 2020 to 114 different brand designs. The platform can dynamically load phishing pages based on DNS MX records and translate text based on the victim's web profile, enabling large-scale attacks across different regions.

The Morphing Meerkat phishing kits use generic or spoofed logos, often impersonating banks or shipping services with scare tactics. They embed links in compromised sites, URL shorteners, and abuse DoubleClick's open redirects to evade detection. The platform tailors phishing pages by dynamically loading HTML based on the victim's email provider's MX records.

Morphing Meerkat exploits open redirects on ad tech platforms like Google DoubleClick, using fake domains and compromised sites. It queries the victim's email domain's MX record via DoH (Google/Cloudflare) to load a tailored phishing page with the email pre-filled for credibility.
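The DoH MX lookup described above leaves a footprint a defender can hunt for: a browser fetching MX records from dns.google or cloudflare-dns.com is unusual for ordinary web traffic. The following is an added detection example (not code from the report or from the kit) that scans constructed proxy log lines for such requests, covering both the JSON form (`?type=MX`) and the RFC 8484 wire form (`?dns=<base64url>`); the resolver host list, the log line format and the sample lines are assumptions.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}  # resolvers named in the report; extend as needed
QTYPE_MX = 15

def wire_query(name: str, qtype: int) -> str:
    # Minimal RFC 8484 DNS query, base64url without padding (used here only to build test data).
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + labels + struct.pack("!HH", qtype, 1)
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

def qtype_from_wire(b64: str):
    # QTYPE of the first question in a base64url-encoded DNS message, or None if malformed.
    try:
        msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        return None
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] == 0:  # header + QDCOUNT >= 1
        return None
    pos = 12
    while pos < len(msg) and msg[pos] != 0:  # walk the QNAME labels up to the root label
        pos += msg[pos] + 1
    return struct.unpack("!H", msg[pos + 1:pos + 3])[0] if pos + 3 <= len(msg) else None

def is_doh_mx_lookup(url: str) -> bool:
    # True for a DoH GET to a known resolver that asks for an MX record.
    parts = urlsplit(url)
    if parts.hostname not in DOH_HOSTS:
        return False
    qs = parse_qs(parts.query)
    # JSON API form: ?name=<domain>&type=MX (dns.google/resolve, cloudflare-dns.com/dns-query)
    if any(t.upper() in ("MX", str(QTYPE_MX)) for t in qs.get("type", [])):
        return True
    # RFC 8484 wire form: ?dns=<base64url DNS message>
    return any(qtype_from_wire(d) == QTYPE_MX for d in qs.get("dns", []))

def flag_doh_mx(log_lines):
    # Proxy log lines are assumed to look like "<client> <method> <url> ..." (constructed format).
    rows = [l.split() for l in log_lines]
    return [(r[0], r[2]) for r in rows if len(r) >= 3 and is_doh_mx_lookup(r[2])]

# Constructed sample log, not real traffic: lines 1 and 2 should be flagged, 3 and 4 should not.
SAMPLE_LOG = [
    "10.0.0.5 GET https://dns.google/resolve?name=victim-corp.example&type=MX",
    "10.0.0.5 GET https://cloudflare-dns.com/dns-query?dns=" + wire_query("victim-corp.example", QTYPE_MX),
    "10.0.0.7 GET https://dns.google/resolve?name=victim-corp.example&type=A",
    "10.0.0.9 GET https://www.example.com/login?type=MX",
]
```

A hit is only a lead, not proof of compromise: correlate the flagged client with the referring page and the domain queried (the victim's own mail domain is the telltale pattern).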

The Morphing Meerkat PhaaS platform blocks security analysis, obfuscates its code, and dynamically serves phishing pages based on DNS MX records. It supports more than 114 login templates and harvests credentials via email, PHP scripts, AJAX, or Telegram, often deleting evidence in real time.

"Morphing Meerkat is another example of a long-running operation that is difficult to detect at scale," concludes the report. "They know where security blind spots are and have been exploiting them via open redirects on adtech, DoH communication, and popular file sharing services."