Cybersecurity researchers have identified a new phishing-as-a-service (PhaaS) platform that targets 114 brands. This platform uses DNS mail exchange (MX) records to serve fake login pages that appear legitimate. The phishing campaigns are traced back to a threat actor called Morphing Meerkat, who operates using compromised domains and phishing kits. These attacks are delivered via spam emails and open redirects on ad-tech platforms, including Google’s DoubleClick.
Morphing Meerkat uses phishing kits that dynamically translate content into multiple languages, including English, Russian, and Spanish. This enables the attacker to target users globally, making the campaign more effective. The threat actor also obfuscates code and uses anti-analysis measures, including disabling right-click functions and keyboard shortcuts, to complicate detection. These techniques prevent users from easily saving or inspecting the page’s source code.
The PhaaS toolkit includes advanced features that make it harder for security systems to identify and block phishing attempts. One notable aspect is the use of DNS MX records obtained from Cloudflare or Google. This allows the attacker to detect the victim’s email service provider, such as Gmail or Yahoo!, and serve phishing pages tailored to that provider. This dynamic approach helps increase the credibility of the phishing attempt and enhances its chances of success.
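A defender-side check for the MX lookup described above, added here as an example and not taken from the research: it scans web proxy logs for browser requests that ask Google's or Cloudflare's DNS-over-HTTPS JSON endpoints for MX records, which ordinary web pages rarely need. It assumes the kit's lookups go through those public endpoints (the article says only that the records come from Cloudflare or Google); the log layout, function names and sample lines are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Public DNS-over-HTTPS JSON endpoints of the two resolvers named in the article.
DOH_ENDPOINTS = {
    ("dns.google", "/resolve"),
    ("cloudflare-dns.com", "/dns-query"),
}
MX_TYPES = {"mx", "15"}  # record type may be given by name or by RR number

def mx_doh_lookup(url):
    """Return the queried domain if url is a DoH JSON lookup for MX, else None."""
    parts = urlsplit(url)
    if (parts.hostname, parts.path) not in DOH_ENDPOINTS:
        return None
    query = parse_qs(parts.query)
    qtype = query.get("type", [""])[0].lower()
    name = query.get("name", [""])[0].rstrip(".").lower()
    return name if qtype in MX_TYPES and name else None

def find_suspect_lookups(log_lines):
    """Return (client, referring host, queried domain) for each MX lookup seen.

    Assumed log layout (hypothetical): timestamp client method url referer
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line
        _, client, _, url, referer = fields[:5]
        domain = mx_doh_lookup(url)
        if domain is None:
            continue
        # The referring page is the one whose script issued the lookup.
        hits.append((client, urlsplit(referer).hostname or "-", domain))
    return hits

# Constructed sample lines; .example hosts are placeholders, not indicators.
SAMPLE_LOG = [
    "2025-01-01T10:00:01Z 10.0.0.5 GET https://dns.google/resolve?name=example.com&type=MX https://login.phish.example/index.html",
    "2025-01-01T10:00:02Z 10.0.0.6 GET https://cloudflare-dns.com/dns-query?name=example.org&type=15 https://portal.phish.example/",
    "2025-01-01T10:00:03Z 10.0.0.7 GET https://dns.google/resolve?name=example.net&type=A -",
    "2025-01-01T10:00:04Z 10.0.0.8 GET https://www.example.com/search?type=MX&name=foo -",
]

if __name__ == "__main__":
    for client, page, domain in find_suspect_lookups(SAMPLE_LOG):
        print(f"{client} looked up MX for {domain} from page on {page}")
```

The check only works where the proxy can see full request URLs (TLS inspection), and it will miss lookups sent in the binary DoH wire format rather than as URL parameters.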
The phishing campaigns are carefully crafted to mimic legitimate login pages, making them difficult to distinguish from authentic ones. This technique allows the attacker to collect sensitive credentials by tricking victims into submitting their information. Researchers emphasize the sophistication of the Morphing Meerkat operation, which continues to evolve and adapt to bypass security filters and avoid detection.