Hackers Exploit DNS MX Records to Create Fake Logins Imitating 100+ Brands

Cybersecurity researchers have discovered a sophisticated phishing-as-a-service (PhaaS) platform, dubbed “Morphing Meerkat,” that leverages DNS mail exchange (MX) records to dynamically serve tailored phishing pages mimicking over 100 brands.

The platform, which has been operational since at least January 2020, employs a range of advanced techniques to evade detection and maximize the effectiveness of its phishing campaigns.

DNS Abuse and Dynamic Content Delivery

At the core of Morphing Meerkat’s operation is its innovative use of DNS MX records.

The platform queries the MX record of a victim’s email domain using DNS over HTTPS (DoH) services from providers like Cloudflare and Google.

It then uses this information to dynamically load a phishing template that closely matches the victim’s email service provider, creating a more convincing and personalized phishing experience.

The PhaaS platform maintains a library of at least 114 unique email brand and login designs, allowing it to accurately spoof a wide range of email services.

This technique enables the attackers to conduct highly targeted phishing campaigns at scale, increasing the likelihood of successful credential theft.

Evasion Techniques and Global Reach

Morphing Meerkat employs multiple security evasion features to hinder threat analysis and bypass phishing protection systems.

According to the Report, these include code obfuscation, inflation of script size with non-functional code, and exploitation of open redirects on adtech infrastructure.

The platform also uses client-side email libraries and messaging app APIs to exfiltrate stolen credentials, making detection more challenging.

The PhaaS operation has a global reach, with the ability to dynamically translate phishing content into over a dozen languages based on the victim’s browser settings.

This multilingual capability, combined with the use of compromised WordPress sites and free web hosting services for distribution, allows the attackers to target users worldwide effectively.

The discovery of Morphing Meerkat highlights the evolving sophistication of phishing attacks and the need for enhanced DNS security measures.

Organizations are advised to implement strong DNS controls, limit access to non-essential services, and educate users about the risks of phishing attempts that may closely mimic legitimate login pages.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.