Morphing Meerkat PhaaS Platform Spoofs 100+ Brands

Summary:
A sophisticated Phishing-as-a-Service platform, identified by Infoblox Threat Intelligence and dubbed Morphing Meerkat, has been observed spoofing over 100 well-known brands in order to steal user credentials through dynamic and highly evasive phishing attacks. This platform employs a novel DNS-based technique that abuses mail exchange records to craft highly convincing fake login pages tailored to each victim. When a target clicks on a phishing link, the phishing kit queries the MX record of the victim’s email domain to determine which email service provider they use. It then dynamically generates a login page that closely resembles the real login portal of that specific provider, significantly increasing the likelihood of capturing valid credentials.

First seen in 2020, the initial version of the Morphing Meerkat kit supported phishing templates for five email brands and lacked multilingual capabilities. However, the kit has evolved significantly since then. As of July 2023, it could not only dynamically generate fake login pages based on MX records but also detect the user’s web profile and display phishing content in over a dozen languages. It now supports 114 different brand designs, showcasing its rapid development and increased effectiveness.

Security Officer Comments:
Infoblox reports that thousands of spam emails have been distributed using this platform, indicating a wide-reaching and ongoing campaign. The phishing kit includes a range of security evasion techniques uncommon in similar kits. These include open redirect abuse on adtech infrastructure, code obfuscation to prevent detection and analysis, and a mechanism that redirects the user to the legitimate login page after a few failed login attempts to avoid raising suspicion. One of the most concerning aspects is how the platform exemplifies “living off the land” techniques, leveraging existing DNS infrastructure and configurations intended for legitimate purposes to deliver malicious content and evade security controls. Infoblox warns that without proper DNS security measures in place, organizations remain highly vulnerable to such attacks.


Suggested Corrections:

Infoblox noted that the Morphing Meerkat phishing kit shows how cybercriminals exploit security blind spots using advanced techniques like DNS cloaking and open redirects.

Organizations can protect themselves against these kinds of attacks by adding a strong layer of DNS security to their systems.

This involves tightening DNS control so that users cannot communicate with DoH servers, or blocking user access to adtech and file-sharing infrastructure that is not critical to the business.

If companies can reduce the number of unimportant services in their network, they can reduce their attack surface, giving fewer options to cybercriminals for threat delivery, Infoblox concluded.
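
One way to monitor the DoH control point described above, added here as an example (it is not code from Infoblox or the source article): scan web proxy logs for MX lookups sent to DoH resolvers, a query type ordinary browsing rarely generates. Assumptions: the kit's MX query travels over DoH from the victim's browser, and the resolver list, log layout and sample lines are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Assumption: public DoH endpoints to watch; extend to match your environment.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}
MX = 15  # DNS resource record type number for MX

def wire_query(name, qtype):
    """Build a base64url DNS query (RFC 8484 'dns=' value) for the sample data."""
    msg = b"\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header, QDCOUNT=1
    msg += b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg += qtype.to_bytes(2, "big") + b"\x00\x01"  # QTYPE, QCLASS=IN
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

def qtype_from_wire(b64url):
    """Return the QTYPE of the first question in a base64url DNS message."""
    raw = base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
    pos = 12  # skip the fixed 12-byte header
    while raw[pos] != 0:  # walk the length-prefixed labels of QNAME
        pos += 1 + raw[pos]
    if pos + 3 > len(raw):
        raise ValueError("truncated question section")
    return int.from_bytes(raw[pos + 1:pos + 3], "big")

def is_mx_over_doh(url):
    parts = urlsplit(url)
    if parts.hostname not in DOH_HOSTS:
        return False
    params = parse_qs(parts.query)
    if "dns" in params:  # RFC 8484 GET form
        try:
            return qtype_from_wire(params["dns"][0]) == MX
        except (ValueError, IndexError):
            return False
    return params.get("type", [""])[0].upper() in ("MX", "15")  # JSON API form

def flag_mx_lookups(log_lines):
    """Return (client, referer_host, url) for each MX-over-DoH request."""
    rows = (line.split() for line in log_lines)
    return [(c, urlsplit(ref).hostname, u) for c, u, ref in rows if is_mx_over_doh(u)]

# Constructed proxy log lines: client IP, requested URL, Referer
SAMPLE_LOG = [
    "10.0.0.5 https://dns.google/resolve?name=victim.example&type=MX https://landing.example/x",
    "10.0.0.6 https://cloudflare-dns.com/dns-query?dns=%s https://landing.example/x" % wire_query("victim.example", MX),
    "10.0.0.7 https://dns.google/resolve?name=cdn.example&type=A https://shop.example/",
    "10.0.0.8 https://search.example/?type=MX https://search.example/",
]
```

The referer host returned with each hit identifies the page that triggered the lookup, which is the starting point for triage and blocking.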

Link(s):
https://www.infosecurity-magazine.com/news/morphing-meerkat-phaas-platform/