Cybersecurity researchers shed light on a new phishing As-a-Service (PHAAS) platform that leverages Domain Name System (DNS) Mail Exchange (MX) records, offering fake login pages that impersonate around 114 brands.
DNS Intelligence Firm Infoblox tracks the actors behind related activities under the monikers morphing Phaas, Phishing Kit, and Meerkat.
“The threat actors behind campaigns often leverage open redirection in Adtech infrastructure, compromise the domain of phishing distribution and distribute stolen qualifications through several mechanisms, including Telegram.”
One such campaign that utilizes the PHAAS toolkit was documented by ForcePoint in July 2024. The phishing emails included a link to a shared document that, when clicked, achieved its goal of collecting and extracting credentials via Telegram, and directing recipients to a fake login page hosted on CloudFlare R2.
It is estimated that Meerkat morphing used phishing messages using compromised WordPress websites and delivered thousands of spam emails when opening vulnerabilities on advertising platforms such as bypass security filters from Google-owned DoubleClick.
You can also translate phishing content text into over 12 different languages, including English, Korean, Spanish, Russian, German, Chinese and Japanese, targeting users around the world.
In addition to complicating code readability via obfuscation and inflation, the phishing landing page incorporates anti-analytic measurements that prohibit the right-click mouse and keyboard hotkey combination CTRL+s (save web pages as HTML). CTRL + U (Open the web page source code).
But what really sets threat actors apart is the use of DNS MX records obtained from CloudFlare or Google to identify the victim’s email service provider (such as Gmail, Microsoft Outlook, or Yahoo!) and provide fake login pages dynamically. If the phishing kit cannot recognize MX records, the default is the RoundCube login page.
“This attack method is advantageous for bad actors as it allows targeted attacks against victims by displaying web content that is strongly related to email service providers,” Infoblox said. “
“The overall phishing experience feels natural as the design of the landing page matches the spam email message. This technique helps actors trick victims through phishing web forms and submit e-mail qualifications.”
Source link
