A sophisticated Phishing-as-a-Service (PhaaS) platform has been identified spoofing over 100 brands to steal credentials, new research from Infoblox Threat Intel has found.
The threat actor behind these campaigns has been dubbed ‘Morphing Meerkat’. As part of its tactics, techniques and procedures (TTPs), it employs DNS mail exchange (MX) records to serve fake login pages and steal credentials.
When a victim clicks on a phishing link, the phishing kit queries the MX record of the victim's email domain to determine their email service provider.
Based on the MX record, the phishing kit dynamically serves a fake login page that mimics the victim's real email service provider's login page.
In its research blog, Infoblox said it has discovered that Morphing Meerkat has sent thousands of spam emails.
Infoblox explained that this novel DNS technique allows threat actors to customize content for victims using mail configurations that exist for other purposes. It is a DNS version of the technique referred to as “living off the land”, in which threat actors use elements of the existing environment to hide.
With the stolen credentials, cybercriminals can infiltrate corporate networks, steal sensitive data and even launch further attacks.
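Detection logic for the MX-based tailoring described above, added here as an example and not taken from Infoblox's research or from the kit. It assumes the lookup is made from the victim's browser through a public DNS-over-HTTPS JSON API and that a TLS-inspecting proxy logs full URLs; the log format, `CORPORATE_EMAIL_DOMAINS` and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Public DoH JSON endpoints; that the kit uses them is an assumption, not stated on the page.
DOH_JSON_ENDPOINTS = {("dns.google", "/resolve"), ("cloudflare-dns.com", "/dns-query")}
CORPORATE_EMAIL_DOMAINS = {"example.com"}  # constructed: the mail domains you protect
MX_TYPES = {"mx", "15"}  # record type by name or by number

# Constructed proxy log lines: timestamp, user, referring page, requested URL
SAMPLE_LOG = """\
2025-03-28T09:14:02Z alice https://portal.example.com/ https://dns.google/resolve?name=intranet.example.com&type=A
2025-03-28T09:15:40Z bob https://files-share.invalid/doc.html https://dns.google/resolve?name=example.com&type=MX
2025-03-28T09:16:11Z carol https://news.invalid/ https://cloudflare-dns.com/dns-query?name=othercorp.invalid&type=MX
2025-03-28T09:17:05Z dave https://view-invoice.invalid/open https://cloudflare-dns.com/dns-query?name=EXAMPLE.com.&type=15
"""

def is_mx_lookup_for_own_domain(url):
    """True when a browser request asks a DoH JSON API for the MX of one of our mail domains."""
    parts = urlsplit(url)
    if (parts.hostname, parts.path) not in DOH_JSON_ENDPOINTS:
        return False
    query = parse_qs(parts.query)
    name = query.get("name", [""])[0].rstrip(".").lower()  # normalise case and trailing dot
    rtype = query.get("type", [""])[0].lower()
    return rtype in MX_TYPES and name in CORPORATE_EMAIL_DOMAINS

def find_suspicious(log_text):
    """Return one record per log line where a web page triggered such a lookup."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        ts, user, referer, url = fields
        if is_mx_lookup_for_own_domain(url):
            hits.append({"time": ts, "user": user, "page": urlsplit(referer).hostname})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Ordinary web pages have little reason to resolve the MX record of the visitor's own mail domain, so each hit identifies a user and a referring page worth reviewing.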