- The Morphing Meerkat phishing kit can spoof more than 100 different brands
- It has been used to send “thousands” of emails, experts warn
- Defenses include adding a strong DNS security layer
Cybercriminals have created a new technique for sending business users phishing emails that are almost indistinguishable from legitimate messages.
Cybersecurity researchers at Infoblox spotted the phishing-as-a-service (PhaaS) kit, built by a threat actor called Morphing Meerkat, which uses DNS mail exchange (MX) records to dynamically serve fake login pages.
The technique allows them to spoof more than 100 different brands, making it a fairly powerful offering for cybercriminals.
Open redirects
“The Morphing Meerkat PhaaS platform and phishing kits are unique compared to others because they dynamically serve phishing login web pages based on the DNS MX record of each victim’s email domain,” the researchers explained, saying that this allows the attackers to show web content “strongly related” to the victim’s email service provider.
“The overall phishing experience feels natural because the design of the landing page is consistent with the spam email’s message,” they added.
Morphing Meerkat has not exactly drawn attention to itself, which may sound quite surprising given that it has sent “thousands” of spam emails, mainly located in the United Kingdom and the United States.
However, the researchers said that the operation is “difficult” to detect at scale, since the attackers know where the security blind spots are and have been exploiting them through open redirects on adtech, DoH communication, and popular file sharing services.
To protect themselves, organizations must add a strong DNS security layer to their systems, Infoblox concludes, which includes tightening DNS controls and not allowing users to communicate with DoH servers.
“If companies can reduce the number of unimportant services in their network, they can reduce their attack surface, giving fewer options to cybercriminals for the delivery of threats,” said Infoblox.
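Before DoH can be blocked, a defender needs to see which clients are using it. The following is an added example, not code from the article or the researchers: a Python check that scans web proxy log lines for requests to DoH resolvers and flags those asking for MX records, the record type the kit keys on. The resolver hostnames, the log format and the sample lines are assumptions constructed for illustration.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Assumption: two well-known public DoH hosts for illustration; the article names none.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}
MX = 15  # DNS QTYPE value for mail exchange records

def wire_question(b64url):
    """Decode an RFC 8484 ?dns= value; return (qname, qtype), or None if malformed."""
    try:
        msg = base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
        pos, labels = 12, []  # the question section follows the 12-byte header
        while (n := msg[pos]) != 0:
            if n > 63:  # compression pointer or reserved bits: not a plain name
                return None
            labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
            pos += 1 + n
        return ".".join(labels), struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    except (ValueError, IndexError, struct.error):
        return None

def classify(url):
    """Return a finding for a request to a listed DoH host, else None."""
    u = urlsplit(url)
    if (u.hostname or "").lower() not in DOH_HOSTS:
        return None
    q, name, qtype = parse_qs(u.query), None, None
    if "dns" in q:  # RFC 8484 GET carrying a wire-format query
        name, qtype = wire_question(q["dns"][0]) or (None, None)
    elif "name" in q:  # JSON-style API: ?name=...&type=MX (or type=15)
        name, t = q["name"][0], q.get("type", ["A"])[0].upper()
        qtype = MX if t in ("MX", "15") else None
    return {"host": u.hostname, "name": name, "mx_lookup": qtype == MX}

def scan(lines):
    """Parse '<client-ip> <url>' proxy lines; return DoH findings per client."""
    pairs = (line.split(maxsplit=1) for line in lines)
    return [{"client": c, **hit} for c, u in pairs if (hit := classify(u.strip()))]

def sample_wire(name, qtype):  # build a constructed query, base64url without padding
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

SAMPLE_LOG = [  # constructed proxy log lines, not real traffic
    "10.0.4.17 https://dns.google/resolve?name=mail-tenant.example&type=MX",
    "10.0.4.17 https://cloudflare-dns.com/dns-query?dns=" + sample_wire("mail-tenant.example", MX),
    "10.0.4.22 https://cloudflare-dns.com/dns-query?name=intranet.example&type=A",
]
```

Calling `scan(SAMPLE_LOG)` returns one finding per DoH request, with `mx_lookup` set for the two MX queries. A proxy only sees these URLs where TLS is inspected; otherwise the same host list can drive a block rule on the resolver hostnames.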