Researchers studying cybersecurity have discovered a new phishing-as-a-service ( PhaaS ) platform that uses the Domain Name System ( ) mail exchange ( ) records to offer fake login pages that impersonate about 114 brands.
Infoblox, a DNS intelligence agency, is looking into the person responsible for the PhaaS, the spoofing system, and related activity that goes by the moniker Morphing Meerkat.
The risk professional behind the campaigns frequently “exploits available redirects on adtech system, compromises domains for hacking supply, and distributes stolen credentials through various mechanisms, including Telegram,” according to the company in a shared with The Hacker News.
In a phishing email that contained links to a purported shared record that, when clicked, sent the victim to a fake login site hosted on with the aim of collecting and enforcing the credentials via Telegram, one for battle was by Forcepoint in July 2024.
Morphing Meerkat is said to have sent hundreds of spam emails, using hacking emails to bypass security filters on advertising programs like Google-owned DoubleClick and compromised WordPress sites.
Additionally, it has the ability to automatically translate phishing content into more than a hundred different languages, including English, Korean, Spanish, Russian, German, Chinese, and Chinese, to target users all over the world.
The phishing landing pages include anti-analysis measures that prohibit the use of mouse right-click and keyboard hotkey combinations Ctrl + S ( save the web page as HTML), Ctrl + U ( open the web page source code), and obfuscation and inflation, among other things.
However, what distinguishes the threat actor truly stands out is its use of DNS MX records from Google or Cloudflare to identify the victim’s email service provider ( such as Gmail, Microsoft Outlook, or Yahoo! ) and automatically display false registration pages. In the event that the spoofing system is unable to understand the MX report, it will default to a password page.
According to Infoblox,” This attack strategy is effective to poor actors because it enables them to target victims by displaying web content that is closely related to their email service provider.”
Because the landing page’s design is in line with the spam email’s message, the entire phishing experience feels natural. This tactic helps the comedian deceive the victim into entering their email addresses using a hacking website.