Phishing-as-a-service operation uses DNS-over-HTTPS for evasion

Summary: A newly identified phishing-as-a-service operation named Morphing Meerkat uses advanced techniques like DNS over HTTPS (DoH) to avoid detection and targets over 114 brands with dynamically generated phishing pages. Since its emergence in 2020, it has sent phishing emails from a centralized infrastructure, prompting victims to unwittingly enter their credentials. Its tactics include using DNS MX records to personalize attacks, which makes the operation more effective.

Affected: Various organizations and email service providers (e.g., Gmail, Outlook, Yahoo, DHL, Maersk, RakBank)

Key points:

  • Uses the DoH protocol to evade detection, performing DNS resolution via encrypted HTTPS requests.
  • Impersonates over 114 brands with customized phishing emails to prompt urgent action.
  • Employs real-time credential exfiltration methods, including AJAX requests and Telegram bot webhooks.
  • Dynamically loads fake login pages based on the victim’s email provider, which is identified through MX records.
  • Recommended defenses include tighter DNS control and blocking access to non-essential adtech and file-sharing services.
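
The following detection example is added here and is not from the original article: it flags DoH lookups for MX records in web-proxy logs, covering both the JSON query form and the RFC 8484 `dns=` wire form. The resolver host list, the `<client> <url> <referer>` log layout and all sample values are assumptions constructed for illustration, and it presumes the proxy records full HTTPS URLs.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Assumption: public DoH hosts to watch; the page names no resolvers.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}
MX = 15  # DNS RR type number for MX

def question_from_wire(b64url):
    """Return (qname, qtype) from an RFC 8484 GET 'dns=' parameter."""
    msg = base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
    pos, labels = 12, []                  # skip the fixed 12-byte DNS header
    while msg[pos]:                       # length-prefixed labels, 0 ends the name
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii", "replace"))
        pos += 1 + msg[pos]
    (qtype,) = struct.unpack_from("!H", msg, pos + 1)
    return ".".join(labels), qtype

def question_from_url(url):
    """Return (qname, qtype) for a DoH query to a watched host, else None."""
    u = urlsplit(url)
    q = parse_qs(u.query) if u.hostname in DOH_HOSTS else {}
    try:
        if "dns" in q:                    # RFC 8484 wire format, base64url
            return question_from_wire(q["dns"][0])
        if "name" in q:                   # JSON API form: ?name=..&type=..
            t = q.get("type", ["1"])[0]   # type may be a number or a mnemonic
            return q["name"][0], int(t) if t.isdigit() else (MX if t.upper() == "MX" else 0)
    except (IndexError, ValueError, struct.error):
        pass                              # malformed query: treat as no hit
    return None

def doh_mx_lookups(log_lines):
    """Return (client, queried_domain, referer) for every DoH MX lookup."""
    hits = []
    for client, url, referer in (line.split() for line in log_lines):
        q = question_from_url(url)
        if q and q[1] == MX:
            hits.append((client, q[0], referer))
    return hits

# Constructed sample data: a wire-format MX query for example.com and four log lines.
_WIRE = b"\x00\x00\x01\x00\x00\x01" + b"\x00" * 6 + b"\x07example\x03com\x00\x00\x0f\x00\x01"
_B64 = base64.urlsafe_b64encode(_WIRE).rstrip(b"=").decode()
SAMPLE = [
    "10.0.0.5 https://dns.google/resolve?name=victim-corp.example&type=MX https://landing.example/login.html",
    "10.0.0.7 https://cloudflare-dns.com/dns-query?dns=" + _B64 + " https://landing.example/login.html",
    "10.0.0.9 https://dns.google/resolve?name=www.example.org&type=A -",
    "10.0.0.9 https://intranet.example/mail?type=MX -",
]
```

A hit whose referer is an ordinary web page rather than a mail or DNS tool is the pattern worth triaging, since browsers rarely need MX records.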

Source: https://www.bleepingcomputer.com/news/security/phishing-as-a-service-operation-uses-dns-over-https-for-evasion/