- The Morphing Meerkat phishing kit can impersonate more than 100 different brands
- It was used to send “thousands” of emails, experts warn
- Defenses include adding a strong DNS security layer
Cybercriminals have created a new technique for serving phishing emails to professional users that are almost indistinguishable from legitimate messages.
Infoblox cybersecurity researchers have spotted a Phishing-as-a-Service (PhaaS) kit, built by a threat actor dubbed Morphing Meerkat, which uses DNS mail exchange (MX) records to dynamically serve fake login pages.
The technique allows the kit to impersonate more than 100 different brands, making it a fairly powerful offering for cybercriminals.
Open redirects
“The PhaaS platform of Morphing Meerkat and phishing kits are unique compared to the others, because they dynamically serve the phishing login pages based on the DNS MX record of the email domain of each victim,” said the researchers, adding that this allows attackers to display web content “strongly linked” to the victim's email provider.
“The overall phishing experience seems natural because the design of the destination page is consistent with the message of spam email,” they added.
Morphing Meerkat has not yet drawn attention to itself, which may seem surprising given that it has sent “thousands” of spam emails from servers mainly located in the United Kingdom and the United States.
However, the researchers said that the operation was “difficult” to detect at scale, because the attackers know where the blind spots are and exploit them via open redirects, DNS over HTTPS (DoH) communication and popular file sharing services.
To protect themselves, organizations should add a strong DNS security layer to their systems, Infoblox concludes. This includes tightening DNS controls and not allowing users to communicate with DoH servers.
“If companies can reduce the number of unimportant services in their network, they can reduce their attack surface, giving cybercriminals fewer options for the delivery of threats,” concluded Infoblox.
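The following added example, which is not from Infoblox or the original article, flags web-proxy log entries in which a client sends an MX lookup to a DoH endpoint, the pattern the article describes. It assumes the proxy records full request URLs; the hostnames, IP addresses and function names are constructed for illustration.

```python
import base64
import struct
from urllib.parse import urlsplit, parse_qs

MX = 15  # DNS QTYPE value for MX records

def first_question(msg: bytes):
    """Return (qname, qtype) of the first question in a DNS wire-format query."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("not a DNS query")
    pos, labels = 12, []
    while (n := msg[pos]) != 0:
        if n & 0xC0:
            raise ValueError("unexpected compression pointer")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels), struct.unpack("!H", msg[pos + 1:pos + 3])[0]

def doh_mx_lookup(url: str):
    """Return the queried name if the URL is a DoH GET asking for MX, else None."""
    q = parse_qs(urlsplit(url).query)
    if "dns" in q:  # RFC 8484 GET: base64url-encoded wire-format query
        raw = q["dns"][0]
        try:
            msg = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
            name, qtype = first_question(msg)
        except (ValueError, IndexError, struct.error):
            return None
        return name if qtype == MX else None
    # JSON-style DoH API offered by some public resolvers: ?name=...&type=MX
    if "name" in q and q.get("type", [""])[0].upper() in ("MX", "15"):
        return q["name"][0]
    return None

def _sample_query(name: str, qtype: int) -> str:
    """Build a constructed RFC 8484 'dns=' value for the sample log below."""
    hdr = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)
    qn = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return base64.urlsafe_b64encode(hdr + qn + struct.pack("!2H", qtype, 1)).rstrip(b"=").decode()

# Constructed proxy log: (client IP, requested URL)
SAMPLE_LOG = [
    ("10.0.0.5", "https://doh.example/dns-query?dns=" + _sample_query("victim-corp.example", MX)),
    ("10.0.0.5", "https://doh.example/dns-query?dns=" + _sample_query("www.example.com", 1)),
    ("10.0.0.9", "https://resolver.example/resolve?name=victim-corp.example&type=MX"),
    ("10.0.0.7", "https://intranet.example/search?name=alice&type=user"),
]

def flag_doh_mx(log):
    """Return (client, queried domain) for every DoH MX lookup seen in the log."""
    return [(ip, name) for ip, url in log if (name := doh_mx_lookup(url))]
```

MX lookups are normally made by mail servers, so hits from user workstations are worth triaging before DoH is blocked outright at the network edge.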