Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages Domain Name System (DNS) mail exchange (MX) records to serve fake login pages impersonating 114 brands.
DNS intelligence firm Infoblox is tracking the actor behind the PhaaS, the phishing kit, and the related activity under the moniker Morphing Meerkat.
"The threat actor behind the campaigns often exploits open redirects on adtech infrastructure, compromises domains for phishing distribution, and distributes stolen credentials through several mechanisms, including Telegram," the company said in a report shared with The Hacker News.
One such campaign leveraging the PhaaS toolkit was documented by Forcepoint in July 2024: the phishing emails contained links to a purported shared document that, when clicked, sent the recipient to a fake login page hosted on Cloudflare R2, with the goal of collecting the credentials and exfiltrating them via Telegram.
Morphing Meerkat is estimated to have delivered thousands of spam emails. The phishing messages use compromised WordPress websites and open redirect vulnerabilities on advertising platforms such as Google-owned DoubleClick to bypass security filters.
It is also capable of dynamically translating the phishing content into more than a dozen languages, including English, Korean, Spanish, Russian, German, Chinese, and Japanese, to target users worldwide.
Besides hindering code readability through obfuscation and inflation, the phishing landing pages incorporate anti-analysis measures that block the mouse right-click as well as the keyboard shortcuts Ctrl + S (save the web page as HTML) and Ctrl + U (view the page source).
But what makes the threat actor truly stand out is its use of DNS MX records, obtained from public resolvers run by Cloudflare or Google, to identify the victim's email service provider (e.g., Gmail, Microsoft Outlook, or Yahoo!) and dynamically serve a matching fake login page. If the phishing kit is unable to recognize the MX record, it defaults to a Roundcube login page.
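The MX-based targeting described above is simple to reproduce, which is useful for an analyst who wants to confirm what a captured landing page is doing. The JavaScript below is an added illustration written for this page; it is not Morphing Meerkat's code (the article does not publish it) and not Infoblox's. It assumes the resolver queries go to the public DNS-over-HTTPS JSON endpoints of Cloudflare (`https://cloudflare-dns.com/dns-query`) and Google (`https://dns.google/resolve`), whose answers carry MX data as `"<preference> <host>."`; the table mapping MX hostnames to login templates is a constructed subset standing in for the kit's list of 114 brands, and the sample resolver answers are constructed so the code runs offline.

```javascript
// Added example: reconstructs the MX-to-template selection described in the article.
// Not the kit's own code; the provider table and sample DoH answers are constructed.

// Public DNS-over-HTTPS JSON endpoints (Cloudflare and Google, as named in the article).
const DOH_ENDPOINTS = {
  cloudflare: (name) => `https://cloudflare-dns.com/dns-query?name=${encodeURIComponent(name)}&type=MX`,
  google:     (name) => `https://dns.google/resolve?name=${encodeURIComponent(name)}&type=MX`,
};

// Assumed mapping from MX hostname suffix to the login page to serve.
// The real kit covers ~114 brands; this is an illustrative subset only.
const MX_TEMPLATES = [
  { suffix: ".google.com",                  template: "gmail" },
  { suffix: ".googlemail.com",              template: "gmail" },
  { suffix: ".mail.protection.outlook.com", template: "microsoft" },
  { suffix: ".yahoodns.net",                template: "yahoo" },
];
const FALLBACK_TEMPLATE = "roundcube"; // served when the MX is unrecognised (per the article)

// Extract the mail domain from an address; null for anything that is not user@domain.
function domainOf(email) {
  const m = /^[^@\s]+@([^@\s]+)$/.exec(String(email).trim());
  return m ? m[1].toLowerCase() : null;
}

// Build the resolver URL the page would fetch (the fetch itself is left to the caller).
function dohUrlFor(resolver, email) {
  const domain = domainOf(email);
  if (!domain || !DOH_ENDPOINTS[resolver]) return null;
  return DOH_ENDPOINTS[resolver](domain);
}

// Parse a DoH JSON answer into MX hostnames ordered by preference.
// Each MX "data" field has the form "<pref> <host>." (type 15 = MX).
function mxHostsFromDoh(dohJson) {
  if (!dohJson || dohJson.Status !== 0 || !Array.isArray(dohJson.Answer)) return [];
  return dohJson.Answer
    .filter((rr) => rr.type === 15)
    .map((rr) => {
      const [pref, host] = String(rr.data).trim().split(/\s+/);
      return { pref: Number(pref), host: host.replace(/\.$/, "").toLowerCase() };
    })
    .sort((a, b) => a.pref - b.pref)
    .map((rr) => rr.host);
}

// Pick the template: first MX host whose suffix matches a known provider, else Roundcube.
function chooseTemplate(mxHosts) {
  for (const host of mxHosts) {
    const hit = MX_TEMPLATES.find((t) => host === t.suffix.slice(1) || host.endsWith(t.suffix));
    if (hit) return hit.template;
  }
  return FALLBACK_TEMPLATE;
}

// End to end: given the victim's address and the resolver's answer, choose the page.
function templateFor(email, dohJson) {
  if (!domainOf(email)) return FALLBACK_TEMPLATE;
  return chooseTemplate(mxHostsFromDoh(dohJson));
}

// Constructed sample resolver answers (the shape of real DoH JSON; values illustrative).
const SAMPLE_DOH = {
  "gmail.com": { Status: 0, Answer: [
    { name: "gmail.com", type: 15, TTL: 300, data: "10 alt1.gmail-smtp-in.l.google.com." },
    { name: "gmail.com", type: 15, TTL: 300, data: "5 gmail-smtp-in.l.google.com." },
  ] },
  "example.org": { Status: 0, Answer: [
    { name: "example.org", type: 15, TTL: 300, data: "10 mail.example.org." },
  ] },
  "nxdomain.test": { Status: 3 }, // NXDOMAIN: no Answer section
};

console.log(templateFor("victim@gmail.com", SAMPLE_DOH["gmail.com"]));     // gmail
console.log(templateFor("victim@example.org", SAMPLE_DOH["example.org"])); // roundcube
console.log(dohUrlFor("google", "victim@gmail.com"));
```

Two practical consequences follow from this logic. The landing page only needs the victim's address (typically carried in the URL or fragment) to pick its template, so a sandbox that opens the link without a realistic address is likely to see only the Roundcube fallback rather than the branded page. And because the lookup is made from the browser, a request from a user's machine to cloudflare-dns.com or dns.google immediately after loading an unfamiliar page is a signal worth correlating with the mail that delivered the link.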
"This attack method is advantageous to bad actors because it enables them to carry out targeted attacks on victims by displaying web content strongly related to their email service provider," Infoblox said.
"The overall phishing experience feels natural because the design of the landing page is consistent with the spam email's message. This technique helps the actor trick the victim into submitting their email credentials via the phishing web form."