Phishing-as-a-service operation uses DNS-over-HTTPS for evasion

A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection. The platform also leverages DNS email exchange (MX) records to identify victims’ email providers and to dynamically serve spoofed login pages for more than 114 brands. Morphing Meerkat has been active since at least 2020 and it was discovered by security researchers at Infoblox. Although the activity has been partially documented, it went mostly under the radar for years. Large-scale phishing operation Morphing Meerkat is a PhaaS platform providing a complete toolkit for launching effective, scalable, and evasive phishing attacks that require minimal technical knowledge. It features a centralized SMTP infrastructure to distribute spam emails, with 50% of the traced emails originating from internet services provided by iomart (UK) and HostPapa (US). The operation can impersonate more than 114 email and service provi ... Read full article.