@gbhackers.com
//
The Haozi Phishing-as-a-Service (PhaaS) platform has resurfaced, marking a concerning development in the cybercrime landscape. This Chinese-language operation distinguishes itself with its ease of use, comprehensive customer support, and a cartoon mouse mascot, lowering the barrier to entry for aspiring cybercriminals. Haozi provides a "plug-and-play" system, transforming complex phishing campaigns into point-and-click operations accessible to those with minimal technical expertise. The platform boasts a fully automated, web-based control panel, enabling users to manage multiple phishing campaigns, filter traffic, view stolen credentials, and fine-tune attack behavior.
Haozi's business model resembles that of legitimate software companies, offering a subscription plan and à la carte sales. Transactions are conducted using Tether (USDT), with the associated wallet having processed over $280,000 to date. The platform also monetizes the broader attack ecosystem by selling advertising space that connects buyers to third-party services such as SMS gateways. This allows Haozi to act as a middleman, generating revenue not only from phishing kits but also from ancillary services. According to reports, the Haozi platform immediately gained nearly 2,000 followers on Telegram after its initial community on the encrypted messaging app was dismantled.
What sets Haozi apart is its fully automated installation process. Attackers simply input their server credentials into a hosted installation page, and the system automatically deploys a phishing site and admin dashboard, eliminating the need for command-line setup or server configuration. The kits themselves simulate real user experiences, with phishing templates mimicking bank verification and credit card prompts with response logic. For example, after capturing credit card details, the operator may decide to request a 2FA code based on the response received from a card transaction attempt. The resurgence of Haozi highlights the escalating threat presented by PhaaS networks and underscores the need for intensified cybersecurity training programs.
References:
- cyberpress.org: Haozi’s Plug-and-Play Phishing Attack Nets Over $280,000 from Victims
- securityonline.info: Haozi Returns: The Phishing-as-a-Service Platform Making Cybercrime Easy
- gbhackers.com: Haozi’s Plug-and-Play Phishing Attack Steals Over $280,000 From Users
- www.scworld.com: Activity of Haozi phishing service surging, report finds
Fogerlog@phishingtackle.com
//
A new sophisticated Phishing-as-a-Service (PhaaS) platform, dubbed "Morphing Meerkat," is exploiting DNS MX records to dynamically deliver tailored phishing pages, targeting over 100 brands. This operation enables both technical and non-technical cybercriminals to launch targeted attacks, bypassing security systems through the exploitation of open redirects on adtech servers and compromised WordPress websites. The platform's primary attack vector involves mass spam delivery and dynamic content tailoring, evading traditional security measures.
Researchers have discovered that Morphing Meerkat queries DNS MX records using Cloudflare DoH or Google Public DNS to customize fake login pages based on the victim's email service provider. This technique allows the platform to map these records to corresponding phishing HTML files, featuring over 114 unique brand designs. This personalized phishing experience significantly increases the likelihood of successful credential theft. The phishing kit also uses code obfuscation and anti-analysis measures to hinder detection, and it supports over a dozen languages to target users globally.
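Because the MX lookup described above is an HTTPS request to a public resolver's JSON API, it is visible in web proxy logs. The following detection sketch is an added example, not code from the researchers or the sources listed here; it assumes a TLS-inspecting proxy that writes JSON lines with `client`, `url` and `referer` fields, and the allowlist host and sample log are constructed.

```python
import json
from urllib.parse import parse_qs, urlsplit

# JSON DoH endpoints of the two resolvers named above (Cloudflare, Google).
DOH_ENDPOINTS = {("cloudflare-dns.com", "/dns-query"), ("dns.google", "/resolve")}
# Hypothetical allowlist of internal pages that legitimately issue DoH lookups.
ALLOWED_PAGE_HOSTS = {"mailcheck.corp.example"}

def mx_lookup(url):
    """Return the queried name if url is a DoH JSON request for MX, else None."""
    parts = urlsplit(url)
    if (parts.hostname, parts.path) not in DOH_ENDPOINTS:
        return None
    qs = parse_qs(parts.query)
    # 15 is the numeric resource record type for MX.
    if qs.get("type", [""])[0].upper() not in ("MX", "15"):
        return None
    names = qs.get("name")
    return names[0].rstrip(".").lower() if names else None

def find_suspect_lookups(log_lines):
    """Flag MX-over-DoH requests made from pages outside the allowlist."""
    findings = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if not isinstance(rec, dict):
            continue
        name = mx_lookup(rec.get("url") or "")
        if name is None:
            continue
        page_host = urlsplit(rec.get("referer") or "").hostname
        if page_host in ALLOWED_PAGE_HOSTS:
            continue
        findings.append({"client": rec.get("client"), "page_host": page_host, "mx_query": name})
    return findings

# Constructed sample proxy log (JSON lines); not real traffic.
SAMPLE_LOG = [
    '{"client": "10.0.0.5", "url": "https://dns.google/resolve?name=victimco.example&type=MX", "referer": "https://login-portal.example/"}',
    '{"client": "10.0.0.9", "url": "https://cloudflare-dns.com/dns-query?name=example.org.&type=15", "referer": ""}',
    '{"client": "10.0.0.5", "url": "https://dns.google/resolve?name=example.net&type=A", "referer": "https://login-portal.example/"}',
    '{"client": "10.0.0.7", "url": "https://cloudflare-dns.com/dns-query?name=corp.example&type=mx", "referer": "https://mailcheck.corp.example/tool"}',
    'not a json line',
]
if __name__ == "__main__":
    for finding in find_suspect_lookups(SAMPLE_LOG):
        print(finding)
```

A hit is a lead for triage rather than a verdict: the `page_host` that triggered the lookup is the thing to investigate, and the `mx_query` value shows which mail domain the page was profiling.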
References:
- The Hacker News: Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.
- : Morphing Meerkat PhaaS Platform Spoofs 100+ Brands
- www.scworld.com: More than 100 brands' login pages have been spoofed by the newly emergent Morphing Meerkat phishing-as-a-service platform through the exploitation of Domain Name System mail exchange records, The Hacker News reports.
- Cyber Security News: Hackers Use DNS MX Records to Generate Fake Login Pages for Over 100+ Brands
- The DefendOps Diaries: Morphing Meerkat: A Sophisticated Phishing-as-a-Service Threat
- www.techradar.com: This new phishing campaign can tailor its messages to target you with your favorite businesses
- Christoffer S.: Morphing Meerkat: Advanced Phishing-as-a-Service Platform Using DNS MX Records for Tailored Attacks
- hackread.com: Details advanced phishing operation exploiting DNS vulnerabilities.
- Infoblox Blog: Threat actors are increasingly adept at leveraging DNS to enhance the effectiveness of their cyber campaigns. We recently discovered a DNS technique used to tailor content to victims.
- www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
- Cyber Security News: A sophisticated phishing operation has emerged that creatively leverages DNS mail exchange (MX) records to dynamically serve fake login pages tailored to victims' email providers.
- gbhackers.com: The platform, which has been operational since at least January 2020, employs a range of advanced techniques to evade detection and target users globally.
- securityaffairs.com: A PhaaS platform, dubbed 'Morphing Meerkat,' uses DNS MX records to spoof over 100 brands and steal credentials, according to Infoblox Threat Intel
- Blog: Cybersecurity researchers are tracking a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that employs DNS over HTTPS (DoH) to avoid detection.
- : Phishing kits going to great lengths to personalise attacks
- Malwarebytes: Infoblox researchers discovered a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that generates multiple phishing kits and spoofs login pages of over 100 brands using DNS mail exchange (MX) records.
- securityaffairs.com: Morphing Meerkat phishing kits exploit DNS MX records
- bsky.app: A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection.
- Talkback Resources: Morphing Meerkat phishing kits exploit DNS MX records
- Security Risk Advisors: 🚩Morphing Meerkat’s Phishing-as-a-Service Leverages DNS MX Records for Targeted Attacks
- Talkback Resources: New Morphing Meerkat PhaaS platform examined
- Virus Bulletin: An Infoblox report looks into a DNS technique used to tailor content to victims. A phishing kit developed by the Morphing Meerkat actor creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored login pages, spoofing over 100 brands.
- : Phishing-as-a-Service Exposed: DNS-over-HTTPS Fuels the Morphing Meerkat Attack