Inside Morphing Meerkat and Proton66: How Cybercrime Is Getting Easier

The cybercrime landscape is evolving fast—and becoming frighteningly accessible. In a recent episode of the Breaking Badness podcast, researchers dissected two rising threats: Morphing Meerkat, a phishing-as-a-service (PhaaS) platform leveraging DNS-over-HTTPS, and Proton66, a bulletproof hosting provider popular with low-skill cybercriminals.

Morphing Meerkat: Phishing for the Masses

Morphing Meerkat exemplifies the democratization of phishing. As Tim Helming of DomainTools explained, this platform lets almost anyone launch sophisticated attacks with minimal technical skills. Here’s how it works:

  1. Spam Campaigns: Targets receive phishing emails with deceptive links.
  2. DoH-Based Detection: The platform uses DNS-over-HTTPS (DoH) to detect the victim’s mail provider via MX record lookups—while hiding this query from standard security tools.
  3. Tailored Phishing Pages: Victims see login screens mimicking their provider (e.g. Gmail, Outlook).
  4. Credential Harvesting: A fake “password retry” screen boosts the odds of getting accurate credentials.
  5. Exfiltration: Stolen logins are sent to attackers via email or Telegram bots.

Why it matters: DoH makes it harder for defenders to monitor DNS queries, weakening a critical line of defense in threat detection.

Proton66: A Safe Haven for Low-Skill Hackers

The episode also covered Proton66, a Russia-based bulletproof hosting provider that turns a blind eye to phishing, malware, and other illegal activities.

Unlike covert services, Proton66 openly hosts malicious infrastructure, offering amateur hackers a launchpad. DomainTools researcher Ian Campbell detailed how the group Coquette—also stylized as “ettte”—used Proton66 to distribute fake antivirus software called Cyber Secure Pro.

OPSEC mistakes exposed the operation:

  • Directory listing was left enabled, revealing malware and backend scripts.
  • Analytics tags connected the site to other malicious domains.
  • Traces led to the Horrid group, a loose collective that nurtures novice cybercriminals into more capable threats.

Key Takeaways for Defenders

These cases highlight how cybercrime infrastructure is being streamlined for mass use. The bar to entry is lower—but the risk remains real. Experts offered key recommendations:

  • Don’t underestimate low-skill actors. Many successful attacks come from amateur hackers using professional-grade tools.
  • Monitor DNS traffic. Consider blocking or logging DNS-over-HTTPS to prevent stealthy lookups.
  • Map infrastructure. Use tools to connect domains, analytics tags, and hosting footprints.
  • Educate users. Phishing remains a critical threat vector; human error is still exploitable.
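The DoH MX lookup in step 2 of the Morphing Meerkat flow is exactly what the "monitor DNS traffic" recommendation targets. As an added example (not code from the podcast or DomainTools), this Python script scans constructed web-proxy log lines for GET-form DoH queries to a short hypothetical resolver list, decodes the RFC 8484 base64url wire-format question, and flags MX lookups; the resolver list, log format and sample lines are assumptions.

```python
import base64
import struct
from urllib.parse import urlparse, parse_qs

DOH_RESOLVERS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}  # hypothetical short list
QTYPE_NAMES = {1: "A", 15: "MX", 16: "TXT", 28: "AAAA"}
def encode_dns_query(qname, qtype):
    # Minimal wire-format query (id 0 as RFC 8484 suggests, RD set); used only to build sample logs.
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def decode_dns_question(wire):
    # (qname, qtype) of the first question in a wire-format DNS message, or None if malformed.
    pos, labels = 12, []
    while pos < len(wire) and 0 < wire[pos] < 64:  # labels end at 0; 0xC0 pointers are invalid here
        labels.append(wire[pos + 1:pos + 1 + wire[pos]].decode("ascii", "replace"))
        pos += 1 + wire[pos]
    if pos + 3 > len(wire) or wire[pos] != 0:
        return None
    return ".".join(labels), struct.unpack("!H", wire[pos + 1:pos + 3])[0]

def classify_url(url):
    # (resolver, qname, qtype name) for a DoH GET to a known resolver, else None.
    u = urlparse(url)
    qs = parse_qs(u.query) if u.hostname in DOH_RESOLVERS else {}
    if "dns" in qs:  # RFC 8484 GET form: base64url wire-format message, padding stripped
        raw = qs["dns"][0]
        q = decode_dns_question(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
        return (u.hostname, q[0], QTYPE_NAMES.get(q[1], str(q[1]))) if q else None
    if "name" in qs:  # JSON API form (application/dns-json): name=...&type=...
        return u.hostname, qs["name"][0], qs.get("type", ["A"])[0].upper()
    return None

def find_doh_mx_lookups(log_lines):
    # Flag DoH MX lookups in "timestamp client method url" lines (POST bodies are not visible here).
    hits = []
    for line in log_lines:
        ts, client, method, url = line.split(maxsplit=3)
        info = classify_url(url) if method == "GET" else None
        if info and info[2] == "MX":
            hits.append((ts, client, info[0], info[1]))
    return hits

# Constructed sample log lines (not real traffic): two DoH MX lookups and one DoH A lookup that must not fire.
_wire = base64.urlsafe_b64encode(encode_dns_query("victim.example", 15)).rstrip(b"=").decode()
SAMPLE_LOG = [
    f"2025-05-01T10:00:01Z 10.0.0.5 GET https://cloudflare-dns.com/dns-query?dns={_wire}",
    "2025-05-01T10:00:02Z 10.0.0.6 GET https://dns.google/resolve?name=victim.example&type=MX",
    "2025-05-01T10:00:03Z 10.0.0.7 GET https://dns.quad9.net/dns-query?name=victim.example&type=A",
]
```

Queries sent with POST carry the DNS message in the body, so catching those needs the proxy to log the `application/dns-message` content type as well as the URL.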

As Helming put it:

“This isn’t nation-state level tradecraft, but it’s still effective—and more people can do it now.”


Read more at domaintools

News Source: domaintools. This article does not represent our position.
