ChannelLife India - Industry insider news for technology resellers

Morphing Meerkat leads sophisticated phishing operation

Tue, 1st Apr 2025

Infoblox Threat Intel has identified a new Phishing-as-a-Service (PhaaS) cybercriminal operation, led by an actor known as Morphing Meerkat.

The Morphing Meerkat operation makes use of Domain Name System (DNS) mail exchange (MX) records to deceive victims into entering their login credentials on fraudulent email login pages. These malicious pages mimic the genuine login interfaces of victims' email service providers, allowing cybercriminals to capture sensitive information.

Once login credentials are captured, they are transmitted to the responsible criminals. The implications for organisations are considerable, as compromised credentials can facilitate network infiltration, data theft, and the potential for additional cyberattacks, leading to financial losses, damaged reputations, and possible legal repercussions.

Morphing Meerkat is reported to spoof over 100 different brands, significantly broadening the scope of potential targets. By leveraging MX records, the phishing operation is able to generate tailored, realistic login pages based on the intended victim's email service provider. This adaptability is seen as a sophisticated use of existing DNS structures to carry out its deceptive practices.

Infoblox Threat Intel's discovery outlines how the phishing kit operates by dynamically querying the MX record of a target's email domain. The savvy use of this information results in the presentation of a convincing fake login page, optimised to deceive the user into entering sensitive details. Moreover, after initial unsuccessful login attempts, users are often redirected to their genuine email provider's login page, reducing suspicion regarding the phishing activity.

The operation's global reach is enhanced by the capability to present these fake login interfaces in multiple languages, allowing the phishing attempts to reach users across various regions effectively. Additionally, the platform's evasion techniques, such as code obfuscation and the use of open redirects on adtech servers, allow it to bypass traditional security measures, escalating the threat level.

The PhaaS model employed by Morphing Meerkat is noted particularly for its scalability, enabling even those with minimal technical expertise to execute extensive phishing campaigns. This scalability poses a formidable challenge to enterprises as the barrier to entry for cybercriminals is lowered significantly.

Organisations are advised to bolster their security protocols to counteract such sophisticated threats. Karen McMillan, Chief Information Security Officer, remarked, "Visibility and monitoring are essential for effective enterprise security. Morphing Meerkat exemplifies how cybercriminals exploit security blind spots using advanced techniques like DNS cloaking and open redirects. Organisations can protect themselves against these kinds of attacks by adding a strong layer of DNS security to their systems."

She further recommended, "This involves tightening DNS control so that users cannot communicate with DoH servers or blocking user access to adtech and file sharing infrastructure not critical to the business. If companies can reduce the number of unimportant services in their network, they can reduce their attack surface, giving fewer options to cybercriminals for threat delivery."
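For defenders acting on this advice, one source of the visibility McMillan describes is the web proxy log, where client-side DNS-over-HTTPS (DoH) lookups of MX records can be flagged. The Python code below is an added example, not from Infoblox or the article; the DoH hostnames (the article names no resolver), the log format and the sample lines are assumptions constructed for illustration.

```python
import base64, binascii, struct
from urllib.parse import urlsplit, parse_qs

# Assumption: well-known public DoH hosts; the article does not name the resolvers.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}
MX = 15  # DNS QTYPE number for MX records

def wire_qtype(b64):
    """QTYPE of the first question in a base64url DNS message (RFC 8484 GET)."""
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    pos = 12                      # skip the fixed 12-byte DNS header
    while msg[pos]:               # walk length-prefixed labels to the root label
        pos += 1 + msg[pos]
    return struct.unpack_from("!H", msg, pos + 1)[0]

def classify(method, url):
    """Return 'doh-mx', 'doh-other', 'doh-opaque' or None for one request."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in DOH_HOSTS:
        return None
    if method != "GET":
        return "doh-opaque"       # POST carries the query in the body, unseen here
    q = parse_qs(parts.query)
    if "dns" in q:                # wire-format query embedded in the URL
        try:
            return "doh-mx" if wire_qtype(q["dns"][0]) == MX else "doh-other"
        except (IndexError, struct.error, binascii.Error, ValueError):
            return "doh-opaque"   # malformed or truncated message
    qtype = q.get("type", ["A"])[0].upper()   # JSON API: type by name or number
    return "doh-mx" if qtype in ("MX", str(MX)) else "doh-other"

# Constructed sample: a wire-format MX query for example.com, then proxy log lines.
WIRE_MX_QUERY = base64.urlsafe_b64encode(
    b"\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x0f\x00\x01").rstrip(b"=").decode()
SAMPLE_LOG = f"""\
2025-04-01T09:14:02Z 10.0.4.17 GET https://dns.google/resolve?name=example.com&type=MX
2025-04-01T09:14:05Z 10.0.4.17 GET https://www.example.org/index.html
2025-04-01T09:15:40Z 10.0.7.33 GET https://cloudflare-dns.com/dns-query?dns={WIRE_MX_QUERY}
2025-04-01T09:16:11Z 10.0.7.33 GET https://cloudflare-dns.com/dns-query?name=example.net&type=A
2025-04-01T09:17:29Z 10.0.9.2 POST https://cloudflare-dns.com/dns-query
"""

def scan(log_text):
    """Yield (timestamp, client, verdict) for every DoH request in the log."""
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)   # timestamp, client, method, URL
        if len(fields) == 4 and (verdict := classify(*fields[2:])):
            yield fields[0], fields[1], verdict
```

The `doh-opaque` verdict marks DoH traffic whose query type cannot be read from the URL, which is why the quoted recommendation is to block user access to DoH servers rather than rely on inspection alone.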
