Meerkat Mayhem: Phishing-As-A-Service Unleashed
Morphing Meerkat spoofs over 100 brands and steals credentials
AUCKLAND, NEW ZEALAND – April 1, 2025 – Infoblox Threat Intel has uncovered a highly sophisticated Phishing-as-a-Service (PhaaS) platform that poses a significant threat to businesses globally.
The threat actor behind these campaigns, dubbed "Morphing Meerkat", creatively employs Domain Name System (DNS) mail exchange (MX) records to dynamically serve fake login pages that spoof over 100 brands and steal login credentials.
When a victim clicks on a phishing link, the phishing kit queries the MX record of the victim's email domain to determine their email service provider. Based on the MX record, the phishing kit dynamically serves a fake login page that mimics the victim's real email service provider's login page. This novel DNS technique allows the actor to customise content for victims using mail configurations that exist for other purposes. It is a DNS version of the technique referred to as “living off the land”, in which threat actors use elements of the existing environment to hide.
Morphing Meerkat is a sophisticated phishing kit that provides cybercriminals with:
- Credential Theft: Once victims enter their login credentials on the fake page, Morphing Meerkat steals the credentials and sends them to the cybercriminals.
- Redirection: To avoid suspicion, the phishing kit often redirects the victim to the real login page of their email service provider after a couple of failed login attempts.
- Global Reach: The phishing kit can translate the fake login pages into multiple languages, targeting users worldwide.
- Individual bait: The use of MX records to dynamically serve tailored phishing pages makes the phishing attempts more convincing.
- Evasion Techniques: The platform employs various evasion techniques to bypass traditional security systems, such as using open redirects on adtech servers and obfuscating code to hinder analysis.
- Scalability: As a PhaaS platform, it allows even non-technical cybercriminals to launch large-scale phishing campaigns, making it a significant threat.
When cybercriminals get hold of login credentials through a phishing scam like Morphing Meerkat, the impact can be severe, especially for enterprises. With these credentials, they can infiltrate corporate networks, steal sensitive data, and even launch further attacks. This can lead to significant financial losses, reputational damage, and legal liabilities for businesses. Additionally, compromised accounts can be used to send phishing emails to other employees or clients, spreading the attack further and causing widespread disruption.
Visibility and monitoring are essential for effective enterprise security. Morphing Meerkat exemplifies how cybercriminals exploit security blind spots using advanced techniques like DNS cloaking and open redirects. Organisations can protect themselves against these kinds of attacks by adding a strong layer of DNS security to their systems. This involves tightening DNS control so that users cannot communicate with DNS-over-HTTPS (DoH) servers, and blocking user access to adtech and file-sharing infrastructure that is not critical to the business. If companies can reduce the number of unimportant services in their network, they can reduce their attack surface, giving cybercriminals fewer options for threat delivery.
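As an added illustration of the monitoring this paragraph calls for (example code, not from Infoblox or the report), the following Python flags two signals a user workstation should not normally produce: MX queries reaching the corporate resolver, and TLS sessions to public DoH resolvers. The workstation subnet, the DoH hostname list and both log formats are assumptions.

```python
import ipaddress

# Assumed address plan for user workstations (constructed; adjust to your network).
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Public DoH resolver hostnames (assumed starter list, not taken from the report).
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net"}

def is_workstation(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)

def flag_mx_queries(dns_lines):
    """Flag MX lookups issued by workstations (constructed format: 'ts client qname qtype').
    Browsing endpoints have no reason to resolve MX records; mail servers do."""
    findings = []
    for line in dns_lines:
        _, client, qname, qtype = line.split()
        if qtype.upper() == "MX" and is_workstation(client):
            findings.append(("mx-query-from-workstation", client, qname))
    return findings

def flag_doh_sessions(tls_lines):
    """Flag TLS sessions from workstations to public DoH resolvers (format: 'ts client sni').
    An MX lookup done over DoH bypasses the corporate resolver, so the SNI is where it shows."""
    findings = []
    for line in tls_lines:
        _, client, sni = line.split()
        if sni.lower() in DOH_HOSTS and is_workstation(client):
            findings.append(("doh-from-workstation", client, sni))
    return findings

# Constructed sample logs: a benign A lookup, an MX lookup from a desktop,
# an MX lookup from the mail relay (expected), and a DoH session from a desktop.
SAMPLE_DNS = [
    "12:00:01 10.20.5.17 www.example.com A",
    "12:00:02 10.20.5.17 victim-company.example MX",
    "12:00:03 10.50.0.10 partner.example MX",
]
SAMPLE_TLS = [
    "12:00:04 10.20.5.17 cloudflare-dns.com",
    "12:00:05 10.20.5.18 www.example.com",
]

if __name__ == "__main__":
    for finding in flag_mx_queries(SAMPLE_DNS) + flag_doh_sessions(SAMPLE_TLS):
        print(*finding)
```

Both checks only see what the corporate resolver and TLS inspection point observe, which is why the blog's advice to block DoH matters: without that control the MX lookup never appears in the first log at all.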
Read the full blog here: https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/