ChannelLife New Zealand - Industry insider news for technology resellers

Morphing Meerkat leads sophisticated phishing operation

Tue, 1st Apr 2025

Cybersecurity researchers at Infoblox Threat Intel have identified a new and sophisticated cybercriminal operation dubbed "Morphing Meerkat," which delivers phishing campaigns through a Phishing-as-a-Service (PhaaS) model. The technique leverages Domain Name System (DNS) mail exchange (MX) records to present fake email login pages tailored to each victim's email provider.

Morphing Meerkat uses a phishing kit that queries the MX record of the target's email domain. By doing so, it dynamically determines the correct email service provider and serves a spoofed login page that closely resembles the authentic one. "This novel DNS technique allows the actor to customise content for victims using mail configurations that exist for other purposes," Infoblox explained in a statement. "It is a DNS version of the technique referred to as 'living off the land', in which threat actors use elements of the existing environment to hide."

The campaign has spoofed more than 100 brands worldwide, with login credentials harvested by the fake pages sent directly to cybercriminals. Once users enter their details, the platform redirects them to the legitimate login page after a few failed attempts, making the deception harder to detect.

The phishing kit also offers features aimed at widening its global impact and effectiveness. "The phishing kit can translate the fake login pages into multiple languages, targeting users worldwide," Infoblox noted. By tailoring each attack to the individual victim, Morphing Meerkat significantly increases the chance of success. "The use of MX records to dynamically serve tailored phishing pages makes the phishing attempts more convincing."

Infoblox also highlighted the broader implications for enterprises. "When cybercriminals get hold of login credentials through a phishing scam like Morphing Meerkat, the impact can be severe, especially for enterprises," the researchers said. "With these credentials, they can infiltrate corporate networks, steal sensitive data, and even launch further attacks. This can lead to significant financial losses, reputational damage, and legal liabilities for businesses."

Compromised accounts can also become launching points for wider campaigns. "Additionally, compromised accounts can be used to send phishing emails to other employees or clients, spreading the attack further and causing widespread disruption."

According to Infoblox, the Morphing Meerkat phishing kit employs multiple evasion strategies to avoid detection. These include using open redirects on advertising technology servers and obfuscating code to hinder analysis. The scalable design of the platform allows even less technically proficient cybercriminals to launch large-scale campaigns with minimal effort.

As cybercriminal techniques become increasingly advanced, the importance of proactive security measures becomes more urgent. "Visibility and monitoring are essential for effective enterprise security," the statement said. "Morphing Meerkat exemplifies how cybercriminals exploit security blind spots using advanced techniques like DNS cloaking and open redirects."

Infoblox recommended that organisations implement robust DNS security protocols to guard against such threats. "Organisations can protect themselves against these kinds of attacks by adding a strong layer of DNS security to their systems. This involves tightening DNS control so that users cannot communicate with DoH servers or blocking user access to adtech and file sharing infrastructure not critical to the business."

"Reducing the number of unimportant services in their network," they added, "gives fewer options to cybercriminals for threat delivery."
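As an added illustration of the DNS monitoring recommended above (not code from Infoblox or ChannelLife), the following Python sketch scans resolver query logs for two signals: workstations resolving public DoH endpoints, and MX queries from hosts that are not mail servers. A query sent over DoH does not pass through the internal resolver, so the lookup of the DoH endpoint's hostname is what remains visible. The log format, IP addresses and mail-server allowlist are assumptions, and the DoH host list is a short illustrative set.

```python
"""Flag DoH resolver lookups and non-mail-host MX queries in DNS resolver logs."""
from collections import defaultdict

# Well-known public DoH endpoints (illustrative, not a complete blocklist).
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Assumption: hosts that legitimately issue MX queries (mail gateways).
MAIL_SERVERS = {"10.0.9.10"}

# Constructed sample log; assumed format: "<timestamp> <client_ip> <qtype> <qname>".
SAMPLE_LOG = """
2025-04-01T09:00:01Z 10.0.5.21 A intranet.example.com
2025-04-01T09:00:02Z 10.0.5.21 A dns.google
2025-04-01T09:00:03Z 10.0.9.10 MX example.org
2025-04-01T09:00:04Z 10.0.5.33 MX example.net
2025-04-01T09:00:05Z 10.0.5.33 AAAA mozilla.cloudflare-dns.com.
2025-04-01T09:00:06Z 10.0.5.40 A mail.example.com
malformed line
"""

def parse_line(line):
    """Return (ts, client, qtype, qname) or None for blank/malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    # Normalise: upper-case type, strip the trailing root dot, lower-case name.
    return ts, client, qtype.upper(), qname.rstrip(".").lower()

def is_doh_host(qname):
    """True if qname is a listed DoH endpoint or a subdomain of one."""
    return any(qname == h or qname.endswith("." + h) for h in DOH_HOSTS)

def find_suspicious(log_text, mail_servers=MAIL_SERVERS):
    """Map client IP -> list of (timestamp, reason, qname) findings."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qtype, qname = rec
        if is_doh_host(qname):
            findings[client].append((ts, "doh-resolver-lookup", qname))
        elif qtype == "MX" and client not in mail_servers:
            findings[client].append((ts, "mx-query-from-non-mail-host", qname))
    return dict(findings)

if __name__ == "__main__":
    for client, hits in sorted(find_suspicious(SAMPLE_LOG).items()):
        for ts, reason, qname in hits:
            print(f"{ts} {client} {reason} {qname}")
```

Neither signal is proof of phishing on its own; both are leads for triage, and the DoH finding also shows where a block rule is not yet in place.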
