New Phishing-as-a-Service Platform ‘Morphing Meerkat’ Mimics Login Pages for Over 114 Brands

123/68 Monday, March 31, 2025

Cybersecurity researchers have uncovered a new Phishing-as-a-Service (PhaaS) platform called Morphing Meerkat, capable of spoofing login pages for over 114 well-known brands. This tool dynamically generates fake login pages based on a target’s email provider, determined by querying DNS MX records—for example, Gmail, Outlook, or Yahoo—ensuring the phishing page matches the user’s actual email service. According to Infoblox, a DNS intelligence firm, the threat actors behind Morphing Meerkat leverage open redirect vulnerabilities in advertising platforms, hijack legitimate domains, and share stolen credentials through Telegram channels.

Forcepoint observed one campaign using Morphing Meerkat in July 2024, in which phishing emails included links to fake documents. When clicked, the links redirected victims to fake login pages hosted on Cloudflare R2 that were used to steal credentials. The platform also abuses compromised WordPress websites and open redirect flaws in platforms like Google’s DoubleClick to evade security systems. Notably, the phishing messages can be automatically translated into more than 12 languages, including English, Korean, Spanish, Russian, German, Chinese, and Japanese, which allows campaigns to target users globally.
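For mail-gateway or SOC triage, the delivery chain described above (a link that passes through an ad platform's open redirect and lands on a page hosted on Cloudflare R2) can be checked offline by unwrapping URLs nested in query parameters. The following Python is an added example, not code from Infoblox, Forcepoint or the source article; the `r2.dev` suffix, the match lists, the finding labels and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed match lists for this example; extend them for your environment.
REDIRECTOR_SUFFIXES = ("doubleclick.net",)  # ad platform named in the article
STORAGE_SUFFIXES = ("r2.dev",)              # assumed: public Cloudflare R2 bucket hosts
MAX_HOPS = 5
# Constructed sample links; path, parameter name and bucket host are placeholders.
SAMPLE_WRAPPED = ("https://ads.doubleclick.net/click?id=1&target="
                  "https%3A%2F%2Fpub-00000000.r2.dev%2Finvoice.html")
SAMPLE_BENIGN = "https://www.example.com/news?id=7"

def host_matches(host, suffixes):
    """True if host equals a suffix or is a subdomain of it (no substring matches)."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def embedded_url(url):
    """Return the first absolute http(s) URL carried in a query value, else None."""
    for _, value in parse_qsl(urlsplit(url).query):
        for _ in range(3):  # parse_qsl decodes once; tolerate extra encoding layers
            if value.lower().startswith(("http://", "https://")):
                return value
            value = unquote(value)
    return None

def unwrap(url):
    """Follow nested URLs offline (no network requests) and return the chain."""
    chain = [url]
    while len(chain) <= MAX_HOPS:
        nxt = embedded_url(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain

def triage(url):
    """Flag links that pass through an ad redirector or land on object storage."""
    chain = unwrap(url)
    hosts = [urlsplit(u).hostname for u in chain]
    findings = []
    if len(chain) > 1 and host_matches(hosts[0], REDIRECTOR_SUFFIXES):
        findings.append("ad-redirector-wraps-external-url")
    if any(host_matches(h, STORAGE_SUFFIXES) for h in hosts):
        findings.append("object-storage-landing")
    return {"final": chain[-1], "hops": len(chain) - 1, "findings": findings}

if __name__ == "__main__":
    for link in (SAMPLE_WRAPPED, SAMPLE_BENIGN):
        print(triage(link))
```

Because the unwrapping is parameter-agnostic, it does not depend on knowing which query parameter a given redirector uses; treat the findings as triage signals to combine with sender and content checks rather than as a verdict.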

What sets Morphing Meerkat apart is its use of DNS MX records, obtained via Cloudflare or Google, to determine the victim’s email provider and serve a matching fake login page. If the provider cannot be identified, the platform defaults to a Roundcube login template. The service also includes anti-analysis features such as disabling right-click, preventing page saving, and blocking access to source code. These advanced tactics, along with the realistic appearance of phishing pages that mirror the initial phishing emails, make Morphing Meerkat a highly deceptive and effective tool for credential theft.

Source: https://thehackernews.com/2025/03/new-morphing-meerkat-phishing-kit.html