PowerDMARC

Morphing Meerkat Phishing Kit: A Deep Dive into Its Threats & Tactics


With over 100 brands spoofed and thousands of phishing emails sent, the Morphing Meerkat PhaaS platform represents a seismic shift in cybercriminal efficiency, leveraging DNS MX records to bypass traditional defenses.

Infoblox reports that the Morphing Meerkat actor has sent thousands of phishing emails, posing a serious threat to global businesses. The scale and sophistication of these attacks demand immediate attention.

Key Takeaways

  • The ‘Morphing Meerkat’ phishing kit recently spoofed more than 100 brands.
  • The threat actors sent over a thousand spam emails, signaling the global scale of the attack.
  • It is likely to result in data theft, business disruptions, and reputational damage. 
  • You can protect yourself against this threat with proper email authentication.

What is the Morphing Meerkat Phishing Kit?

The Morphing Meerkat phishing kit is a set of tools that lets threat actors create websites that look legitimate but are in fact fraudulent. The aim is to trick users into disclosing sensitive information so that attackers can steal data or money. Phishing kits include HTML and PHP code that even beginner hackers can deploy to conduct phishing attacks, and they require minimal technical skill to operate.

These kits include pre-designed email templates and deceptive login pages, along with additional elements that coerce users into surrendering passwords or payment details.

The ‘Morphing Meerkat’ phishing kit uses MX records to spoof brands and harvest credentials. As Infoblox Threat Intel notes, “this attack method is advantageous to bad actors.” This is because the kit displays web content related to the victim’s email service provider, which enables targeted attacks by aligning phishing pages with victims’ email providers.

The phishing process appears legitimate because the landing page’s design is consistent with the spam email’s message. This technique helps the actor trick the victim into submitting their email credentials via the phishing web form.

How Morphing Meerkat Phishing Attacks Work

In this attack, the threat actors customize the phishing content based on the victim’s existing email configuration. They steal the credentials and use them to infiltrate corporate networks, which gives them access to sensitive business data (e.g., credit card information or secret communications).

This toolkit leverages DNS MX records to craft fake login pages, which it then uses to steal credentials. More specifically, the victim must first click the unsafe phishing link. The phishing kit then queries the MX record of the victim’s email domain, which lets it determine the email service provider, and serves a counterfeit login page mimicking that provider.

Every Morphing Meerkat attack has email user login credentials as its target. This was, in fact, the initial point of interest, and while the attack has evolved, the target has remained the same. 

The phishing messages often make use of compromised WordPress websites. They also leverage open redirect vulnerabilities on different advertising platforms, including Google-owned DoubleClick. This helps them easily and effectively bypass security filters.

Impact on Organizations

Here are some ways this toolkit may impact organizations.

 

Constant Attack Evolutions

This phishing kit evolves constantly, becoming more dangerous for organizations. The first Morphing Meerkat campaigns were detected in 2020. Back then, however, the attack was not perceived as particularly dangerous. The initial version could only serve phishing web templates disguised as Gmail, Outlook, AOL, Office 365, and Yahoo. No translation option was available, so the kit could only display English phishing templates.

Today, however, it covers over 114 brand designs. Already in July 2023, the kits were able to load phishing pages according to the accessed DNS MX records. Threat actors now deploy multilingual phishing pages. The supported languages include Spanish, Russian, English, Chinese, Japanese, Korean, German, etc.

Difficult to Detect and Tackle

Compared to many traditional threats, this toolkit employs numerous security evasion features. For example, its threat actors often make use of open redirects on adtech servers. They can also obfuscate code to hinder analysis, and the phishing landing pages add anti-analysis measures on top of that obfuscation.

These measures block the mouse right-click and keyboard shortcuts such as Ctrl+S, which saves the page, and Ctrl+U, which displays its source code, making it harder for analysts to inspect the page.

Gateway to Data Theft

When email credentials get stolen, the hackers may use these to infiltrate corporate networks. This gives them a gateway to data that they’d otherwise not have access to. Whether it’s personal information, business secrets, or financial details, the effects of data theft may be detrimental. 

Potential Reputational Damage

Once the threat actors have the credentials, they may distribute them through channels like Telegram. Thus, the attack might lead not only to data theft but also to an illegal distribution of sensitive data across various channels. This may lead to significant reputational damage and loss of customer trust. 

Operational Disruptions

This toolkit can target entire organizations at the same time. This means it can disrupt workflows at the level of not just a single business but dozens. Besides operational disruptions, this may also bring significant global financial losses. 

Morphing Meerkat Phishing Detection & Mitigation Strategies 

The threat actors behind this phishing attack have a smart mechanism for not getting caught. In case of failed login attempts, the kits redirect the target victim to the actual legitimate login page of their email service provider. While it’s quite hard to detect and mitigate this type of attack, there are still some steps you can take. 

1. Email Authentication Protocols

Leverage email authentication by deploying the SPF, DKIM, and DMARC protocols. They will help you authenticate your emails and reduce the likelihood of successful spoofing attempts. DMARC, DKIM, and SPF work together to ensure that only authorized, legitimate senders can send emails on behalf of your domain. This makes impersonation much harder for hackers, regardless of their technical expertise.
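How the three protocols combine at the receiving server, as an added example that is not code from the original article or from PowerDMARC: a message passes DMARC only if SPF or DKIM passes for a domain aligned with the From: domain, and otherwise the domain's published policy decides what happens. The function names, the two-label organizational-domain shortcut and the sample messages are assumptions made for illustration; `pct` and `sp` handling is left out.

```python
def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real evaluators use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc(record):
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject' into lower-cased tags."""
    pairs = (t.split("=", 1) for t in record.split(";") if "=" in t)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}


def disposition(from_domain, spf, dkim, record):
    """spf is (result, MAIL FROM domain), dkim is (result, d= domain).
    Returns 'pass', or the policy ('none', 'quarantine', 'reject') applied on failure."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags.get("p", "none")
    return policy if policy in ("quarantine", "reject") else "none"


# Constructed messages, both with From: billing@example.com
# Spoofed: SPF passes, but only for the sender's own unrelated domain; no DKIM.
SPOOFED = (("pass", "bulk-sender.example.net"), ("none", ""))
# Genuine but forwarded: SPF breaks, the DKIM signature from a subdomain survives.
GENUINE = (("fail", "forwarder.example.org"), ("pass", "mail.example.com"))

if __name__ == "__main__":
    for record in ("v=DMARC1; p=none", "v=DMARC1; p=reject; adkim=r"):
        print(record, "->", disposition("example.com", *SPOOFED, record),
              "/", disposition("example.com", *GENUINE, record))
```

With `p=none` the spoofed message fails DMARC but is still delivered and only reported, so the protection described above depends on moving the policy to `quarantine` or `reject`.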

2. AI-powered Threat Detection

You can also make use of AI-powered solutions to detect phishing attempts well before they lead to data theft. These tools can detect and examine patterns to provide you with necessary insights into your email activity.

PowerDMARC’s AI-driven DMARC threat intelligence provides real-time insight into spoofing and phishing attempts. It alerts you to spoofing attempts and shows which IP address was responsible for them.

3. DNS Filtering and Monitoring

Use DNS filtering to block communication with suspicious domains and with DoH providers such as Cloudflare and Google, which Morphing Meerkat often uses to generate phishing pages based on MX records. Besides DNS filtering, you should also monitor your DNS traffic for abnormal or suspicious queries.
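One way to implement the monitoring step, as an added example that is not code from the original article or from PowerDMARC: it scans web proxy log lines for DoH requests to the two providers the article names and reports those that ask for an MX record, whether sent through the JSON API or as an RFC 8484 wire-format GET. The three-field log format, the sample lines and the function names are constructed for illustration, and the proxy is assumed to log full URLs.

```python
import base64
import struct
from urllib.parse import urlsplit, parse_qs

DOH_HOSTS = {"cloudflare-dns.com", "dns.google"}  # the two providers the article names
MX = 15  # DNS QTYPE value for MX
SAMPLE_LOG = [  # constructed lines: client IP, requested URL, Referer
    "10.0.4.17 https://dns.google/resolve?name=example.com&type=MX https://landing.example/",
    "10.0.4.22 https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAAPAAE https://landing.example/",
    "10.0.4.30 https://dns.google/resolve?name=example.org&type=A -",
]


def wire_question(msg):
    """Return (qname, qtype) of the first question in a DNS wire-format message."""
    pos, labels = 12, []  # skip the 12-byte header
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    (qtype,) = struct.unpack_from("!H", msg, pos + 1)
    return ".".join(labels), qtype


def doh_mx_lookup(url):
    """Return the domain whose MX record a DoH GET request asks for, else None."""
    parts = urlsplit(url)
    if parts.hostname not in DOH_HOSTS:
        return None
    q = parse_qs(parts.query)
    if "dns" in q:  # RFC 8484 GET: unpadded base64url DNS message
        raw = q["dns"][0]
        try:
            name, qtype = wire_question(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))
        except (ValueError, IndexError, struct.error):
            return None  # malformed message: nothing to attribute
        return name if qtype == MX else None
    qtype = q.get("type", [""])[0].upper()  # JSON API: ?name=<domain>&type=MX or 15
    if qtype in {"MX", str(MX)} and "name" in q:
        return q["name"][0].rstrip(".")
    return None


def flag_proxy_log(lines):
    """Return (client, referer, domain) for each request that resolves MX over DoH."""
    rows = (line.split() for line in lines)
    hits = ((client, ref, doh_mx_lookup(url)) for client, url, ref in rows)
    return [h for h in hits if h[2]]
```

Browsers normally resolve address records rather than MX, so an MX lookup over DoH that carries a web page as its Referer is worth triaging together with that referring URL.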

4. Multi-Factor Authentication (MFA)

Requiring MFA across all critical accounts can help you add one more layer of security. Attackers can’t access your account without the second authentication factor. This is true even when they have access to your credentials.

Final Words

The Morphing Meerkat phishing kit presents serious risks for businesses worldwide. Its techniques and strategies keep evolving and becoming more sophisticated, and so do the potential consequences. As a result, your business might suffer significant data loss and operational disruptions. It might also experience financial damage and reputational harm.

Yet, the good news is that you can detect and prevent these attacks. MFA, DNS filtering, and AI-powered threat detection can all help you prepare for the digital battle. Email authentication protocols can also protect your email communications and enhance your security.

To stay ahead of evolving threats like Morphing Meerkat, schedule a security audit with PowerDMARC today!
