Security systems are powerless against dynamically generated login pages.

Cybersecurity researchers have uncovered a new phishing service operating on a “Phishing-as-a-Service” (PhaaS) model that uses DNS mail server records (MX records) to serve fake login pages impersonating more than a hundred well-known brands. The activity is attributed to a group known as Morphing Meerkat, which is being tracked by Infoblox.
The key feature of the platform is its ability to analyze MX records to determine which mail service the victim uses—whether it’s Gmail, Outlook, or Yahoo!. Depending on the result, a fake login page that closely mimics the original is dynamically loaded. If the mail provider cannot be determined, a default page styled after Roundcube is displayed.
Technically, the attack is highly convincing: a user receives an email containing a link to an allegedly shared document. Clicking the link directs the victim to a fake page hosted on Cloudflare R2, where they are prompted to enter their username and password. All entered credentials are sent directly to Telegram, which the attackers use as a channel for collecting information.
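
The chain described above (a page loaded from Cloudflare R2, then credentials posted to Telegram) leaves a recognizable pair of requests in web proxy logs. The following detection sketch is an added example, not code from Infoblox or Forcepoint; the log format, the sample lines, the 10-minute window and the use of `api.telegram.org` as the collection endpoint are assumptions.

```python
from datetime import datetime, timedelta

R2_SUFFIX = ".r2.dev"              # hostnames of public Cloudflare R2 buckets
TELEGRAM_API = "api.telegram.org"  # assumed collection endpoint (Telegram Bot API)

# Constructed sample: timestamp, client IP, method, host, path
SAMPLE_LOG = """\
2025-03-27T09:14:02 10.0.4.17 GET pub-example0000.r2.dev /doc/index.html
2025-03-27T09:14:40 10.0.4.17 POST api.telegram.org /bot<redacted>/sendMessage
2025-03-27T09:15:10 10.0.4.22 GET pub-example1111.r2.dev /report.html
truncated-line
2025-03-27T10:30:00 10.0.4.22 POST api.telegram.org /bot<redacted>/sendMessage
2025-03-27T11:00:00 10.0.4.30 POST api.telegram.org /bot<redacted>/sendMessage
"""

def parse(line):
    """Return (time, client, method, host), or None for a malformed line."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2].upper(), parts[3].lower().rstrip(".")

def find_suspect_sessions(log_text, window=timedelta(minutes=10)):
    """Flag clients that POST to Telegram shortly after loading an R2-hosted page."""
    last_r2 = {}  # client -> (host, time) of its most recent R2 page load
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, client, method, host = rec
        if host.endswith(R2_SUFFIX):
            last_r2[client] = (host, ts)
        elif host == TELEGRAM_API and method == "POST" and client in last_r2:
            r2_host, r2_ts = last_r2[client]
            gap = ts - r2_ts
            if timedelta(0) <= gap <= window:
                alerts.append((client, r2_host, int(gap.total_seconds())))
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_sessions(SAMPLE_LOG):
        print(alert)
```

Without TLS inspection the request method is not visible to the proxy; matching on the hostname pair alone still works but is noisier in environments where Telegram is in legitimate use.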
The distribution infrastructure involves compromised WordPress sites as well as open redirect vulnerabilities in advertising platforms, including Google’s DoubleClick. This approach helps bypass security filters and deliver the phishing email directly to the victim’s primary mailbox.
The phishing content can be automatically translated into more than a dozen languages, including English, Spanish, Korean, Russian, German, Chinese, and Japanese. This allows the attacks to be easily adapted for different regions and target groups.
The developers employ anti-analysis measures—the page code is obfuscated and artificially inflated, and the interface blocks actions to save or view the HTML code via hotkeys. Right-click functions are also disabled, making it difficult to analyze the pages even at the browser level.
The first signs of Morphing Meerkat’s activity were recorded as early as July 2024, when Forcepoint documented a campaign in which emails with links to “documents” led to fake login pages masquerading as corporate portals. The total number of such phishing campaigns is estimated to be in the thousands.
Analysts note that the sophisticated interface design and visual consistency between the fake pages and the emails make the attack particularly effective. Users encounter a familiar interface and remain unaware that they are entering their credentials on a counterfeit page.
The PhaaS model enables other malicious actors to quickly launch similar attacks without needing deep technical knowledge. Thanks to automation and the exploitation of widespread vulnerabilities, Morphing Meerkat poses a serious threat to companies and individuals around the world.
