Advanced Phishing Platform 'Morphing Meerkat' Impersonates Over 100 Brands

A dangerous new phishing platform that can mimic over 100 different brands has emerged as a major cybersecurity threat, according to research from Infoblox Threat Intel. The platform, operated by a threat actor nicknamed "Morphing Meerkat," uses advanced techniques to create highly convincing fake login pages tailored to each victim.

The platform leverages DNS email exchange (MX) records in an innovative way to customize phishing attacks. When users click on malicious links, the system checks their email domain's MX record and generates a fake login page that matches their actual email provider's design. This makes the phishing attempts extremely difficult to detect.
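A defender can hunt for the MX lookup described above in resolver query logs, since end-user workstations rarely have a reason to request MX records. The following is an added example, not code from the article or from Infoblox. It assumes the lookup reaches a resolver you log; the log format, IP addresses, domains, and function name are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed resolver query log (not real data): timestamp, client IP, qtype, qname.
SAMPLE_LOG = """\
2025-03-28T09:14:02Z 10.0.5.21 A www.example.org.
2025-03-28T09:14:03Z 10.0.1.10 MX partner.example.net.
2025-03-28T09:14:07Z 10.0.5.21 MX corp.example.com.
2025-03-28T09:15:40Z 10.0.5.34 AAAA cdn.example.org.
2025-03-28T09:16:11Z 10.0.5.34 MX corp.example.com.
2025-03-28T09:16:12Z 10.0.5.34 mx Corp.Example.com
malformed line
"""

# Assumed log layout: "<timestamp> <client IPv4> <qtype> <qname>"
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Za-z]+)\s+(\S+)$")


def find_workstation_mx_lookups(log_text, mail_hosts, own_domains):
    """Return {client_ip: [(timestamp, qname, is_own_domain), ...]} for MX
    queries issued by clients that are not known mail infrastructure.

    mail_hosts  -- IPs of mail servers/gateways that legitimately query MX
    own_domains -- the organisation's email domains; an MX query for one of
                   these from a workstation matches the lookup a victim's
                   own address would trigger
    """
    own = {d.lower().rstrip(".") for d in own_domains}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, qtype, qname = m.groups()
        if qtype.upper() != "MX" or client in mail_hosts:
            continue
        name = qname.lower().rstrip(".")  # normalise case and trailing dot
        hits[client].append((ts, name, name in own))
    return dict(hits)


if __name__ == "__main__":
    found = find_workstation_mx_lookups(SAMPLE_LOG, {"10.0.1.10"}, {"corp.example.com"})
    for client, events in sorted(found.items()):
        print(client, events)
```

A hit is a lead for triage, not proof of phishing: correlate it with the web traffic the same client generated around that timestamp.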

"The phishing experience feels natural because the landing page perfectly matches what users expect to see," noted researchers at Infoblox. The platform can now automatically translate content into over a dozen languages based on the victim's web profile.

Originally discovered in 2020, the platform has evolved substantially from its early versions, which could imitate only five email brands. The current iteration employs sophisticated evasion tactics, including adtech server redirects and code obfuscation, to avoid detection.

After stealing login credentials, cybercriminals can potentially breach corporate networks and access sensitive data. To appear legitimate, the platform often redirects victims to their real email login page after failed attempts.

The operation has managed to stay under the radar despite sending thousands of spam emails, primarily from servers in the UK and United States. Security experts recommend that organizations strengthen their DNS security controls and limit access to non-essential services to reduce potential attack vectors.

This new threat highlights how cybercriminals continue to develop increasingly sophisticated methods to exploit security vulnerabilities, making it harder for both users and organizations to identify and prevent phishing attacks.