At the core of Morphing Meerkat’s strategy is its use of DNS MX records to detect a victim’s email provider. The platform then serves a custom fake login page, drawn from over 100 spoofed brands, tailored to the user’s specific email service. The pages are selected and delivered dynamically, with the lookups performed over Cloudflare DoH or Google Public DNS, drastically increasing the success rate of credential theft.
Researchers have also uncovered that spam distribution originates from a centralized server network, mostly hosted in the UK and US. The campaign leverages open redirect flaws in trusted ad platforms like DoubleClick and compromised WordPress sites to bypass email security filters.
Since its early days targeting Gmail and Outlook, the platform has rapidly expanded. As of mid-2023, it supports over 114 brand designs and translations in multiple languages, including Chinese, Russian, and Spanish.
Credential harvesting is executed via EmailJS, PHP scripts, AJAX, and even Telegram bot APIs. Anti-analysis measures like keyboard and right-click blocking, code obfuscation, and cloaking techniques make detection difficult, even for seasoned researchers.
Organizations are urged to bolster DNS protections, monitor encrypted DNS traffic, and restrict access to unnecessary services to defend against this evolving threat.
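Detection logic for the encrypted-DNS monitoring recommended above, as an added example that is not from the original report or from any vendor: it flags MX lookups sent to the public DoH resolvers the report names, a query type ordinary browser traffic almost never issues. It assumes a TLS-inspecting proxy that logs full request URLs in a constructed `timestamp client method url` format; the log lines, client addresses and domain names are all constructed.

```python
import base64, re, struct
from urllib.parse import parse_qs, urlparse
DOH_HOSTS = {"cloudflare-dns.com", "dns.google"}  # public DoH resolvers named in the report
MX_QTYPE = 15                                       # DNS record type number for MX
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) \S+ (?P<url>\S+)$")
def parse_wire_question(dns_b64):
    """(qname, qtype) of the first question in a base64url DNS message (RFC 8484 'dns=' form)."""
    try:
        raw = base64.urlsafe_b64decode(dns_b64 + "=" * (-len(dns_b64) % 4))
        pos, labels = 12, []  # skip the fixed 12-byte header, then walk length-prefixed labels
        while raw[pos]:
            labels.append(raw[pos + 1:pos + 1 + raw[pos]].decode("ascii"))
            pos += raw[pos] + 1
        return ".".join(labels), struct.unpack("!H", raw[pos + 1:pos + 3])[0]
    except (ValueError, IndexError, UnicodeDecodeError, struct.error):
        return None, None

def classify(url):
    """(resolver, qname) if url is an MX lookup at a known DoH resolver, else None."""
    p = urlparse(url)
    if p.hostname not in DOH_HOSTS:
        return None
    qs = parse_qs(p.query)
    for t in qs.get("type", []):  # JSON API form: ?name=<domain>&type=MX (or 15)
        if t.lower() == "mx" or t == str(MX_QTYPE):
            return p.hostname, qs.get("name", [""])[0]
    for d in qs.get("dns", []):  # RFC 8484 GET form: ?dns=<base64url wire-format query>
        qname, qtype = parse_wire_question(d)
        if qtype == MX_QTYPE:
            return p.hostname, qname
    return None

def find_doh_mx_lookups(log_text):
    """One finding per proxy log line (ts client method url) that does an MX lookup over DoH."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        hit = classify(m["url"]) if m else None
        if hit:
            findings.append({"ts": m["ts"], "client": m["client"],
                             "resolver": hit[0], "queried_name": hit[1]})
    return findings

# Constructed sample proxy log (not real traffic); the dns= value encodes an MX query for victim-corp.example.
SAMPLE_LOG = """\
2025-01-10T09:12:01Z 10.0.4.21 GET https://dns.google/resolve?name=example.com&type=A
2025-01-10T09:12:03Z 10.0.4.21 GET https://dns.google/resolve?name=victim-corp.example&type=MX
2025-01-10T09:12:04Z 10.0.4.21 GET https://cloudflare-dns.com/dns-query?name=victim-corp.example&type=15
2025-01-10T09:12:06Z 10.0.4.21 GET https://cloudflare-dns.com/dns-query?dns=AAABAAABAAAAAAAAC3ZpY3RpbS1jb3JwB2V4YW1wbGUAAA8AAQ
2025-01-10T09:12:09Z 10.0.4.23 GET https://www.example.org/index.html
"""
```

Queries sent as POST bodies, or to resolvers outside `DOH_HOSTS`, are not seen by this check; extend the host set and add the POST form if your proxy exposes them.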
Source: HackRead
The European Cyber Intelligence Forum is a nonprofit think tank specializing in intelligence and cybersecurity, offering consultancy services to government entities. To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.