Meerkat Phishing: Fake login pages to trusted brands

There are always new forms of phishing attacks to add to your cybersecurity awareness programmes. They’re the thorn in the side of all internet users; but the emergence of phishing-as-a-service (PhaaS) is pushing the potential dangers of phishing to new levels. 

Recently, researchers have discovered a new Morphing Meerkat phishing kit that has been dynamically spoofing the login pages of more than 100 brands. The pages are highly effective, capable of deceiving people who have a solid understanding of the risks of phishing online. 

Why is Morphing Meerkat different?

It’s a comprehensive phishing service that enables threat actors to execute targeted attacks very easily. The kit leverages victims’ domain name system (DNS) and mail exchange (MX) records to identify their email service provider and serve a fake login page that looks like the real one. 

So the login pages don’t just look authentic – they’re also delivered in a way that feels legitimate to cyber-savvy internet users. 

The anatomy of a Meerkat attack 

Like many phishing attempts, a Morphing Meerkat attack starts with initial contact; the victim receives a phishing email which contains a link. 

When they click that link they’re taken through a series of redirects that exploit vulnerabilities in ad tech infrastructure or compromised domains – effectively evading detection. 

The phishing kit queries the MX records of the victim’s email domain, which allows it to identify the email service provider and deliver a customised fake login page. 

And then the victim, satisfied that everything looks legitimate, enters their credentials to login to the trusted site. That information is exfiltrated to the threat actors through channels including email, AJAZ requests, or PHP scripts. 

Morphing Meerkat then redirects the victim to the brand’s legitimate login page – so they just think they entered their credentials incorrectly, and they don’t realise anything nefarious has happened at all. 

It’s a sophisticated phishing platform 

Phishing is no new trick. But Morphing Meerkat stands out in a number of ways: 

• Dynamic content generation: By analysing MX records, the platform can dynamically generate highly convincing phishing pages that look like those of more than 100 brands (including Outlook, Gmail, and Yahoo).
• Multilingual capabilities: The phishing emails and spoofed pages can be translated into multiple languages – including English, Spanish, Russian, and Chinese; opening up a global pool of potential targets.
• Use of DNS over HTTPS (DoH): By employing DoH, Morphing Meerkat conceals its DNS queries within encrypted HTTPS traffic. This means it can evade detection by traditional security tools.
• Anti-analysis measures: The phishing pages leverage techniques to prevent or hinder analysis – such as disabling right-click functionality and keyboard shortcuts like Ctrl+S (save page) and Ctrl+U (view source). These measures complicate efforts by security researchers to dissect and understand the malicious code. ​

Cybersecurity awareness: Stay a step ahead 

Morphing Meerkat is an alarming example of how sophisticated and convincing phishing attacks can be. And as time goes on, advancements in phishing strategies will continue. 

Cybersecurity awareness programs must include education around hard-to-spot PhaaS attacks: 

• Be sceptical of all unsolicited emails. Always exercise caution when you don’t know the sender, especially if the email contains a link or attachment.
• Hover before you click. Hovering over a link allows you to preview the URL. Users should do this to see if the URL contains anything suspicious or doesn’t match the stated destination.
• Leverage email filtering tools. Advanced email security solutions can detect and block some phishing attempts – but it’s important not to assume they’ll block all malicious emails.

Most importantly, all organisations (and ideally all internet users) need to pay attention to developments in phishing tactics and commit to continuous cybersecurity learning. Malicious strategies are changing all the time, so the only way to stay safe is to stay curious: learn from new research about the latest threats, and understand the methods that might be deployed against you.

Join us at Black Hat MEA 2025 to share your perspective and meet potential partners – and shape the future together.