
Users Face New Phishing Threats From Sophisticated Scam Kit
www.forbes.com
A sophisticated phishing operation known as Morphing Meerkat is putting internet users at serious risk. Discovered by cybersecurity researchers at Infoblox, this phishing-as-a-service platform has been quietly active since at least 2020.

At first glance, Morphing Meerkat might appear to be just another spam campaign. But beneath the surface, it leverages cutting-edge tactics that make it far more dangerous and difficult to detect, especially for non-technical individuals.

What sets this campaign apart is its use of DNS-over-HTTPS. This technology allows it to bypass traditional DNS filters and monitoring tools, making it harder for security software to identify the threat. The phishing toolkit also performs live lookups of Mail Exchange records, which tell it what email provider the victim uses. With that information, the platform dynamically generates a login page that looks exactly like what the victim expects, whether it is Gmail, Yahoo, Outlook, or over 110 other commonly used services.

How The Attack Works, And Why It Is So Effective

Morphing Meerkat is a phishing kit designed for scalability, stealth, and ease of use, even for cybercriminals with little technical skill. The actual attack typically begins with a highly convincing email. These messages are crafted to look legitimate and are translated into multiple languages, including English, Spanish, Russian, and Chinese. They often appear to come from widely recognized brands and carry urgent subject lines like "Action Required: Account Deactivation", designed to trigger a quick, emotional reaction.

When a user clicks on the link inside the email, they are taken through a maze of redirects, often via ad networks, compromised WordPress sites, or free hosting platforms. This redirect chain helps the attackers obscure their tracks and bypass browser security warnings.

Eventually, the user lands on a fake login page. At this point, the phishing kit quietly queries the victim's email domain using DNS-over-HTTPS to identify which email provider they use. Once identified, the kit dynamically loads a counterfeit login page tailored to that provider, often with the victim's email address already filled in. The design is nearly indistinguishable from the real thing.

If the user enters their password, the credentials are transmitted to the attackers, sometimes even forwarded in real time using tools like Telegram bots. In some cases, the user is prompted to re-enter their password with an error message such as "Invalid Password! Please enter email correct password", which helps confirm that the stolen information is accurate.

To complete the deception and avoid raising alarms, the user is then redirected to the legitimate login page of their email provider. From their perspective, it simply appears that the login failed the first time, and they continue on as usual, unaware that their credentials have already been compromised.

8 Smart Ways Users Can Avoid Getting Phished

Despite the increasing complexity of phishing attacks, there are practical and effective steps that consumers can take to protect their digital lives:

1. Do Not Rush: Pause Before You Click
Be suspicious of emails that pressure you to act quickly. If you are unsure, visit the website directly instead of clicking a link in an email.

2. Use Multi-Factor Authentication
Always enable MFA on your email, social media, and banking accounts. Even if your password is stolen, MFA can stop attackers from logging in.

3. Install A Password Manager
Password managers prevent you from entering your login credentials on fake websites. They will only autofill your credentials on legitimate domains.

4. Keep Software And Devices Updated
Regular updates patch security vulnerabilities that attackers exploit. Enable automatic updates for your operating system, browser, and antivirus software.

5. Use A Trusted DNS Provider With Filtering
Services like Cloudflare (1.1.1.1 for Families), OpenDNS, or NextDNS provide DNS-level protection and may block known phishing sites.

6. Block DoH On Your Router (If Possible)
Some advanced home routers allow you to block encrypted DNS traffic (DoH), which prevents attackers from hiding their phishing domains from your network.

7. Check URLs Carefully
Phishing sites often use lookalike URLs. Make sure you are visiting the correct domain (e.g., https://accounts.google.com for Gmail).

8. Use Anti-Phishing Browser Extensions
Extensions like uBlock Origin or DuckDuckGo Privacy Essentials can block suspicious scripts and trackers often used in phishing campaigns.
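
A defender-side check for the DNS-over-HTTPS lookups described above, as an added example that is not part of the original article: it scans a web proxy log for pages whose scripts request Mail Exchange records from public DoH JSON endpoints. The log format, sample lines and function names are constructed for illustration, and it assumes the proxy records full URLs and that the lookups go to Google's or Cloudflare's JSON API.

```python
from urllib.parse import urlsplit, parse_qs

# Public DoH JSON endpoints as (host, path); extend for your environment.
DOH_JSON_ENDPOINTS = {
    ("dns.google", "/resolve"),
    ("cloudflare-dns.com", "/dns-query"),
}
MX_TYPES = {"mx", "15"}  # record type given by name or by number

# Constructed sample proxy log (hypothetical format): client, referrer, URL.
SAMPLE_LOG = """\
10.0.0.5\thttps://mail-verify.example.net/login\thttps://dns.google/resolve?name=corp.example&type=MX
10.0.0.5\thttps://mail-verify.example.net/login\thttps://mail-verify.example.net/assets/style.css
10.0.0.9\t-\thttps://cloudflare-dns.com/dns-query?name=www.example.org&type=A
10.0.0.7\thttps://promo.example.com/r?id=1\thttps://cloudflare-dns.com/dns-query?name=user.example&type=15
"""

def is_doh_mx_query(url):
    """True if url is a DoH JSON query asking for an MX record."""
    parts = urlsplit(url)
    if (parts.hostname, parts.path) not in DOH_JSON_ENDPOINTS:
        return False
    types = {t.lower() for t in parse_qs(parts.query).get("type", [])}
    return bool(types & MX_TYPES)

def find_page_driven_mx_lookups(log_text):
    """Return (client, referring host, queried domain) for MX lookups made by a web page."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3:
            continue  # skip malformed lines
        client, referrer, url = fields
        # A referrer means script on a page issued the request, not a resolver.
        if referrer in ("", "-") or not is_doh_mx_query(url):
            continue
        name = parse_qs(urlsplit(url).query).get("name", ["?"])[0]
        hits.append((client, urlsplit(referrer).hostname, name))
    return hits

if __name__ == "__main__":
    for hit in find_page_driven_mx_lookups(SAMPLE_LOG):
        print(hit)
```

Queries sent in the binary DoH wire format carry no readable `type` parameter, so this check covers only the JSON form.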