Prominent Canadian router manufacturer Mercku’s HelpDesk portal has been compromised by threat actors, resulting in MetaMask phishing emails being sent to users in response to newly filed support tickets.
This breach has significant implications for Mercku’s customers and partners. Mercku supplies equipment to various Internet Service Providers (ISPs) across Canada and Europe.
As first reported by BleepingComputer, users submitting support requests through Mercku’s Zendesk portal are receiving phishing emails instead of a legitimate acknowledgement.
The phishing emails, titled ‘Metamask: Mandatory Metamask Account Update Required,’ urge recipients to update their MetaMask accounts within 24 hours to avoid losing access.
MetaMask is a popular cryptocurrency wallet that leverages the Ethereum blockchain. Due to its widespread use, it is a frequent target for phishing and crypto scams.
The link embedded in the phishing emails employs sophisticated URL obfuscation techniques to mislead recipients: it appears to direct users to the legitimate MetaMask website but instead leads to a phishing website.
The URL structure used, such as ‘hxxps://metamask.io@zpr[.]io/x4hFSxCxEqcd,’ exploits the ‘userinfo’ part of the URL syntax defined by the IETF’s specifications. Everything before the ‘@’ is treated as user information, so the host actually contacted is zpr[.]io, not metamask.io. This technique creates the illusion of a legitimate URL, thereby deceiving users into thinking they are connecting to a trusted site. This attack method is known as a ‘semantic attack’ and is a primary weapon in phishing campaigns.
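As an added example (not from the original report), the following Python code flags links whose userinfo part looks like a domain name that differs from the host a client would actually connect to. The function names and the sample message body are constructed for illustration; the first sample link is the defanged URL quoted above, and the code only parses links, it never fetches them.

```python
import re
from urllib.parse import urlsplit, unquote

# Finds http(s) links, including defanged hxxp(s) forms used in threat reports.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s<>\"]+", re.I)
# A string shaped like a hostname: label.label...tld
DOMAIN_LIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def refang(url):
    """Undo common defanging (hxxp, [.]) so the URL can be parsed."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")

def inspect_url(url):
    """Return the real host and a verdict on the userinfo component."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    # Userinfo is everything in the authority before the last '@'.
    userinfo = parts.netloc.rpartition("@")[0]
    result = {"url": url, "host": host, "userinfo": userinfo, "verdict": "ok"}
    if not userinfo:
        return result
    # Decode percent-escapes and drop any ":password" suffix before comparing.
    claimed = unquote(userinfo).split(":", 1)[0].lower()
    if DOMAIN_LIKE.match(claimed) and claimed != host:
        result["verdict"] = "userinfo-impersonates-host"
    else:
        result["verdict"] = "userinfo-present"
    return result

def scan_text(text):
    """Inspect every link in a message body and return the non-ok findings."""
    urls = [u.rstrip(".,;)'") for u in URL_RE.findall(text)]
    return [r for r in map(inspect_url, urls) if r["verdict"] != "ok"]

# Constructed sample body; only the first link comes from the report above.
SAMPLE_BODY = """\
Mandatory account update required within 24 hours:
hxxps://metamask.io@zpr[.]io/x4hFSxCxEqcd
Help centre: https://support.example.com/hc/en-us
Report download: https://alice:secret@files.example.net/report
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_BODY):
        print(finding["verdict"], "| real host:", finding["host"])
```

A mail gateway or ticketing filter can treat the `userinfo-impersonates-host` verdict as high confidence, since legitimate web links rarely carry a domain-shaped userinfo.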

Researchers also note that the phishing links leverage a URL shortener service (zpr[.]io), which redirects users to a malicious site.
Fortunately, as BleepingComputer found, the hosting account for this domain has been suspended, temporarily thwarting further attacks. However, the initial compromise remains a significant concern.
Researchers have notified Mercku of the breach, and the investigation is ongoing. The company has yet to release a statement on how the compromise occurred or what measures are being taken to rectify the situation.
Due to increased internet usage, phishing campaigns have gained traction, especially in developing and less developed countries. The lack of cybersecurity knowledge and end-point security measures has only compounded the problem.
A few weeks ago, it was reported that cybercriminals are exploiting the popularity of the Paris Olympics to lure users via several phishing websites. Also, they are targeting job seekers via a Windows backdoor, dubbed WarmCookie.
Researchers have urged users to avoid using Mercku’s support portal for now and to avoid clicking on any links. Users should also verify the authenticity of the URL before heading to the websites.