Cyber Incident Victim: Mercku
Date: Jun 2024
Location: Canada
Summary
Mercku's support portal was compromised, automatically replying to user tickets with phishing emails disguised as MetaMask security updates. The messages contained deceptive URLs exploiting the 'userinfo' field to mimic legitimacy, redirecting to a fraudulent site via a shortened link. Although the attack targeted customers of various Canadian and European ISPs distributing Mercku's routers, the final phishing page was suspended, halting further exploitation. The incident highlights abuse of URL standards to mislead users into believing they accessed authentic services.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In June 2024, router manufacturer Mercku experienced a compromise of its Zendesk-based customer support portal, leading to automated phishing responses being sent to users submitting new support tickets. The Canadian company, which supplies networking equipment to ISPs including Start.ca, FibreStream, Innsys, RealNett, Orion Telekom, and Kelcom across Canada and Europe, had its system configured to immediately reply to ticket submissions with a fraudulent email titled "Metamask: Mandatory Metamask Account Update Required." This message falsely claimed MetaMask had enhanced its database and firewall security, requiring recipients to update their cryptocurrency wallet accounts within 24 hours to avoid access loss. The phishing email contained a malicious link structured as hxxps://metamask.io:login@zpr[.]io/x4hFSxCxEqcd, which abused the URI userinfo field to create a false appearance of legitimacy by placing "metamask.io" before the "@" symbol while actually directing users to the zpr.io URL shortener. BleepingComputer independently verified the compromise by submitting a test ticket and receiving the phishing response, confirming the automated nature of the attack.

The attack abused the userinfo component that RFC 3986 allows in a URI's authority (user:password@host) to mislead recipients: the host a browser actually contacts is whatever follows the "@", so the "metamask.io" prefix was cosmetic. The final destination, matjercasa.youcan[.]store, was inactive at the time of analysis because its hosting account had been suspended. Mercku's support portal compromise directly impacted customers and reseller partners across the countries where the company operates offices, including Canada, China, Germany, and Pakistan. The phishing campaign specifically targeted MetaMask users, leveraging the wallet service's popularity among cryptocurrency holders to increase click-through likelihood. While the suspended destination domain prevented further exploitation during BleepingComputer's investigation, the incident exposed weaknesses in Mercku's support infrastructure and necessitated public warnings advising against portal use. Security researchers notified Mercku's support and press teams about the compromise, though no details regarding containment measures or root cause analysis were publicly available at the time of reporting.
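The userinfo trick described above is straightforward to detect once a link is split into its RFC 3986 components rather than read by eye. The following Python is an added example, not part of the incident record or of any Mercku or BleepingComputer tooling: it uses only the standard library, takes the reported link in the same defanged notation the record uses, and flags any link whose authority carries a userinfo part, noting when that part impersonates a brand. The brand watch-list and the `.example` links are constructed for the demonstration.

```python
"""Flag RFC 3986 userinfo abuse in links (the brand-before-@ pattern).

Added example for this incident record; not the vendor's or the reporter's code.
Only urllib.parse is used, so it runs offline.
"""
from urllib.parse import urlsplit

# Brands whose name appearing in a URL's userinfo is a strong phishing signal.
# Constructed watch-list for this example; tailor it to your own environment.
BRAND_WATCHLIST = {"metamask.io", "paypal.com", "microsoft.com"}

# Sample links (constructed, except the first, which is the link from the
# record in the defanged form the record itself uses).
SAMPLE_LINKS = [
    "hxxps://metamask.io:login@zpr[.]io/x4hFSxCxEqcd",
    "https://support.example/hc/en-us/articles/123",   # ordinary vendor link
    "https://user:pw@files.example/report.pdf",        # basic-auth style link
]


def refang(url: str) -> str:
    """Turn analyst defanging (hxxps://, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def inspect_link(url: str) -> dict:
    """Split a link and report where a browser would actually send the user.

    Per RFC 3986 the userinfo is everything before the last '@' in the
    authority; the host that is contacted is what follows it. urlsplit
    applies exactly that rule, so parts.hostname is the real destination.
    """
    parts = urlsplit(refang(url))
    netloc = parts.netloc
    userinfo = netloc.rpartition("@")[0] if "@" in netloc else ""
    host = (parts.hostname or "").lower()
    user = (parts.username or "").lower()

    reasons = []
    if userinfo:
        reasons.append("userinfo present in authority")
        if user in BRAND_WATCHLIST:
            reasons.append(f"userinfo impersonates {user}")
        elif "." in user:
            reasons.append("userinfo looks like a hostname")

    return {
        "url": url,
        "host": host,          # what the browser connects to
        "userinfo": userinfo,  # what the reader is meant to notice instead
        "path": parts.path,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def scan(links):
    """Return the inspection records for every link that carries userinfo."""
    return [r for r in (inspect_link(u) for u in links) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINKS):
        print(f"{hit['url']}\n  real host: {hit['host']}\n  userinfo:  {hit['userinfo']}")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

Run as a mail-gateway or ticket-ingest filter, this would have flagged the reported link on both counts (userinfo present, and that userinfo naming a watched brand) while the genuine support link passes; the plain basic-auth link is also flagged, which is the right default for links arriving in customer-facing mail.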
