
Mercku

Primary URL: merku[.]com
Location: Canada
Industry: Telecommunications
Profile

Mercku, identified also by its alias, is a company whose headquarters are located in Canada. The firm’s primary business revolves around the design, manufacture, and distribution of routers that enable broadband connectivity for end‑users. These routers convert incoming optical or electrical signals from an Internet service provider’s network into Wi‑Fi or Ethernet signals usable by computers, smartphones, and other devices. Mercku’s products are not sold directly to consumers; instead, they are supplied to Internet service providers that operate in Canada and across several European countries, who then integrate the hardware into their own service offerings. By focusing on the ISP channel, Mercku positions itself as a provider of carrier‑grade networking equipment that emphasizes stability, ease of installation, and compatibility with a range of provider‑specific configurations. In addition to hardware, the company maintains an online support portal where customers can submit tickets, request firmware updates, and obtain troubleshooting assistance for the routers they have deployed. This portal serves as a critical touchpoint for both the ISPs that purchase the equipment and the end‑users who rely on the service for daily internet access.

On June 1, 2024, Mercku’s support portal experienced a security breach that allowed attackers to hijack its automated ticket‑reply system. The compromised system began sending out messages that appeared to be legitimate responses to user inquiries, but the content was actually a phishing lure crafted to resemble a security update from the MetaMask cryptocurrency wallet. Each phishing email contained a URL that abused the ‘userinfo’ sub‑component of the web address format, a technique that can make a link look trustworthy while actually pointing to a different host. The URLs were further shortened through a link‑shortening service, obscuring the true destination and increasing the likelihood that recipients would click without scrutiny. When followed, the links redirected users to a counterfeit website designed to harvest login credentials, seed phrases, or other sensitive information associated with MetaMask accounts. The campaign specifically targeted individuals who were customers of the Canadian and European ISPs that distribute Mercku’s routers, exploiting the trust relationship between those users and their service providers. Shortly after the malicious page was identified, it was taken down by the hosting provider, which halted any further credential‑theft attempts stemming from this particular incident. The episode illustrates how attackers can manipulate URL standards and trusted communication channels to deceive users, underscoring the necessity for organizations to secure automated response mechanisms, monitor for unauthorized outbound messages, and educate customers about verifying the authenticity of security‑related communications.
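A defender-side check for the link pattern described above, added here as an illustration and not taken from Mercku or from the incident itself: it scans the text of an outbound auto-reply for URLs that carry a userinfo component or point at a link shortener, and reports the host a browser would actually contact. The shortener name, sample message and function name are constructed assumptions; the page does not name the shortening service used.

```python
import re
from urllib.parse import urlsplit, unquote

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
# Hypothetical shortener host; the service used in the incident is not named.
SHORTENERS = {"short.example"}

def audit_links(body):
    """Return one finding per URL in `body` that obscures its real destination."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;")              # drop sentence punctuation
        try:
            parts = urlsplit(url)
        except ValueError:                   # e.g. malformed IPv6 literal
            findings.append({"url": url, "host": None, "decoy": None,
                             "reasons": ["unparseable"]})
            continue
        host = (parts.hostname or "").lower()
        reasons, decoy = [], None
        if "@" in parts.netloc:
            # Everything before the last '@' is userinfo, never the host.
            decoy = unquote(parts.netloc.rpartition("@")[0])
            reasons.append("userinfo")
            if "." in decoy:                 # userinfo dressed up as a domain
                reasons.append("userinfo-looks-like-host")
        if host in SHORTENERS:
            reasons.append("shortener")
        if reasons:
            findings.append({"url": url, "host": host, "decoy": decoy,
                             "reasons": reasons})
    return findings

# Constructed sample of an auto-reply body, not text from the real campaign.
SAMPLE = ("Your ticket has been received. Apply the security update: "
          "https://metamask.io@short.example/a1b2 or read "
          "https://support.example.net/kb/42. "
          "Mirror: https://metamask%2Eio@203.0.113.7/login "
          "Profile: https://example.org/users/@bob")

if __name__ == "__main__":
    for f in audit_links(SAMPLE):
        print(f["reasons"], "shown:", f["decoy"], "actual host:", f["host"])
```

Run against a queue of outgoing ticket replies, any finding is a reason to hold the message, since a support auto-responder has no legitimate need to send links that contain userinfo.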

Incidents
1 incident