Mercku’s support portal has been compromised, leading to MetaMask phishing emails being sent in response to support tickets. BleepingComputer has confirmed that users submitting tickets receive emails asking them to “update” their MetaMask account, which is actually a phishing attempt designed to steal account credentials. The phishing emails use a misleading URL structure to trick users into believing they are interacting with MetaMask’s legitimate site.
The emails, which claim a mandatory update is required to prevent account loss, contain a URL that appears to lead to MetaMask but actually directs users to a phishing site. This URL manipulation exploits the “userinfo” component of URI syntax: anything placed between the scheme and an “@” is treated as login information rather than as the host, so the real destination is whatever follows the “@”. This creates a deceptive appearance of legitimacy. Clicking the link leads to further redirection through URL shorteners to a potentially harmful site.
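A mail filter or ticketing system can flag this pattern by parsing each link and comparing the text before the “@” with the host that follows it. The following is an added example, not code from Mercku, MetaMask or the original report; the function names and the sample message, with its `wallet.example` and `landing.example.net` hosts, are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Rough URL matcher for message bodies; stops at whitespace, quotes and brackets.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# A userinfo value shaped like a hostname is a strong sign of a decoy.
DOMAIN_LIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def inspect_url(url):
    """Return a finding dict if the URL carries a userinfo part, else None."""
    parts = urlsplit(url)
    # Only an "@" inside the authority counts; one in the path or query is harmless.
    if "@" not in parts.netloc:
        return None
    userinfo = parts.netloc.rpartition("@")[0]
    decoy = unquote(userinfo.split(":", 1)[0])  # drop any ":password" part
    return {
        "url": url,
        "shown_as": decoy,            # what the reader sees first
        "real_host": parts.hostname,  # where the client actually connects
        "decoy_looks_like_domain": bool(DOMAIN_LIKE.match(decoy)),
    }


def scan_message(body):
    """Collect findings for every link in a message body."""
    findings = []
    for match in URL_RE.finditer(body):
        finding = inspect_url(match.group(0).rstrip(".,)"))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample message; the hosts are placeholders, not real indicators.
SAMPLE = """Dear customer, a mandatory update is required.
Update here: https://wallet.example@landing.example.net/update
Docs: https://wallet.example/help?contact=support@wallet.example
"""

if __name__ == "__main__":
    for f in scan_message(SAMPLE):
        print(f"{f['url']}: shown as {f['shown_as']}, connects to {f['real_host']}")
```

Links with any userinfo are rare in legitimate mail, so a filter can reasonably quarantine every finding and treat `decoy_looks_like_domain` as the higher-severity case.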
Mercku, a router manufacturer with global operations, has been targeted by attackers using SEO poisoning to distribute these phishing emails. The company provides equipment to various ISPs and has offices in Canada, China, Germany, and Pakistan. Users should be cautious and avoid interacting with any communications from Mercku’s support portal.
Security researchers have identified and documented these phishing techniques, including the abuse of URL schemes to deceive users. The final destination of the phishing link was recently suspended, but users are advised to remain vigilant and avoid engaging with suspicious support communications from Mercku.