Mercku’s Zendesk-based support portal appears to have been compromised: newly submitted tickets receive auto-reply emails that are MetaMask phishing lures. The link in the lure uses a decoy userinfo prefix (metamask.io:login@) in front of the real host, redirects through zpr.io to a page on youcan.store, and aims to harvest MetaMask credentials; the youcan.store page was later found suspended. #Mercku #MetaMask #Zendesk #zprio #youcanstore
Keypoints
- BleepingComputer verified that Mercku’s Zendesk/portal auto-responds to support tickets with MetaMask phishing emails.
- The phishing email subject is “Metamask: Mandatory Metamask Account Update Required”, and the body instructs recipients to update their MetaMask account within 24 hours.
- The message is framed as a security update and claims the account will become inaccessible if the update is not performed.
- The phishing link abuses the RFC 3986 userinfo subcomponent to impersonate MetaMask: in metamask.io:login@zpr[.]io/… everything before the @ is a username:password pair, and the host actually contacted is zpr[.]io.
- RFC 3986 Section 7.6 describes this exact pattern as a semantic attack: the rarely used userinfo field appears before the host, so a human reads the trusted name and misses the real authority.
- The zpr.io link redirects to a page hosted on youcan.store; that page was later found suspended, which cuts the chain off before credentials can be collected.
- Mercku customers are advised to avoid the compromised portal and ignore communications originating from it.
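The parsing rule behind the userinfo keypoints above, as an added example written for this page (it is not code from the article, BleepingComputer, Mercku or MetaMask). It uses Python's standard-library urllib.parse to split the reported link into its userinfo and host, the way an HTTP client would, and adds a small check that flags any URL whose username part is shaped like a domain name. The observed URL is the one quoted in the article; the two comparison URLs at the bottom are constructed for the example.

```python
"""Added example: show which host an RFC 3986 userinfo-style URL really
points at, and flag URLs whose userinfo is shaped like a domain name."""
import re
from urllib.parse import urlsplit

# Defanged link as reported in the article; refanged before parsing.
OBSERVED_URL = "hxxps://metamask.io:login@zpr[.]io/x4hFSxCxEqcd"


def refang(url: str) -> str:
    """Undo common defanging so the URL parses: hxxp -> http, [.] -> ."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")


def authority_parts(url: str) -> dict:
    """Decompose the URL as a client would: userinfo is credentials, not a host."""
    s = urlsplit(refang(url))
    return {
        "scheme": s.scheme,
        "username": s.username,  # decoy text before ':' (here 'metamask.io')
        "password": s.password,  # decoy text after ':' and before '@'
        "host": s.hostname,      # the authority actually connected to
        "path": s.path,
    }


# Crude "looks like a hostname" shape: two or more dot-separated labels.
_HOST_SHAPED = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def userinfo_masquerade(url: str) -> bool:
    """True when the userinfo subcomponent carries a domain-shaped string,
    i.e. the link is trying to pass itself off as a different site.
    Ordinary credentials (user:pass@host) are not flagged."""
    parts = authority_parts(url)
    username = parts["username"]
    if not username:
        return False
    return bool(_HOST_SHAPED.match(username)) and username.lower() != parts["host"]


if __name__ == "__main__":
    p = authority_parts(OBSERVED_URL)
    print(f"connects to: {p['host']}  decoy userinfo: {p['username']}:{p['password']}")
    print("masquerade:", userinfo_masquerade(OBSERVED_URL))
    # Constructed comparison inputs: a real MetaMask URL and plain credentials.
    print("legit metamask.io:", userinfo_masquerade("https://metamask.io/"))
    print("plain credentials:", userinfo_masquerade("https://alice:secret@example.com/"))
```

Once the page loads, the address bar shows only the real host, so the decoy works in the email body, in hover text and in log lines, not in the browser; mail-gateway and proxy rules that key on the hostname should therefore match on zpr.io, never on the userinfo string.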
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The phishing emails are sent from Mercku’s Zendesk support portal, so the portal itself is the compromised asset. How it was taken over is not established; the mapping assumes the public-facing portal was exploited. ‘Support requests submitted to router manufacturer, Mercku are being auto-responded to with phishing emails.’
- [T1566.002] Phishing: Spearphishing Link – The automated replies carry a link and instruct recipients to ‘update your Metamask account’ within the next 24 hours.
- [T1036] Masquerading – The phishing URL abuses the userinfo subcomponent so the visible start of the link reads as metamask.io while the real host is zpr.io. RFC 3986, Section 7.6: ‘Because the userinfo subcomponent is rarely used and appears before the host in the authority component, it can be used to construct a URI intended to mislead a human user by appearing to identify one (trusted) naming authority while actually identifying a different authority hidden behind the noise.’
Indicators of Compromise
- [Domain] zpr[.]io, youcan[.]store – Redirect and landing domains in the phishing chain. metamask.io also appears in the link, but only as the decoy userinfo string; it is the legitimate MetaMask domain and must not be blocked or treated as an indicator.
- [URL] hxxps://metamask.io:login@zpr[.]io/x4hFSxCxEqcd – The phishing link as it appears in the email; zpr[.]io/x4hFSxCxEqcd – The same link with the decoy userinfo stripped, i.e. the URL actually requested.