BleepingComputer reports that the helpdesk portal of Mercku, a Canadian multinational wireless networking equipment manufacturer, has been responding to newly filed support tickets with MetaMask phishing emails following an apparent cyberattack.
Submission of a ticket via the portal is immediately followed by the delivery of an email with the subject "Metamask: Mandatory Metamask Account Update Required," which urges recipients to amend information on their MetaMask cryptocurrency wallet accounts within the next 24 hours to prevent losing account access. The email includes a phishing link that contains "metamask.io" but redirects to a zpr[.]io service by exploiting the userinfo part of the URI scheme.
Another redirection to "hxxps://matjercasa.youcan[.]store" is conducted by the zpr[.]io service, although intrusions have been averted following the suspension of the hosting account of the former, according to BleepingComputer.
Such a development should prompt organizations served by Mercku to avoid the firm's support portal, as well as emails from the portal.
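The userinfo trick described above puts a trusted-looking name before the "@" while the client connects to the host after it. As an added example (not from BleepingComputer or the original brief), this Python check flags links in a message body whose userinfo looks like a domain; the sample body and the redirector.example and git.example hosts are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Userinfo shaped like a hostname (label.label.tld) is the deceptive case.
DOMAIN_LIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def inspect_url(url):
    """Return a finding for a URL that carries userinfo, else None."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        user = parts.username
    except ValueError:          # malformed authority, e.g. bad IPv6 brackets
        return None
    if user is None or host is None:
        return None
    user = unquote(user)        # metamask%2Eio decodes to metamask.io
    return {
        "url": url,
        "userinfo": user,
        "real_host": host,      # what the client actually connects to
        "deceptive": bool(DOMAIN_LIKE.match(user)) and user.lower() != host,
    }

def scan_text(text):
    """Inspect every http(s) URL in a message body."""
    return [f for f in map(inspect_url, URL_RE.findall(text)) if f]

# Constructed sample body; redirector.example and git.example are placeholders.
SAMPLE = """\
Update your wallet: https://metamask.io@redirector.example/update
Encoded variant: https://metamask%2Eio:443@redirector.example/u
Official site: https://metamask.io/download
CI remote: https://svc:token@git.example/repo.git
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f)
```

Findings with `deceptive` set are the ones to quarantine or rewrite at the mail gateway; plain credentials in userinfo are reported but not treated as spoofing.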