Namecheap’s email account was breached on Sunday evening and used to send phishing emails to Namecheap customers in an attempt to steal sensitive information.
The unknown threat actor used DHL and MetaMask themes to harvest data, including customers’ cryptocurrency wallet keys and other sensitive information. Namecheap disabled the compromised email account and said it is investigating the incident.
Exploiting Namecheap’s Email Account
Since yesterday, several Namecheap users have complained about receiving suspicious emails from the service asking for sensitive details. Namecheap CEO Richard Kirkendall later confirmed in a tweet that the emails stem from a hacking incident.
Recipients noted that the suspicious emails were sent through SendGrid, an email delivery service Namecheap uses for transactional and marketing emails to its customers. The attackers who gained access to Namecheap’s email account used it to send phishing emails to those customers, asking for sensitive data.
Beware of phishing emails coming out of @Namecheap’s @SendGrid account. DHL, MetaMask, digitally signed with DKIM. Looks like low level hackers were able to get into their systems. PII looks to be exposed. pic.twitter.com/IuLE8mo2w6
— Kathy Zant (@kathyzant) February 12, 2023
Most recipients reported emails with either a DHL or a MetaMask theme. The DHL variant asks users to fill in personal details under the pretext of a delivery fee for a package; the MetaMask variant asks for the private key of their cryptocurrency wallet.
The MetaMask lure claims that a pending KYC (Know Your Customer) verification must be completed to prevent the wallet from being suspended. The email contains a Namecheap marketing link (https://links.namecheap.com/) that redirects the user to a phishing page impersonating MetaMask. On arrival, the page asks the user to enter their ‘Secret Recovery Phrase’ or ‘Private key’ to process the request. Because the messages left Namecheap’s real sending account and carry its DKIM signature, email authentication checks pass, and the tracked link on a Namecheap domain hides the phishing destination until the redirect.
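A triage heuristic for this kind of phish, as an added example that is not part of the original article and not code from Namecheap or SendGrid: because the mail is DKIM-signed by the hijacked sender’s real domain and its call-to-action link is a click-tracking URL on that same domain, a check of “does DKIM pass” or “is the link on the sender’s domain” clears nothing. What does stand out is the mismatch between the brand the message displays (MetaMask, DHL) and the domain that actually authenticated, combined with a request for a recovery phrase or private key. The sample messages, addresses, DKIM selector, tracking token and the brand allowlist below are constructed assumptions, not the real emails.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample, modelled on the campaign in the article: DKIM passes for
# namecheap.com because the mail really left Namecheap's sending account, the
# branding is MetaMask, and the call to action is a namecheap.com tracking link.
# Addresses, selector and token are assumptions, not the real message.
PHISH_EMAIL = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=namecheap.com "
    "header.s=s1; spf=pass smtp.mailfrom=bounces.namecheap.com\n"
    "From: MetaMask <noreply@namecheap.com>\n"
    "To: victim@example.net\n"
    "Subject: Action required: complete your KYC verification\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Your MetaMask wallet will be suspended unless KYC verification is completed.\n"
    "Verify now: https://links.namecheap.com/ls/click?upn=EXAMPLETOKEN\n"
    "You will be asked for your Secret Recovery Phrase to finish the process.\n"
)

# Constructed control: a legitimate notice that uses the same tracking domain.
LEGIT_EMAIL = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=namecheap.com header.s=s1\n"
    "From: Namecheap <support@namecheap.com>\n"
    "Subject: Your domain renews in 30 days\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Renew at https://links.namecheap.com/ls/click?upn=EXAMPLETOKEN2 if you have not.\n"
)

# Brands seen in the campaign and the domains that legitimately send for them
# (assumption: a short allowlist a SOC would maintain and extend).
BRAND_DOMAINS: Dict[str, tuple] = {
    "metamask": ("metamask.io",),
    "dhl": ("dhl.com",),
}

# Things no legitimate service asks for by email.
CREDENTIAL_PROMPTS = ("secret recovery phrase", "seed phrase", "private key")


def same_org(host: str, domain: str) -> bool:
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def dkim_pass_domain(msg: Message) -> Optional[str]:
    """Domain (header.d) that a passing DKIM signature vouches for, if any."""
    hdr = " ".join(msg.get_all("Authentication-Results", []))
    m = re.search(r"dkim=pass\b[^;]*?\bheader\.d=([A-Za-z0-9.-]+)", hdr)
    return m.group(1).lower() if m else None


def message_text(msg: Message) -> str:
    """Concatenate every text part (works for single-part and multipart mail)."""
    parts: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage(raw_message: str) -> Dict[str, object]:
    msg = message_from_string(raw_message)
    text = message_text(msg)
    haystack = " ".join([msg.get("From", ""), msg.get("Subject", ""), text])
    signer = dkim_pass_domain(msg)
    brands = [b for b in BRAND_DOMAINS if re.search(rf"\b{b}\b", haystack, re.I)]
    links = re.findall(r"https?://[^\s<>\"')\]]+", text)

    # Core signal: authenticated for a domain that has no business sending
    # on behalf of the brand the message displays.
    mismatch = signer is not None and any(
        not any(same_org(signer, d) for d in BRAND_DOMAINS[b]) for b in brands
    )
    # Tracked links on the signer's own domain look "internal" but redirect
    # elsewhere, so a link-domain check cannot clear the message.
    tracked = sum(
        1 for u in links if signer and same_org(urlparse(u).hostname or "", signer)
    )
    prompt = any(p in text.lower() for p in CREDENTIAL_PROMPTS)
    verdict = "phishing" if mismatch and prompt else "suspicious" if mismatch or prompt else "clean"
    return {
        "dkim_domain": signer,
        "brands": brands,
        "brand_domain_mismatch": mismatch,
        "tracked_links_on_signer_domain": tracked,
        "credential_prompt": prompt,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, triage(raw))
```

The first message comes out as phishing while the renewal notice, which also passes DKIM for namecheap.com and carries a links.namecheap.com tracking link, comes out clean. The script cannot follow the redirect offline; in a real pipeline you would resolve the tracking link in a sandbox and compare the final landing domain against the brand allowlist as well.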
Kirkendall said they believe the breach may be related to a December report by CloudSEK, which found API keys for Mailgun, MailChimp, and SendGrid exposed in mobile apps. However, when BleepingComputer asked Twilio (SendGrid’s parent company), it denied this possibility and stated that the incident was not the result of a hack or compromise of its systems. Instead, Twilio encouraged customers to protect their accounts with measures such as 2FA and IP address-based access restrictions.
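The CloudSEK finding Kirkendall referred to was API keys for email providers embedded in mobile apps. As an added example (not code from CloudSEK, Twilio or the article), the scanner below runs the key-shape patterns that common secret scanners use for SendGrid, Mailgun and MailChimp over a strings dump of an app bundle. The dump and every key in it are constructed and synthetic, and the patterns are approximations of the formats as understood in early 2023, so confirm them against current vendor documentation before relying on them.

```python
import re
from typing import Dict, List

# Approximate key shapes used by common secret scanners for the three ESPs the
# CloudSEK report covered (assumption: formats as of early 2023; vendors change
# them, so treat these as a starting point, not ground truth).
ESP_KEY_PATTERNS = {
    "sendgrid": re.compile(r"\bSG\.[A-Za-z0-9_-]{20,24}\.[A-Za-z0-9_-]{39,50}\b"),
    "mailgun": re.compile(r"\bkey-[0-9a-f]{32}\b"),
    "mailchimp": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
}

# Constructed `strings`-style dump of a mobile app bundle. Every key here is
# synthetic and only mimics the shape of a real one.
SAMPLE_STRINGS = """\
okhttp3/OkHttpClient
https://api.sendgrid.com/v3/mail/send
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
Authorization: Basic YXBpOmtleS0wMTIz
key-0a1b2c3d4e5f60718293a4b5c6d7e8f9
https://us21.api.mailchimp.com/3.0/
f9e8d7c6b5a4938271605f4e3d2c1b0a-us21
SG.notakey.too_short
"""


def redact(secret: str) -> str:
    """Keep enough of the key to identify it in a ticket without reproducing it."""
    return secret[:6] + "..." + secret[-4:] if len(secret) > 12 else "***"


def find_esp_keys(blob: str) -> List[Dict[str, object]]:
    """Return every ESP key-shaped token in `blob`, in order of appearance."""
    hits: List[Dict[str, object]] = []
    for vendor, pattern in ESP_KEY_PATTERNS.items():
        for m in pattern.finditer(blob):
            line = blob.count("\n", 0, m.start()) + 1
            hits.append({"vendor": vendor, "line": line, "redacted": redact(m.group(0))})
    return sorted(hits, key=lambda h: h["line"])


if __name__ == "__main__":
    for hit in find_esp_keys(SAMPLE_STRINGS):
        # A hit is a key that is already public: rotate it, then lock down the new one.
        print(f"line {hit['line']}: {hit['vendor']} key {hit['redacted']} -> rotate")
```

Any hit is a key to treat as already public: rotate it immediately, recreate the replacement with the narrowest permissions the provider allows, and, as Twilio suggests, bind it to known IP ranges and put 2FA on the account, so a key that leaks again cannot be used from an attacker’s infrastructure to send under your domain.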