Domain registrar Namecheap’s email account was compromised last weekend and used to send a flurry of phishing emails, posing as MetaMask and DHL, to its customers. The attackers were after recipients’ personal information and the cryptocurrency held in their wallets.
See also our earlier coverage: IceBreaker Backdoor Emerged, Exploiting New Phishing Way, and Why Phishing is Still the Most Common Cyber Attack?
Media have also reported that Meta has sued the operators of 39,000 phishing sites.
The phishing emails went out through SendGrid, the email platform Namecheap uses to send notifications and marketing emails.
After recipients began complaining about the strange emails on Twitter, Namecheap CEO Richard Kirkendall confirmed that the company’s account had been compromised and that sending mail via SendGrid had been disabled while the investigation was underway. The tweet was later deleted.
Kirkendall also wrote that, according to Namecheap’s own analysis, the attack could be related to a recent CloudSek report in which researchers warned that Mailgun, MailChimp and SendGrid API keys were being shipped hard-coded inside mobile applications. A key of that kind can be pulled out of the app bundle by anyone who downloads it, and it lets the holder send mail from the account owner’s verified domains, so the messages pass the owner’s own SPF and DKIM checks.
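The check a practitioner would want after reading about the CloudSek report is a quick scan of decoded app assets for exactly these keys. The following scanner is an added example, not code from the article or from CloudSek, Namecheap or SendGrid; the key-shape regexes are assumptions drawn from the providers’ publicly visible key layouts (the same shapes general secret scanners look for), and the sample resource file and every key in it are constructed and synthetic.

```python
import re

# Key formats for the three providers named in the CloudSek report. These
# patterns are assumptions drawn from the providers' publicly visible key
# layouts; check them against current documentation before relying on them.
KEY_PATTERNS = {
    # SendGrid: "SG." + 22 URL-safe base64 chars + "." + 43 URL-safe base64 chars
    "sendgrid": re.compile(
        r"(?<![A-Za-z0-9_-])SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])"),
    # Mailgun (legacy private API keys): "key-" + 32 hex chars
    "mailgun": re.compile(r"(?<![A-Za-z0-9_-])key-[0-9a-f]{32}(?![A-Za-z0-9_-])"),
    # Mailchimp: 32 hex chars + "-" + data-centre suffix (us1 ... us21)
    "mailchimp": re.compile(r"(?<![A-Za-z0-9_-])[0-9a-f]{32}-us[0-9]{1,2}(?![A-Za-z0-9_-])"),
}


def redact(secret: str) -> str:
    """Keep enough of the key to locate it in the source, never the whole value."""
    return f"{secret[:6]}...{secret[-4:]}"


def scan_for_mail_api_keys(text: str) -> list[dict]:
    """Return every probable mail-provider API key in `text`, ordered by position.

    `text` is any decoded app asset: strings.xml from an apktool run, a bundled
    JavaScript file, `strings` output from classes.dex, a plist, or an .env file
    that was packaged by mistake.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for provider, pattern in KEY_PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append({"line": lineno, "col": m.start(),
                             "provider": provider, "redacted": redact(m.group(0))})
    hits.sort(key=lambda h: (h["line"], h["col"]))
    return hits


# Constructed sample resembling decoded Android resources; every key below is
# synthetic and has the right shape only, not a real credential.
SAMPLE_APP_STRINGS = """\
<string name="app_name">ShopDemo</string>
<string name="sendgrid_key">SG.aBcDeFgHiJkLmNoPqRsTuV.0123456789abcdefghijklmnopqrstuvwxyzABCDEFG</string>
<string name="build_hash">d41d8cd98f00b204e9800998ecf8427e</string>
<string name="mailgun_key">key-0123456789abcdef0123456789abcdef</string>
<string name="not_a_key">SG.notakey</string>
<string name="mailchimp_key">fedcba9876543210fedcba9876543210-us21</string>
"""

if __name__ == "__main__":
    for hit in scan_for_mail_api_keys(SAMPLE_APP_STRINGS):
        print(f"line {hit['line']}: {hit['provider']} key {hit['redacted']}")
```

The bare 32-hex `build_hash` and the truncated `SG.notakey` are there as decoys: a scanner that matches on prefix alone drowns in false positives, so each pattern pins the full length and refuses to match inside a longer token. Run it over the whole decoded bundle, then revoke and rotate anything it finds rather than just removing the string from the next build.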
The phishing emails were disguised as notifications from DHL or MetaMask. The fake DHL emails claimed to carry a shipping invoice that had to be paid before the package could be delivered; the embedded links led to a phishing page that harvested the victim’s details.
The fake MetaMask email imitated a KYC (Know Your Customer) verification request and warned that the wallet would otherwise be suspended.
The link in these emails went through Namecheap’s own click-tracking domain (https://links.namecheap.com/), so it looked legitimate, but it redirected victims to a phishing page posing as the MetaMask website, where they were prompted to enter their seed phrase or private key. Because the tracking domain belongs to the genuine sender, the visible link gives no hint of the real destination; only following the redirect does.
Namecheap later released an official statement saying that its own systems were not breached and that the problem lay with an unnamed third-party system the registrar uses to send email.
Although Namecheap did not name the upstream system, its CEO had already confirmed on Twitter that the company uses SendGrid, and the headers of the phishing emails showed the same.
Twilio SendGrid, for its part, told Bleeping Computer that the incident did not involve any hack or compromise of its own systems.