Cyber Security News

Namecheap Emails Hacked To Send Phishing Email

The email account of domain registrar Namecheap was compromised which led to a flood of DHL and MetaMask phishing emails that sought to steal the victims’ personal information and cryptocurrency wallets.

Reports say the phishing attacks began at 4:30 PM ET and came from SendGrid, a company that Namecheap has previously utilized to send renewal notices and promotional emails.

Following complaints from customers on Twitter, Namecheap CEO Richard Kirkendall acknowledged that the account had been compromised and blocked email through SendGrid while they looked into the situation.

Namecheap Emails Hacked To Send Phishing Email

The phishing emails received appear as either MetaMask or DHL. The DHL phishing email poses as a bill for a delivery fee necessary to finish a package’s delivery. 

It is been noticed that the embedded links take users to a phishing page that tries to steal their personal data.

The MetaMask phishing email, which purports to be a necessary KYC (Know Your Customer) verification to avoid the wallet from being suspended, was sent to BleepingComputer.

MetaMask phishing email from Namecheap

“We are writing to inform you that in order to continue using our wallet service, it is important to obtain KYC (Know Your Customer) verification. KYC verification helps us to ensure that we are providing our services to legitimate customers,” a phishing email from MetaMask reads.

“By completing KYC verification, you will be able to securely store, withdraw, and transfer funds without any interruptions. It also helps us to protect you against financial fraud and other security threats.”

“We urge you to complete KYC verification as soon as possible to avoid suspension of your wallet.”

A promotional link from Namecheap (https://links[.] in this email takes users to a phishing page impersonating MetaMask. Notably, the user is prompted to enter their “Private key” or “Secret Recovery Phrase” on this page.

MetaMask phishing page

Threat actors can import the wallet to their own devices and take all the funds and assets once a user gives either the recovery phrase or the private key.

Thus, if you received a Namecheap phishing email tonight that purports to be from DHL or MetaMask, delete it right away and avoid clicking any links. 

In a statement made on Sunday night, Namecheap claimed that there had not been a breach of their systems, but rather that there had been a problem with an email system they use upstream.

“We have evidence that the upstream system we use for sending emails (third-party) is involved in the mailing of unsolicited emails to our clients. As a result, some unauthorized emails might have been received by you,” Namecheap

“We would like to assure you that Namecheap’s own systems were not breached, and your products, accounts, and personal information remain secure.”

Namecheap claims to have stopped all emails, including those used to provide two-factor authentication codes, verify trusted devices, and reset passwords and has started an investigation into the attack with their upstream provider. 

Reports say at 7:08 PM EST later that evening, services were resumed. The CEO of Namecheap earlier tweeted that they were utilizing SendGrid, which is also confirmed in the mail headers of the phishing emails. Namecheap did not specify the name of this upstream system, but the CEO did mention that it was SendGrid.

“Twilio SendGrid takes fraud and abuse very seriously and invests heavily in technology and people focused on combating fraudulent and illegal communications. We are aware of the situation regarding the use of our platform to launch phishing emails and our fraud, compliance, and cyber security teams are engaged in the matter. This situation is not the result of a hack or compromise of Twilio’s network. We encourage all end users and entities to take a multi-pronged approach to combat phishing attacks, deploying security precautions such as two-factor authentication, IP access management, and using domain-based messaging. We are still investigating the situation and have no additional information to provide at this time.” According to Twilio Corp.

Network Security Checklist – Download Free E-Book

Guru baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

OmniVision Technologies Cyber Attack, Hackers Stolen Personal Data in Ransomware Attack

OmniVision Technologies, Inc. (OVT) recently disclosed a significant security breach that compromised its clients' personal data. The company, known for…

34 mins ago

Critical Flaw In Confluence Server Let Attackers Execute Arbitrary Code

The widely used team workspace corporate wiki Confluence has been discovered to have a critical remote code execution vulnerability. This…

3 hours ago

Threat Actors Leverage Bitbucket Artifacts to Breach AWS Accounts

In a recent investigation into Amazon Web Services (AWS) security breaches, Mandiant uncovered a troubling scenario: client-specific secrets were leaked…

3 hours ago

Hackers Breached Western Sydney University Microsoft 365 & Sharepoint Environments

Western Sydney University has informed approximately 7,500 individuals today of an unauthorized access incident involving its IT network. The breach,…

4 hours ago

Memcyco Report Reveals Only 6% Of Brands Can Protect Their Customers From Digital Impersonation Fraud

Memcyco Inc., provider of digital trust technology designed to protect companies and their customers from digital impersonation fraud, released its…

19 hours ago

DoppelGänger Attack: Malware Routed Via News Websites And Social Media

A Russian influence campaign, DoppelGänger, leverages fake news websites (typosquatted and independent) to spread disinformation, undermining support for Ukraine. Structura…

22 hours ago