The email account of domain registrar Namecheap was compromised which led to a flood of DHL and MetaMask phishing emails that sought to steal the victims’ personal information and cryptocurrency wallets.
Reports say the phishing attacks began at 4:30 PM ET and came from SendGrid, a company that Namecheap has previously utilized to send renewal notices and promotional emails.
Following complaints from customers on Twitter, Namecheap CEO Richard Kirkendall acknowledged that the account had been compromised and blocked email through SendGrid while they looked into the situation.
Namecheap Emails Hacked To Send Phishing Email
The phishing emails received appear as either MetaMask or DHL. The DHL phishing email poses as a bill for a delivery fee necessary to finish a package’s delivery.
It is been noticed that the embedded links take users to a phishing page that tries to steal their personal data.
The MetaMask phishing email, which purports to be a necessary KYC (Know Your Customer) verification to avoid the wallet from being suspended, was sent to BleepingComputer.
“We are writing to inform you that in order to continue using our wallet service, it is important to obtain KYC (Know Your Customer) verification. KYC verification helps us to ensure that we are providing our services to legitimate customers,” a phishing email from MetaMask reads.
“By completing KYC verification, you will be able to securely store, withdraw, and transfer funds without any interruptions. It also helps us to protect you against financial fraud and other security threats.”
“We urge you to complete KYC verification as soon as possible to avoid suspension of your wallet.”
A promotional link from Namecheap (https://links[.]namecheap.com/) in this email takes users to a phishing page impersonating MetaMask. Notably, the user is prompted to enter their “Private key” or “Secret Recovery Phrase” on this page.
Threat actors can import the wallet to their own devices and take all the funds and assets once a user gives either the recovery phrase or the private key.
Thus, if you received a Namecheap phishing email tonight that purports to be from DHL or MetaMask, delete it right away and avoid clicking any links.
In a statement made on Sunday night, Namecheap claimed that there had not been a breach of their systems, but rather that there had been a problem with an email system they use upstream.
“We have evidence that the upstream system we use for sending emails (third-party) is involved in the mailing of unsolicited emails to our clients. As a result, some unauthorized emails might have been received by you,” Namecheap
“We would like to assure you that Namecheap’s own systems were not breached, and your products, accounts, and personal information remain secure.”
Namecheap claims to have stopped all emails, including those used to provide two-factor authentication codes, verify trusted devices, and reset passwords and has started an investigation into the attack with their upstream provider.
Reports say at 7:08 PM EST later that evening, services were resumed. The CEO of Namecheap earlier tweeted that they were utilizing SendGrid, which is also confirmed in the mail headers of the phishing emails. Namecheap did not specify the name of this upstream system, but the CEO did mention that it was SendGrid.
