Namecheap Email Hacked, Phishing Emails Sent To MetaMask & DHL

By Adeola Adegunwa
Writer, Informationsecuritybuzz | Feb 13, 2023 02:06 am PST

A Sunday night email hack at domain registrar Namecheap resulted in a deluge of DHL and MetaMask phishing emails that sought to steal the recipients’ personal information and bitcoin wallets. The phishing attacks began at 4:30 PM ET and came from SendGrid, a company that Namecheap has previously utilized to send renewal notices and promotional emails.

Following complaints from customers on Twitter, Namecheap CEO Richard Kirkendall acknowledged that the account had been compromised and blocked email through SendGrid while they looked into the situation. The compromise, according to Kirkendall, may be connected to a December CloudSek report that revealed that the API keys for Mailgun, MailChimp, and SendGrid were made public in mobile apps.

Numerous Phishing Emails Try To Steal Personal Data

The phishing emails received as part of this effort pose as either MetaMask or DHL. The DHL phishing email poses as a bill for a delivery cost necessary to finish a package’s delivery; the embedded links reportedly take users to a phishing page that tries to steal their personal data. The fake KYC (Know Your Customer) verification email from MetaMask claims that verification is necessary to keep the wallet from being suspended.

“We’re writing to let you know that getting KYC (Know Your Customer) verification is necessary if you want to keep using our wallet service. Using KYC verification, we can be sure that we are only working with real clients,” reads the phishing email from MetaMask. “You will be able to withdraw, transfer, and store money securely after completing KYC verification. Additionally, it enables us to safeguard you against security risks like financial theft.”

“To prevent suspension of your wallet, we strongly advise you to complete KYC verification as soon as possible.” A promotional link from Namecheap in this email takes users to a phishing page impersonating MetaMask. As seen below, the user is prompted to enter their “Private key” or “Secret Recovery Phrase” on this screen.

Threat actors can import the wallet to their own devices and take all the monies and assets once a user supplies either the recovery phrase or the private key. If you received a Namecheap phishing email tonight that purports to be from DHL or MetaMask, delete it right away and avoid clicking any links.

Namecheap Assigns Blame To Upstream System

In a statement published Sunday night, Namecheap claimed that the problem was with an upstream system they use for email rather than their own servers, which had not been compromised.

“We have proof that the upstream system (third party) we employ to send emails is responsible for distributing unwanted emails to our clients. As a result, you may have received certain emails that were not approved,” according to a statement made by Namecheap. “We want to reassure you that Namecheap’s internal systems were not compromised and that your accounts, products, and personal information are still safe.”

Namecheap claims that following the phishing incident, they stopped all emails, including those for two-factor authentication codes, trusted device verification, and password resets, and started an investigation with their upstream supplier. At 7:08 PM EST later that evening, services were resumed.

Although Namecheap did not name this upstream system in its statement, the CEO of Namecheap earlier stated that they were utilizing SendGrid, which is also confirmed in the mail headers of the phishing emails.

“Twilio SendGrid takes fraud and abuse very seriously and makes significant investments in technology and personnel devoted to preventing illegitimate and fraudulent communications. Our fraud, compliance and cyber security teams are working to address the issue of phishing emails being launched from our platform.

“This issue is not the consequence of a hack or network attack on Twilio. We urge all end users and organizations to prevent phishing attempts in several ways by implementing security measures, including two-factor authentication, IP access management, and the usage of domain-based messaging. We don’t have any additional information to share at this time because we are still looking into the matter.” - Twilio Inc.

We also asked Namecheap about the situation earlier this evening but didn’t hear back.


The web hosting business Namecheap discovered that one of its third-party services had been abused to send some unwanted emails that specifically targeted users of MetaMask. Investors have been cautioned of continued phishing attempts by con artists seeking to contact users through Namecheap’s third-party upstream system for emails, according to popular cryptocurrency wallet provider MetaMask.

On the evening of February 12, the web hosting company Namecheap discovered that one of their third-party services had been abused to send some unwanted emails that targeted users of MetaMask. Namecheap referred to the incident as an “email gateway issue.”

In the proactive alert, MetaMask informed its million followers that it does not gather Know Your Customer (KYC) information and never emails customers to inquire about their accounts. The hacker’s phishing emails contain a link that launches a phony MetaMask website and asks for a private recovery phrase “to keep your wallet secure.” The wallet provider cautioned investors to avoid disclosing seed phrases because doing so gives hackers complete control of the user’s assets.
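MetaMask's statement that it never emails customers about their accounts and collects no KYC data translates directly into a mail-filtering rule. The following is an added example, not code from Namecheap, Twilio or MetaMask: it flags messages that name a brand the sending domain does not own or that solicit wallet secrets. The brand allow-list, the lure patterns and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: brand keyword -> domains that brand legitimately sends from.
BRAND_DOMAINS = {"metamask": {"metamask.io"}, "dhl": {"dhl.com"}}
# Assumed lure phrases, taken from the wording quoted in the article.
LURE_PATTERNS = ["secret recovery phrase", "private key", "seed phrase", "kyc verification"]

def sender_domain(msg):
    """Lower-cased domain of the From: address ('' if absent)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def message_text(msg):
    """Subject plus every text part, lower-cased with whitespace collapsed."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return re.sub(r"\s+", " ", " ".join(parts)).lower()

def assess(raw_message):
    """Return a list of findings for one raw RFC 5322 message string."""
    msg = message_from_string(raw_message)
    domain, text = sender_domain(msg), message_text(msg)
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        owned = any(domain == d or domain.endswith("." + d) for d in domains)
        if re.search(rf"\b{brand}\b", text) and not owned:
            findings.append(f"brand-mismatch:{brand}:{domain}")
    return findings + [f"lure:{p}" for p in LURE_PATTERNS if p in text]

# Constructed samples (not real captured mail); namecheap.example is a placeholder.
SAMPLE_PHISH = """From: MetaMask <hello@namecheap.example>
Subject: MetaMask: complete KYC verification

To prevent suspension of your wallet, complete KYC verification
and enter your Secret Recovery Phrase.
"""
SAMPLE_BENIGN = """From: Namecheap <hello@namecheap.example>
Subject: Your domain renewal notice

Your domain expires in 30 days.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(assess(sample))
```

Because the check relies on message content rather than on who sent the mail, it still fires when the message is delivered through a registrar's legitimate email provider account, as in this incident.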
