Namecheap’s announcement said their cloud-based “upstream system,” a SendGrid (Twilio) account, was leveraged to send out the emails and was the source of the phishing activity. This mail server — which Namecheap uses for marketing purposes — was likely compromised first by attackers. The emails then masqueraded as postal giant DHL and popular crypto wallet MetaMask to trick customers into entering information such as their secret recovery phrases, or simply requested payment. Several Twitter users who received such emails spoke out early on Sunday and Monday, while DHL and crypto wallet firm MetaMask sent out warnings earlier on Monday. “I already alerted you on this on Thursday. Provided you with two example mails that day,” security researcher KnowsInt tweeted in response to Namecheap’s own tweet about the emails on Monday. The emails prompted customers to reach out to Namecheap, which soon blocked all of the email pathways, such as Trusted Devices’ verification, password reset emails, authorization codes, etc. The company noted that its own systems were not breached.
Email Phishing Campaign Impersonated DHL and MetaMask
In this campaign, the fake DHL email, laced with a malicious link, masqueraded as a parcel delivery failure notification requesting that Namecheap customers pay a delivery fee. “Attempts have been made to defraud Internet shoppers by the unauthorized use of the DHL name and brand via email communications and graphics which appear, on the surface, to have originated from DHL,” DHL said, adding that it never requests payment this way. The second phishing variation was an email purporting to be from MetaMask, asking Namecheap customers to confirm their secret recovery phrase. Such a recovery phrase serves as a master key that would give an attacker full control of a wallet. “MetaMask does not collect KYC [Know Your Customer] info and will never email you about your account,” MetaMask tweeted Monday. Kathy Zant, who works at a website building company, warned other users of emails coming out of Namecheap’s SendGrid account after receiving the DHL phishing mail. “Looks like low-level hackers were able to get into their systems,” Zant tweeted. “PII [personally identifiable information] looks to be exposed.” Another Twitter user and designer, Lemo Gbenga, also received the DHL mail. “Time for #Namecheap to enhance their security measures,” he wrote on Sunday.
Namecheap CEO: Account Compromise Stemmed from API Key Leak
According to a Sunday tweet from Richard Kirkendall, CEO of Namecheap, the initial breach of SendGrid may have stemmed from a known API key leak vulnerability. With the AWS keys found in the bucket, it was possible to access several of SEGA Europe’s cloud services. Our main findings also noted that there were MailChimp and Steam keys there that allowed access to those services.
Security Recommendations
Combating phishing attacks on your end as a user is all about not interacting with phishing emails, applying multifactor authentication to all of your accounts, and using a formidable antimalware solution. Phishing is an extremely common yet effective form of cybercrime. For instance, last Thursday, scammers posing as representatives of popular VPN company NordVPN attempted to get victims to download a malicious file under the guise of arranging a promotional deal. One surefire way to spot a phishing scam is if the sender’s email address does not match the domain of the company it claims to be from (such as @dhl.com). Legitimate companies will not contact you from a Gmail or Yahoo account, particularly larger and well-known companies. Educate yourself on the dangers of malicious emails in our guide to phishing. We also recommend you check out a versatile antimalware solution such as Malwarebytes Premium to protect your devices in real time from malicious web pages and malware you may accidentally download.
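The sender-domain check described above can be automated for a mailbox or a mail gateway. The following is an added example written for this article, not code from Namecheap, SendGrid, DHL or MetaMask: it parses the From header, flags freemail senders, and flags messages whose display name or subject invokes a brand (DHL, MetaMask) while the sending domain is not one that brand uses. The brand-to-domain table, the freemail list and the three sample messages are constructed for the example and would need to be maintained from your own environment. One caveat the incident itself illustrates: because these emails were sent through Namecheap’s own compromised SendGrid account, the mail infrastructure was legitimate, so a check like this catches the DHL and MetaMask masquerade rather than the underlying account compromise, which is why multifactor authentication on sending accounts matters as well.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed mapping of brand keywords to the domains they legitimately send from.
# Assumption: in production this table is curated per organisation.
BRAND_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de"},
    "metamask": {"metamask.io"},
}

# Constructed list of consumer webmail providers that large companies do not send from.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def brands_mentioned(text):
    """Return the set of known brand keywords appearing as whole words in text."""
    text = text.lower()
    return {b for b in BRAND_DOMAINS if re.search(r"\b" + re.escape(b) + r"\b", text)}


def domain_matches(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_sender(raw_message):
    """Return a list of human-readable findings for the From header of a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    subject = msg.get("Subject", "")

    findings = []
    if not domain:
        findings.append("no parseable sender address")
        return findings

    if domain in FREEMAIL_DOMAINS:
        findings.append(f"sender uses freemail domain {domain}")

    # A brand named in the display name or subject must match the sending domain.
    for brand in sorted(brands_mentioned(display_name) | brands_mentioned(subject)):
        if not domain_matches(domain, BRAND_DOMAINS[brand]):
            findings.append(f"claims to be {brand} but sends from {domain}")
    return findings


# Constructed sample messages (reserved .example TLD, not real senders).
SAMPLE_DHL_PHISH = """From: "DHL Express" <notice@notices.example>
Subject: Your parcel could not be delivered - pay the delivery fee
To: customer@example.com

Please pay the outstanding delivery fee using the link below.
"""

SAMPLE_DHL_LEGIT = """From: DHL <noreply@dhl.com>
Subject: Shipment update
To: customer@example.com

Your shipment is on its way.
"""

SAMPLE_METAMASK_FREEMAIL = """From: "MetaMask Support" <metamask.support@gmail.com>
Subject: Confirm your secret recovery phrase
To: customer@example.com

Reply with your 12 words to keep your wallet active.
"""

if __name__ == "__main__":
    for label, sample in [("DHL phish", SAMPLE_DHL_PHISH),
                          ("DHL legit", SAMPLE_DHL_LEGIT),
                          ("MetaMask freemail", SAMPLE_METAMASK_FREEMAIL)]:
        print(label, "->", check_sender(sample) or ["no findings"])
```

Run on the three constructed samples, the DHL phish is flagged for a brand/domain mismatch, the genuine @dhl.com message passes, and the MetaMask lure is flagged twice (freemail sender and brand mismatch). The check is deliberately conservative: it only reports on brands it knows, so an unlisted brand yields no finding rather than a false alarm.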