Posted on February 25, 2023 at 11:17 AM
Hackers exploit Namecheap email system to send phishing emails
Hackers have compromised the Namecheap email system and used it to send phishing emails to MetaMask and DHL customers, aiming to obtain those customers’ personal information and crypto wallet credentials.
Hackers exploit Namecheap to send phishing emails
Hackers sent fake DHL delivery status notification emails requesting customers to pay delivery fees to ensure their parcels were not returned. The hackers also impersonated the MetaMask hot wallet, urging the victims to complete a Know Your Customer (KYC) verification process to ensure they maintained access to their crypto wallets.
The MetaMask phishing emails contained a malicious link that redirected customers to a phishing website. Customers who visited the site were asked to enter their “Secret Recovery Phrase” or “Private Key”, which the hackers could then use to take over their wallets.
Namecheap initially said that a third-party marketing email provider was the cause of the attack. It said that the provider had allowed threat actors to send legitimate-looking emails that appeared to originate from Namecheap’s account.
“We have evidence that the upstream system we use for sending emails (third-party) is involved in the mailing of unsolicited emails to our clients. As a result, some unauthorized emails might have been received by you,” Namecheap said in a statement.
Namecheap CEO Richard Kirkendall also issued a statement saying that the company used Twilio’s marketing email system, SendGrid, to communicate with its customers.
Kirkendall also suggested that the breach might have originated from the leak of Mailchimp, SendGrid and Mailgun API keys that affected more than 54 million users. Such leaked keys could have allowed the hackers to send phishing emails, delete the API keys and manipulate two-factor authentication (2FA).
The lead awareness advocate at KnowBe4, Javvad Malik, commented on this development: “Gaining access to a legitimate email account to send out phishing emails is a goldmine for criminals. In the past, we’ve seen the likes of Mailchimp being breached and used to send out phishing emails.”
Malik also said that sending malicious emails from a legitimate source let the threat actors reach the victims’ inboxes, because that source was whitelisted and therefore bypassed the email gateway filters.
The phishing emails included SendGrid headers, but Twilio has denied that it was the source of the Namecheap email hack. Instead, the company said customers needed a “multi-prong approach” to protect their accounts and avoid falling victim to phishing campaigns, including enabling two-factor authentication, using IP access management and deploying domain-based message authentication.
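The whitelisting problem Malik describes is that a message relayed through a sender’s contracted email provider passes SPF and DKIM for that sender, so authentication alone will not stop it. As an added example (not code from Namecheap, Twilio or the article), the following check flags authenticated messages whose links point outside the sender’s own domains; the messages, domains and allow-list are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (all domains are placeholders). PHISH mimics a
# message relayed through a contracted email provider: SPF and DKIM pass for the
# sender's domain, yet the call-to-action link points at an unrelated host.
PHISH = """\
From: Support <support@namecheap.example>
To: customer@recipient.example
Subject: Complete KYC verification to keep wallet access
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bounces.namecheap.example;
 dkim=pass header.d=namecheap.example
Content-Type: text/plain; charset=utf-8

Your wallet will be suspended. Verify now: https://metamask-verify.invalid/kyc
"""

LEGIT = """\
From: Support <support@namecheap.example>
To: customer@recipient.example
Subject: Your domain renewal receipt
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bounces.namecheap.example;
 dkim=pass header.d=namecheap.example
Content-Type: text/plain; charset=utf-8

View the invoice at https://www.namecheap.example/billing/123
"""

# Hypothetical allow-list: domains each sender is expected to link to.
OWNED = {"namecheap.example": {"namecheap.example"}}

def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels); production code should use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])

def authenticated(msg) -> bool:
    """True when the receiver's Authentication-Results record an SPF or DKIM pass."""
    return bool(re.search(r"\b(spf|dkim)=pass\b", msg.get("Authentication-Results", "")))

def suspicious_links(raw: str) -> list[str]:
    """Hosts linked from an authenticated message that fall outside the sender's domains.
    Empty means the message did not authenticate (other filters apply) or all links are in-domain."""
    msg = message_from_string(raw)
    sender = registrable(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    if not authenticated(msg):
        return []
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    hosts = {urlparse(u).hostname for u in re.findall(r"https?://[^\s<>\"']+", body)}
    return sorted(h for h in hosts if h and registrable(h) not in OWNED.get(sender, {sender}))
```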
Namecheap has suspended all emails sent through SendGrid, including authentication code delivery, two-factor authentication, device verification and password reset messages. It has also deactivated the phishing link contained in the phishing emails.
The domain registration and hosting company has assured customers that the hack did not compromise customer products or account information. The company also said its internal systems were unaffected by the breach.
Crypto wallet provider MetaMask has also alerted its customers about the breach and urged them not to open the links in these phishing emails. The wallet provider has also reminded users that it does not collect KYC information and does not use email to send information about user accounts.
Hackers used the Namecheap newsletter to send phishing emails
Namecheap’s post-incident analysis found that the hackers sent these emails after gaining access to its newsletter list, which contained customers’ names and email addresses. Namecheap also said it took “full responsibility” for the email hack and that it regretted any disclosure of customer information.
The company further said that it was keen to protect customer information, adding that it prioritized its customers’ safety and privacy. It also added that it was taking measures to ensure that customer information was not breached in the future.
The co-founder of cybersecurity firm Coro, Dror Liwer, noted that the Namecheap breach underscored the need to control the accounts on every platform an organization uses. Liwer added that defending against phishing campaigns has usually happened on the recipient’s end, but that it is becoming more important to have protection measures at the source and to prevent the account takeovers that lead to phishing campaigns.