Domain registrar Namecheap's email hacked to send DHL, Metamask phishing emails

The email account of domain registrar Namecheap was hacked Sunday night, allowing cybercriminals to send phishing emails that aimed to steal recipients' personal information and cryptocurrency wallets.

According to a report by BleepingComputer, the phishing campaign originated from SendGrid, an email platform that Namecheap uses to send marketing emails and renewal notices. The phishing emails pretended to come from logistics provider DHL and cryptocurrency wallet Metamask.

The DHL emails claim that a parcel delivery was unsuccessful as the sender failed to pay the necessary delivery fee. To allegedly be able to proceed with the delivery, the email recipient has to pay the fee themselves. However, clicking on the "Track and Pay" button will lead the user to a fake DHL page that aims to steal their sensitive information.

Meanwhile, the Metamask email says that the recipient's account has been suspended and they need to complete a Know Your Customer (KYC) verification process to reactivate it. "By completing KYC verification, you will be able to securely store, withdraw, and transfer funds without any interruptions. It also helps us to protect you against financial fraud and other security threats," the email stated.

The email also contains a marketing link from Namecheap that redirects the user to a fake MetaMask page asking the user to enter their Secret Recovery Phrase or private key. Providing any of these enables threat actors to import the Metamask wallet to their own devices and drain all of its funds and assets.

After some recipients of the phishing emails started complaining, Namecheap CEO Richard Kirkendall confirmed that their email account was indeed hacked. The company also published a statement on its website:

Dear Customers,

We have evidence that the upstream system we use for sending emails (third-party) is involved in the mailing of unsolicited emails to our clients. As a result, some unauthorized emails might have been received by you.

We would like to assure you that Namecheap’s own systems were not breached, and your products, accounts, and personal information remain secure.

Please ignore such emails and do not click on any links.

We have stopped all the emails (that includes Auth codes delivery, Trusted Devices’ verification, and Password Reset emails, etc.) and contacted our upstream provider to resolve the issue. At the same time, we are also investigating the issue from our side.

We apologize for any inconvenience during this issue and thank you in advance for your patience and understanding.

Once we have any news from the responsible team, this post will be updated right away.

___________________

Kind regards,

Namecheap Support Team

In another later update, Namecheap announced that its mail delivery system has been restored. Despite this, it will continue investigating the issue.

One effective way to protect yourself from phishing attacks is by always thinking twice before opening links and attachments from unsolicited emails. Also, always check the URL of the website you're visiting. For example, if the website doesn't start with dhl.com or metamask.io, it could be fraudulent. Finally, always use strong passwords and enable multifactor authentication to make it more difficult for threat actors to infiltrate your online accounts.

Source: BleepingComputer, Namecheap | DHL email image via Kathy Zant (Twitter)

Domain registrar Namecheap's email hacked to send DHL, Metamask phishing emails