Hackers gained access to Namecheap’s email account on Sunday night, leading to Metamask and DHL phishing emails that tried to steal recipients’ crypto wallets and personally identifiable information, respectively. The emails originated from Sendgrid and started dropping around 4:30 PM ET.
Since Namecheap uses Sendgrid to send renewal and marketing emails, the campaign didn’t raise much suspicion. Following complaints on Twitter, Namecheap CEO Richard Kirkendall confirmed the breach in a tweet (since deleted) and stated that the company had disabled its Sendgrid email.
According to BleepingComputer, Kirkendall further added that the breach might be related to Mailgun, Mailchimp and Sendgrid API keys being exposed in mobile apps back in December. This refers to a CloudSEK report published in December in which the security firm analysed 600 apps and found that half of them were leaking API keys for Mailgun, Mailchimp and Sendgrid.
The emails, as mentioned before, impersonated either DHL or Metamask. The DHL phishing email was disguised as a bill for delivery fees, with embedded links designed to steal the recipient’s information. In the Metamask emails, the hackers pretended to run KYC (Know Your Customer) verification, claiming it was needed to prevent the wallet from being suspended; the email contained a Namecheap marketing link that redirected to a phishing page asking the recipient to enter their secret recovery phrase or private key.
Namecheap described the issue as the “upstream system” it uses being involved “in the mailing of unsolicited emails to our clients”. The company has since fixed the issue and restored access to its email accounts, and stated that its own systems were not affected and that customer data stored with Namecheap remains secure. Twilio also stated that its systems have not been exposed.