NameCheap's Email Hacked To Send Metamask, DHL Phishing Emails

An anonymous reader quotes a report from BleepingComputer: Domain registrar Namecheap had their email account breached Sunday night, causing a flood of MetaMask and DHL phishing emails that attempted to steal recipients' personal information and cryptocurrency wallets. The phishing campaigns started around 4:30 PM ET and originated from SendGrid, an email platform used historically by Namecheap to send renewal notices and marketing emails. After recipients began complaining on Twitter, Namecheap CEO Richard Kirkendall confirmed that the account was compromised and that they disabled email through SendGrid while they investigated the issue.

Namecheap published a statement Sunday night stating that their systems were not breached but rather it was an issue at an upstream system that they use for email. 'We have evidence that the upstream system we use for sending emails (third-party) is involved in the mailing of unsolicited emails to our clients. As a result, some unauthorized emails might have been received by you,' reads a statement issued by Namecheap. 'We would like to assure you that Namecheap's own systems were not breached, and your products, accounts, and personal information remain secure.' After the phishing incident, Namecheap says they stopped all emails, including two-factor authentication code delivery, trusted devices' verification, and password reset emails, and began investigating the attack with their upstream provider. Services were restored later that night at 7:08 PM EST.

While Namecheap did not state the name of this upstream system, the CEO of Namecheap previously tweeted that they were using SendGrid, which is also confirmed in the phishing emails' mail headers. However, Twilio SendGrid told BleepingComputer that Namecheap's incident was not the result of a hack or compromise of the email service provider's systems, adding more confusion as to what happened: 'Twilio SendGrid takes fraud and abuse very seriously and invests heavily in technology and people focused on combating fraudulent and illegal communications. We are aware of the situation regarding the use of our platform to launch phishing email and our fraud, compliance and cyber security teams are engaged in the matter. This situation is not the result of a hack or compromise of Twilio's network. We encourage all end users and entities to take a multi-pronged approach to combat phishing attacks, deploying security precautions such as two factor authentication, IP access management, and using domain-based messaging. We are still investigating the situation and have no additional information to provide at this time.'

Read more of this story at Slashdot.