Hackers hijack Namecheap's email platform to phish its customer base
Customers received scam emails made to look like notices from delivery firm DHL and crypto wallet MetaMask


Domain hosting company Namecheap has had its email service breached and used to send phishing emails disguised as cryptocurrency and delivery notices.
Threat actors compromised Sendgrid, a third-party communications platform that Namecheap uses to send emails to its customers, and began sending out phishing emails on Sunday.
The clients of Namecheap, which manages more than 16 million domains, have reported receiving scam emails made to look like notifications from delivery firm DHL, requesting victims pay a delivery fee at a link provided.
Others posed as verification requests from cryptocurrency wallet MetaMask, with a link that led users to a malicious website made to look like the MetaMask site.
Dozens of customers reported having received the phishing emails on the firm's dedicated Reddit community.
The emails urged victims to provide their ‘Secret Recovery Phrase’, which, if provided, would give the threat actors behind the campaign access to their cryptocurrency wallet.
The company has denied any breach of its internal environment and said that customer information is unaffected.
“We have evidence that the upstream system we use for sending emails (third party) is involved in the mailing of unsolicited emails to our clients,” said Namecheap in a blog post.
“As a result, some unauthorised emails might have been received by you. We would like to assure you that Namecheap’s own systems were not breached, and your products, accounts, and personal information remain secure.”
Namecheap launched an investigation into the breach, and at the time of writing has halted its email system to prevent further phishing emails being sent.
It stated that authentication codes and password reset emails will not be sent while the system is down.
“To be clear, the issue was with a third-party provider that we use to send our newsletter,” tweeted Richard Kirkendall, CEO at Namecheap.
“None of our own systems or customer accounts were breached. I sent a follow-up email to all users that were affected. The domains linked in the original phishing emails were also disabled.”
Kirkendall also suggested that the incident could be linked to a recent leak of Sendgrid API keys through the Google Play store.
CloudSEK released a report [PDF] on the leak, in which 600 apps were found to be leaking API keys to Sendgrid, Mailchimp, and Mailgun.
This left the popular platforms open to attack, with researchers warning at the time the report was published that those using the third-party services could see their emails hijacked for phishing or other malicious activity.
MetaMask has urged customers to refrain from interacting with emails pertaining to user wallets.
“MetaMask does not collect KYC info and will never email you about your account,” tweeted the web3 firm.
“Do not enter your Secret Recovery Phrase on a website ever. If you got an email today from MetaMask or Namecheap or anyone else like this, ignore it and do not click its links.”
Mailchimp also suffered a data breach in January, after a social engineering attack was carried out on a Mailchimp employee.
Customers of the platform were warned that they could be targeted with phishing emails in the aftermath of the breach, which saw threat actors steal customer names and email addresses.
Delivery scams became the most common form of smishing in the wake of the pandemic, and in June 2022 Kaspersky found ‘missed delivery’ phishing emails to be the most effective at luring in corporate victims in simulated tests.
IT Pro has approached Namecheap for more information.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.