Unknown hackers compromised SendGrid, an email platform historically used by Namecheap to send renewal notices and marketing emails, and used it to target potential victims with a major phishing campaign impersonating MetaMask and DHL.

What happened?

In this campaign, attackers attempted to steal recipients' personal information and cryptocurrency wallets via phishing emails that appeared to come from DHL and MetaMask.
  • The DHL phishing email pretends to be a bill for a delivery fee required to complete the delivery, and contains embedded links. On clicking, it leads the user to a phishing page attempting to steal the target's information.
  • The MetaMask phishing email pretends to be a required KYC verification to prevent wallet suspension and contains a marketing link from Namecheap.
  • On clicking, the link redirects the user to a phishing page prompting the user to enter their Secret Recovery Phrase or Private key.
  • Threat actors steal the entered recovery phrase or private key and use them to import the wallet to their own devices and steal all the funds and assets.

Namecheap’s clarification

Namecheap published a statement stating that its own systems were not breached, and customers’ products, accounts, and personal information were not impacted.
  • The company said the problem lay with an upstream third-party system it uses for sending emails. It has contacted the upstream provider and is investigating to resolve the issue.
  • Namecheap says it has stopped all emails that include two-factor authentication code delivery, trusted devices’ verification, and password reset emails.
  • It is possible that SendGrid is the impacted upstream provider; however, Twilio SendGrid confirmed that this situation was not the result of a hack or compromise of its network.

Namecheap’s CEO said that this breach may be related to the exposure of API keys for Mailgun, MailChimp, and SendGrid in mobile apps in December last year.

Wrapping up

Although Namecheap suggested users ignore such emails and avoid clicking on any links, emails coming through Namecheap’s SendGrid account and digitally signed with DKIM look quite convincing, and users are likely to fall for them. Users are advised to complete processes such as KYC verification, password resets, and money-related transactions on official sites only.
Cyware Publisher