Domain registrar Namecheap had its email account hacked on Sunday evening, sparking a flood of MetaMask and DHL phishing emails that attempted to steal recipients’ personal information and cryptocurrency wallets.
The phishing campaigns began around 4:30 p.m. ET and originated from SendGrid, an email platform historically used by Namecheap to send renewal notices and marketing emails.
After recipients started complaining on Twitter, Namecheap CEO Richard Kirkendall confirmed that the account had been compromised and that email sending through SendGrid had been disabled while the issue was investigated.
Kirkendall also said they believed the breach may be related to a December CloudSek report on Mailgun, MailChimp, and SendGrid API keys exposed in mobile apps.
A deluge of emails
Phishing emails sent in this campaign impersonate DHL or MetaMask.
The DHL phishing email pretends to be an invoice for the delivery costs needed to complete the delivery of a package. Although BleepingComputer did not receive this email, we were told that the embedded links led to a phishing page attempting to steal the target’s information.
Beware of phishing emails from @Namecheap. It is @SendGrid account. DHL, MetaMask, digitally signed with DKIM. Looks like low-level hackers were able to break into their systems. PII seems to be exposed. pic.twitter.com/IuLE8mo2w6
— Kathy Zant (@kathyzant) February 12, 2023
BleepingComputer received the MetaMask phishing email, which claims to be a KYC (Know Your Customer) verification required to prevent the suspension of the wallet.
“We are writing to inform you that in order to continue using our wallet service, it is important to obtain KYC (Know Your Customer) verification. KYC verification helps us ensure that we are providing our services to legitimate customers,” reads the MetaMask phishing email.
“By performing KYC verification, you will be able to securely store, withdraw and transfer funds without any interruptions. It also helps us protect you against financial fraud and other security threats.”
“We urge you to complete KYC verification as soon as possible to avoid suspension of your wallet.”
This email contains a tracked marketing link on Namecheap’s own domain (https://links.namecheap.com/) that redirects the user to a phishing page posing as MetaMask. Because the message is DKIM-signed by Namecheap and its link points at a Namecheap domain, filters that rely on sender reputation or domain allow-lists will not flag it.
This page prompts the user to enter their “Secret Recovery Phrase” or “Private Key”, as shown below.
Once a user provides the recovery phrase or private key, threat actors can use it to import the wallet to their own devices and steal all funds and assets.
If you received a DHL or MetaMask phishing email from Namecheap tonight, delete it immediately and do not click on any links.
BleepingComputer contacted Twilio, SendGrid’s parent company, about this breach and was told that Twilio’s own systems were not hacked or breached.
BleepingComputer also contacted Namecheap, but no response was immediately available.