Hackers gained access to the Namecheap email system and used it to send MetaMask and DHL phishing emails aimed at customers’ personal and crypto wallet information.
Namecheap confirmed its upstream email system had been hacked in a status update and warned customers of an ongoing phishing campaign. Because they were sent from Namecheap’s account, the emails appeared to be legitimate.
The domain registrar, which has been praised for recent security improvements, stated that its own systems were not compromised and that no products, accounts, or personal information were affected.
After receiving complaints on Twitter, Namecheap CEO Richard Kirkendall confirmed that the account had been compromised and that email through SendGrid had been disabled while they investigated the problem. Kirkendall also stated that they believe the breach is related to a December CloudSek report about Mailgun, MailChimp, and SendGrid API keys being exposed in mobile apps.
This campaign’s phishing emails impersonate either DHL or MetaMask. The DHL phishing email appears to be a bill for a delivery fee required to complete a package delivery. The embedded links take the target to a phishing page that attempts to steal the target’s information.
While The MetaMask phishing emails included a link (https://links.namecheap.com/) that redirected the victims to a phishing page requesting the victims’ “Secret Recovery Phrase” or “Private key” that hackers could use to take over their wallets. They also impersonated MetaMask, a self-hosted wallet provider, and asked victims to complete the KYC (Know Your Customer) verification process in order to keep access to their crypto wallets.
The sources for this piece include an article in CPOMAGAZINE.