Get in Touch
Namecheap’s supplier breached and used to send phishing emails
Popular domain registrar, NameCheap, has had their email delivery account abused as part of a phishing campaign.
A wave of Metamask and DHL themed emails were reported on Sunday from [email protected][.]com, an address used by the company for official communications.
Responding to complaints via social media, Namecheap attributed the issue to an unamed third-party service provider.
Initial analysis showed the emails had not been spoofed but were coming from legitimate marketing service, SendGrid.
Speaking to BleepingComputer, Twilio, the owners of SengGrid, said the situation was “not the result of a hack or compromise of Twilio’s network”.
In some Twitter threads, the CEO posted a link to an article about Google Apps leaking Sendgrid API keys which would seem to indicate that a stolen API key was involved.
Based on the timing of the complaints on social media, the attack started around 9pm UTC and normal service was restored around midnight.
Namecheap reports that their own infrastructure was not affected and customer data is safe, but it’s unknown how many victims were successfuly phished.
The use of a legitimate account meant that mail was more likely to bypass some security filters.
If successful, this campaign could result in the loss of sensitive data and financial fraud.
Containment, Mitigations & Remediations
Namecheap has regained control of their service and disabled the malicious links in the emails.
Indicators of Compromise
For a brief period of time on Sunday, the domain links.namecheap.com was being used to redirect to malicious sites.
It is likely the impact could have been a lot more severe if the phishing theme had been better matched to the abused account.
A properly themed lure from the official [email protected][.]com email address could have been incredibly effective at stealing credentials.
A compromised domain registrar account could be used for domain takeovers leading to further attacks.
No specific threat group has been attributed at the time of writing.
T1566.002– Phishing: Spearphishing Link
T1078.004 – Valid Accounts: Cloud Accounts
T1199 – Trusted Relationship
IN PROGRESS EMAIL GATEWAY ISSUE
MailChimp, Mailgun, and Sendgrid API leak endangered over 54M users
Hardcoded API Keys of Email Marketing Services Puts 54M+ Mobile App Users at Risk