Namecheap's supplier breached and used to send phishing emails

Target Industry

Opportunistic targeting.

Overview

Popular domain registrar Namecheap has had its email delivery account abused as part of a phishing campaign.

A wave of MetaMask- and DHL-themed emails was reported on Sunday from hello@namecheap[.]com, an address the company uses for official communications.

Responding to complaints via social media, Namecheap attributed the issue to an unnamed third-party service provider.

Initial analysis showed the emails had not been spoofed but were being sent through the legitimate email marketing service SendGrid.

Speaking to BleepingComputer, Twilio, the owner of SendGrid, said the situation was “not the result of a hack or compromise of Twilio’s network”.
In some Twitter threads, the CEO posted a link to an article about Google Apps leaking SendGrid API keys, which would seem to indicate that a stolen API key was involved.

Based on the timing of the complaints on social media, the attack started around 9pm UTC and normal service was restored around midnight.

Impact

Namecheap reports that its own infrastructure was not affected and customer data is safe, but it is unknown how many victims were successfully phished.
The use of a legitimate account meant that mail was more likely to bypass some security filters.
If successful, this campaign could result in the loss of sensitive data and financial fraud.

Containment, Mitigations & Remediations

Namecheap has regained control of their service and disabled the malicious links in the emails.

Indicators of Compromise

For a brief period of time on Sunday, the domain links.namecheap.com was being used to redirect to malicious sites.
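
As an added illustration (not part of this bulletin or of Namecheap's or Twilio's tooling), the following Python triage routine shows the header check that separates a spoofed message from one sent through a legitimate ESP account, which is the distinction the analysis above relied on, and flags links pointing at the links.namecheap.com tracking host named as the redirector. The sample message, hostnames, addresses and date are constructed, and the lure-keyword list is an assumption based only on the DHL and MetaMask themes this bulletin reports.

```python
import re
from email import message_from_string
from email.policy import default

# Lure themes reported in this campaign; assumed keyword list for theme matching.
LURE_KEYWORDS = ("dhl", "metamask")
# Tracking host the bulletin names as the redirector during the incident.
TRACKING_HOST = "links.namecheap.com"

# Constructed sample (not a real capture): headers of the kind a receiving
# mail server adds when mail arrives via a legitimate, authenticated sender.
SAMPLE_RAW = """\
Received: from o1.esp-example.net (o1.esp-example.net [192.0.2.10])
Authentication-Results: mx.example.net;
  spf=pass smtp.mailfrom=bounces+1234@em1234.namecheap.com;
  dkim=pass header.d=namecheap.com header.s=s1;
  dmarc=pass header.from=namecheap.com
From: Namecheap <hello@namecheap.com>
Date: Sun, 01 Jan 2023 21:30:00 +0000
Subject: Your DHL shipment could not be delivered
Content-Type: text/html

<html><body><a href="https://links.namecheap.com/ls/click?upn=abc">Track package</a></body></html>
"""

# Constructed spoofed variant: same content, but authentication fails.
SPOOFED_RAW = SAMPLE_RAW.replace("spf=pass", "spf=fail").replace("dkim=pass", "dkim=none")


def parse_auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header):
            results[method.lower()] = verdict.lower()
    return results


def extract_links(msg):
    """Return every href in the HTML (or plain) body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return re.findall(r'href="([^"]+)"', text)


def triage(raw):
    """Classify a raw message as spoofed, plain authenticated, or authenticated
    but carrying a lure theme that does not fit the sender (account abuse)."""
    msg = message_from_string(raw, policy=default)
    auth = parse_auth_results(msg)
    authenticated = auth.get("spf") == "pass" and auth.get("dkim") == "pass"
    subject = msg.get("Subject", "")
    links = extract_links(msg)
    host_pattern = rf"https?://{re.escape(TRACKING_HOST)}/"
    tracking_links = [link for link in links if re.match(host_pattern, link)]
    theme_mismatch = any(k in subject.lower() for k in LURE_KEYWORDS)

    if not authenticated:
        verdict = "spoofed-or-unauthenticated"
    elif theme_mismatch:
        # Passes SPF/DKIM yet uses an unrelated brand as the lure: the pattern
        # of a legitimate sending account being abused rather than forged.
        verdict = "legitimate-account-abuse"
    else:
        verdict = "authenticated"

    return {
        "from": msg.get("From", ""),
        "auth": auth,
        "tracking_links": tracking_links,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RAW), ("spoofed", SPOOFED_RAW)):
        print(label, triage(raw)["verdict"])
```

The point of the split verdict is that a message that passes SPF and DKIM for the real sender domain will sail through filters tuned for forgery; the useful signal in that case is the mismatch between the authenticated sender and the lure, plus any link through a known-abused tracking host.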

Threat Landscape

It is likely the impact could have been a lot more severe if the phishing theme had been better matched to the abused account.
A properly themed lure from the official hello@namecheap[.]com email address could have been incredibly effective at stealing credentials.
A compromised domain registrar account could be used for domain takeovers leading to further attacks.

Threat Group

No specific threat group has been attributed at the time of writing.

Mitre Methodologies

T1566.002 – Phishing: Spearphishing Link
T1078.004 – Valid Accounts: Cloud Accounts
T1199 – Trusted Relationship

Further Information

IN PROGRESS EMAIL GATEWAY ISSUE

MailChimp, Mailgun, and Sendgrid API leak endangered over 54M users

Hardcoded API Keys of Email Marketing Services Puts 54M+ Mobile App Users at Risk
