A surge of phishing emails impersonating DHL and MetaMask have started hitting inboxes of Namecheap customers last week, attempting to trick recipients into sharing personal information or sharing their crypto wallet’s secret recovery phrase.
Attention @Namecheap users: be wary of suspicious emails claiming to be from DHL. #phishing scams are rampant and it’s crucial to keep your personal information safe. Time for #Namecheap to enhance their security measures. #cybersecurity #emailscams pic.twitter.com/kTPvY90b7d
— Gbenga (@lemogbenga) February 12, 2023
Beware of phishing emails coming out of @Namecheap’s @SendGrid account. DHL, MetaMask, digitally signed with DKIM. Looks like low level hackers were able to get into their systems. PII looks to be exposed. pic.twitter.com/IuLE8mo2w6
— Kathy Zant (@kathyzant) February 12, 2023
How did it happen?
According to one source, the phishing campaign seems to have started last Thursday (and possibly even sooner), and then gathered steam by the end of the week.
The emails look like they were sent by Namecheap, prompting recipients to complain to the company, which then started an investigation and soon after reacted by stopping all the emails (Auth codes delivery, Trusted Devices’ verification, Password Reset emails, etc.).
Namecheap said that their own systems were not breached, and blamed the spam campaing on the upstream third-party system they use for sending emails.
Namecheap uses cloud-based platform SendGrid (owned by Twillio) to deliver its emails. Twillio is also investigating the matter, but claims that its network hasn’t been hacked, so for now everything points to Namecheap’s SendGrid account having been compromised.
Namecheap has yet to comment on what type of information was accessible to the attackers via that account, but it’s obvious that customer email addresses were (mis)used.
What now?
MetaMask has issued an alert today about the phishing emails, and DHL generally warns users that:
- Official DHL communication is always sent from @dhl.com, @dpdhl.com, @dhl.de, @dhl.fr or another country domain after @dhl
- The company never uses @gmail, @yahoo or other free email services to send emails
- They never link to a website other than their own (starting with, for example, https://dhl.com/, https://dpdhl.com/, or a country/campaign website)
It’s impossible to gauge how many users fell for the scam.