Domain registrar Namecheap had their email account breached Sunday night, causing a flood of MetaMask and DHL phishing emails that attempted to steal recipients’ personal information and cryptocurrency wallets.
The phishing campaigns started around 4:30 PM ET and originated from SendGrid, an email platform used historically by Namecheap to send renewal notices and marketing emails.
After recipients began complaining on Twitter, Namecheap CEO Richard Kirkendall confirmed that the account was compromised and that they disabled email through SendGrid while they investigated the issue.
Kirkendall also said that they believe the breach may be related to a December CloudSek report on the API keys of Mailgun, MailChimp, and SendGrid being exposed in mobile apps.
A flood of emails
The phishing emails sent in this campaign are impersonating either DHL or MetaMask.
The DHL phishing email pretends to be a bill for a delivery fee required to complete the delivery of a package. While BleepingComputer has not received this email, we were told that the embedded links lead to a phishing page attempting to steal the target’s information.
Beware of phishing emails coming out of @Namecheap’s @SendGrid account. DHL, MetaMask, digitally signed with DKIM. Looks like low level hackers were able to get into their systems. PII looks to be exposed. pic.twitter.com/IuLE8mo2w6
— Kathy Zant (@kathyzant) February 12, 2023
BleepingComputer did receive the MetaMask phishing email, which pretends to be a required KYC (Know Your Customer) verification to prevent the wallet from being suspended.
“We are writing to inform you that in order to continue using our wallet service, it is important to obtain KYC (Know Your Customer) verification. KYC verification helps us to ensure that we are providing our services to legitimate customers,” reads the MetaMask phishing email.
“By completing KYC verification, you will be able to securely store, withdraw, and transfer funds without any interruptions. It also helps us to protect you against financial fraud and other security threats.”
“We urge you to complete KYC verification as soon as possible to avoid suspension of your wallet.”
This email contains a marketing link from Namecheap (https://links.namecheap.com/) that redirects the user to a phishing page pretending to be MetaMask.
This page prompts the user to enter their ‘Secret Recovery Phrase’ or ‘Private key,’ as shown below.
Once a user provides either the recovery phrase or private key, the threat actors can use them to import the wallet to their own devices and steal all the funds and assets.
If you received either a DHL or MetaMask phishing email tonight from Namecheap, immediately delete it and do not click on any links.
BleepingComputer contacted Twilio about this breach and was told their systems were not hacked or breached.
BleepingComputer also contacted Namecheap, but a response was not immediately available.