Last week, Namecheap’s official email accounts were used to send phishing emails to the domain registrar’s customers.
One such message asked recipients to pay a fee so DHL could deliver their parcel. Another instructed recipients to submit personal information to stop their MetaMask accounts from being closed.
Fortunately, sharp-eyed users noticed something amiss when they saw the messages came from Namecheap, rather than DHL or MetaMask, and took to social media to raise the alarm. However, other users fell for the scam, losing thousands of dollars in the process.
Namecheap CEO Richard Kirkendall responded to a tweet by security researcher Troy Hunt, stating “the issue was within a 3rd party provider” Namecheap used for its newsletter. Kirkendall added, “None of our own systems or customer accounts where [sic] breached.”
Namecheap also posted an announcement about the incident on their status page, vaguely titled “Email Gateway Issue.” It confirmed “the upstream system we use for sending emails (third party) is involved in the mailing of unsolicited emails to our clients.”
The announcement again emphasized “Namecheap’s own systems were not breached, and your products, accounts, and personal information remain secure.”
To figure out what was going on, and to stop even more phishing emails from being sent, Namecheap suspended all of its email deliveries for a portion of time on Sunday. Although email deliveries were later restored, Namecheap provided very little additional information about what was happening.
Instead, the domain registrar said they would “continue to investigate the issue with the mailing of unsolicited emails” and promised to “keep you updated on the matter.” As of the time of writing, however, there have been no further updates.
Namecheap’s email provider denies breach
BleepingComputer reported SendGrid was the third-party provider handling Namecheap’s emails. However, Twilio, who owns SendGrid, told BleepingComputer “This situation is not the result of a hack or compromise of Twilio’s network.”
Exactly how attackers were able to send phishing emails from Namecheap’s accounts thus remains unclear.