Attackers send authentic phishing emails in the name of registrar Namecheap


The email account of the registrar Namecheap was taken over by criminals this weekend. They are misusing the account to send phishing emails in the name of DHL and cryptocurrency companies. This may have happened via a third-party email marketing platform.

The emails have been sent from Namecheap's primary email account since Sunday, writes BleepingComputer, which has seen several of those messages. Users say on Twitter that they are receiving phishing messages from a Namecheap email address. That address appears to be legitimate, not spoofed or otherwise manipulated. The messages would therefore have been validated with DKIM. Namecheap confirms that it is also seeing such reports from customers. The company refers to a support page for more information.

Users say that phishing emails are coming in on behalf of DHL and cryptocurrency platform MetaMask. The messages contain a link that appears to come from Namecheap, but requires users to enter their cryptocurrency wallet information or other personal data.

Namecheap says its own systems were not hacked, but that the emails were sent via a third party. That would be Sendgrid, an email marketing platform that was hacked at the end of last year. At Sendgrid, but also at alternatives Mailchimp and Mailgun, API keys have been leaked, making it possible to take over accounts.

According to Namecheap, this is probably the background to the phishing emails, but the company says it is conducting further investigation and is in contact with Sendgrid to verify whether this is correct. Sendgrid's parent company Twilio tells BleepingComputer that no hack has occurred on its systems, but does not say what did happen or whether leaked API keys can be classified as a hack.
