Concerning e-mail from NameCheap

I've just received a weird e-mail from NameCheap (attached below). It was sent from [email protected] (IP 149.72.141.59 - passed SPF, DKIM, DMARC) to the mail address I'm using with NameCheap, using my name & surname, and the links in the mail are under links.namecheap.com. If it's not a breach I don't know what it is...

[Attached: screenshot of the e-mail]
 
Apparently, someone already lost money on this:


Not sure why people just click links... An email from Namecheap regarding your MetaMask wallet (two unrelated things) should instantly raise suspicions.
 
Thanks to @pb for starting this thread on NamePros.
 
Got that email, too.

It seems to be legitimately from a Namecheap email address. If that's the case, they've been hacked (probably).

I hope no one clicks on anything in these emails.
 
These third parties can be a nasty attack vector with major consequences for domain owners. For example, last year I explicitly requested a registrar to a) no longer include all individual authorization codes for all domains when requesting the domain portfolio (this could not be turned off, the auth codes were always included), b) arrange downloading of the portfolio through the trusted, TLS secured website of the registrar instead of emailing unsecured CSVs with all auth codes through the external third party mail service, and c) more often use direct URL links to the registrar's website in email communications, for example when it comes to opt-ins for Afternic.
 
Statement from Namecheap:

https://www.namecheap.com/status-updates/archives/74848

The most important part:

"your products and account details are not affected by this issue."
This is kind of a big deal.

Dear Customers,

We have evidence that the upstream system we use for sending emails is involved. We have stopped all the emails and contacted our upstream provider to resolve the issue.
As a result, some unauthorized emails might have been received by you.

Please ignore such emails and do not click on any links. We are currently investigating the situation.

Once we have any news from the responsible team, this post will be updated right away.

Please rest assured that your products and account details are not affected by this issue.

We apologize for any inconvenience during this issue and thank you in advance for your patience and understanding.
 
Yes, it's from the authorised IP (I added that info above). I tried the link in a separate browser but it didn't open, so maybe they already blocked it. Or maybe so many people are clicking that the server got overwhelmed.

That Track and Pay button in the email is intended to lead those who click on it to mysafebridge.info -- a domain registered today at NameSilo (I haven't visited the domain and no one should).

But yeah, these emails definitely come from a Namecheap address. So it's either:

1) a hack
2) some employee-gone-bad who will regret all this
 
Yes, thanks for the alert by starting this thread, @pb. I did not personally get either email, so they must not have gone to all NC customers.

Namecheap now have an update that service has been restored (they had stopped any emails including auth codes).

I hope we will learn more from Namecheap after investigation is complete.

-Bob
 
167.89.64.95 is o6.mailservice.namecheap.com.
149.72.141.59 is o21.mailservice.namecheap.com.
 
Can you check complete headers and share?

I hope I cleaned it up properly...

Delivered-To: [my_mail]
Received: by 2002:a0c:d7d1:0:b0:534:7395:29d9 with SMTP id g17csp2940914qvj;
Sun, 12 Feb 2023 13:25:38 -0800 (PST)
X-Received: by 2002:a81:dc05:0:b0:52f:aab:5f71 with SMTP id h5-20020a81dc05000000b0052f0aab5f71mr3056322ywj.17.1676236897621;
Sun, 12 Feb 2023 13:21:37 -0800 (PST)
X-Google-Smtp-Source: AK7set/Y4XLx6CUK4OPxgJoIyt2DYAR+8D4ffd9SYC4vUjctrlsNbeaVzVErxRFqkbrLcN6ntkhJ
X-Received: by 2002:a81:dc05:0:b0:52f:aab:5f71 with SMTP id h5-20020a81dc05000000b0052f0aab5f71mr3056291ywj.17.1676236896577;
Sun, 12 Feb 2023 13:21:36 -0800 (PST)
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass [email protected] header.s=s1 header.b=ythgTo4+;
spf=pass (google.com: domain of bounces+4793763-779e-[my_mail]@mailserviceemailout1.namecheap.com designates 167.89.64.95 as permitted sender) smtp.mailfrom="bounces+4793763-779e-[my_mail]@mailserviceemailout1.namecheap.com";
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=namecheap.com
Return-Path: <bounces+4793763-779e-[my_mail]@mailserviceemailout1.namecheap.com>
Received: from o6.mailservice.namecheap.com (o6.mailservice.namecheap.com. [167.89.64.95])
by mx.google.com with ESMTPS id q132-20020a815c8a000000b004fd32b6075dsi12268336ywb.116.2023.02.12.13.21.36
for <[my_mail]>
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Sun, 12 Feb 2023 13:21:36 -0800 (PST)
Received-SPF: pass (google.com: domain of bounces+4793763-779e-[my_mail]@mailserviceemailout1.namecheap.com designates 167.89.64.95 as permitted sender) client-ip=167.89.64.95;
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=s1 header.b=ythgTo4+;
spf=pass (google.com: domain of bounces+4793763-779e-[my_mail]@mailserviceemailout1.namecheap.com designates 167.89.64.95 as permitted sender) smtp.mailfrom="bounces+4793763-779e-[my_mail]@mailserviceemailout1.namecheap.com";
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=namecheap.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=namecheap.com; h=content-type:from:list-unsubscribe:mime-version:subject:reply-to:to: cc:content-type:from:subject:to; s=s1; bh=5MLgTLrZB0u3RqAQCStwUI5dGjMMNfLn7ZSO3geJAnk=; b=ythgTo4+iQ/nQOitKZGKF28zU6G9lG8+FsJ/NRZ/QXINc8XV5jDxHBXf4vWQjhDzu8xh EjXnml9zYCNktsRYA2kNosXZaeCJPNDUgaDh3hD81YCueLwazlffCCXDEbjmjc7wk0TZgk qu76uksj2q8Sd8n+1j0NDr16LOV0Q0h7jh/V4hRbg8ffiDmtol42IOOEX4h1V+AECpYcrV a4Z3q10/72Gf3XClDeMBkV8spyjs7lG8JyuPVZsy5PIMfGSdxA4ODZav4tPgOvUzS4fY5P MYkTPyWDXyzzflgeXWQuK0+IF/21xOVeQsoEXOc8e1EMXSVGUP5XvTBg0Uen9O9g==
Received: by filterdrecv-b79bb7454-xcf6j with SMTP id filterdrecv-b79bb7454-xcf6j-1-63E9585F-68
2023-02-12 21:21:35.774950246 +0000 UTC m=+181305.375421437
Received: from NDc5Mzc2Mw (unknown) by geopod-ismtpd-5-1 (SG) with HTTP id iMbMpeRzStOHPFrYXY7ilw for <[my_mail]>; Sun, 12 Feb 2023 21:21:35.707 +0000 (UTC)
Content-Type: multipart/alternative; boundary=f0f40b2bef6c62308fe702efeef447e1b23e2fbac9576460ad841833ad94
Date: Sun, 12 Feb 2023 21:21:35 +0000 (UTC)
Feedback-ID: 8288221:6168579:9774:iterable
From: "contact ." <[email protected]>
List-Unsubscribe: <[unsubscribe_link]>,<mailto:[unsubscribe_mail]>
Mime-Version: 1.0
Subject: MetaMask : Your wallet is about to be suspended
X-Campaign-ID: 6168579
X-Message-ID: 685fbf8d22a8421a95c168e93916e61f
Message-ID: <iMbMpeRzStOHPFrYXY7ilw@geopod-ismtpd-5-1>
Reply-To: [email protected]
X-SG-EID: Sf/6gCYo6POogvTNeXQAUzuhmXXiY87VJrtPmjowdxcnfIoiiBzj+ETkhZGZDH6sNJMxo5N6KSgz1KVpBNNeXyVTYMIc/872sN3zsHmg6OTpcF48786LQ9oosrBa7X7eZUH1vRFT99T7UY+psJX4VDmFrCCdv8uhTvriG5RKEXtURiWQ/G6H76FR+DNWtVOb8yeQMRBYeJclrEFpqGGUS8b5nV0MQ81knBl8jngQJqU=
X-SG-ID: N2C25iY2uzGMFz6rgvQsb8raWjw0ZPf1VmjsCkspi/IARr5ApfQLGQYXi0KvHQ0z32Z/Xww8RCO+g+UQxQyQwD8nqfalxxxSXPrzzNr3pDyUfT2Mjz/Rg7yupzSi4u2IkbJGO7iOjw2ujQBua7la45RNbNYx+HESYUWPZfz9Jwtan4IT2ZWk0TFl6bxL6fyxhfcLb7GOGBYIl95ttL4aWg==
To: [my_name] <[my_mail]>
X-Entity-ID: nYXv3xAQEE15JmfKP56ELQ==
 
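An added example, not code from any poster in this thread: the headers above show SPF, DKIM and DMARC all passing because the message genuinely left Namecheap's third-party sending service, so authentication results alone cannot flag it. The script parses a constructed message modelled on those headers and raises the content signals that still give it away (Reply-To domain, link targets outside the sender's domain, an off-topic subject). The From local part, the Reply-To address and the link URLs are placeholders; links.namecheap.com and mysafebridge.info are the domains named in the thread.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the posted headers; From local part, Reply-To and links are placeholders.
SAMPLE = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@namecheap.com header.s=s1;
 spf=pass smtp.mailfrom="bounces+4793763-779e-me@mailserviceemailout1.namecheap.com";
 dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=namecheap.com
From: "contact ." <contact@namecheap.com>
Reply-To: helpdesk@reply-placeholder.invalid
Subject: MetaMask : Your wallet is about to be suspended
Content-Type: text/html

<a href="https://links.namecheap.com/click?x=1">Track and Pay</a>
<a href="https://mysafebridge.info/verify">Verify wallet</a>
"""

def domain_of(addr_or_url):
    """Lower-cased domain of an e-mail address or URL ('' if none)."""
    if "://" in addr_or_url:
        return (urlparse(addr_or_url).hostname or "").lower()
    return parseaddr(addr_or_url)[1].rsplit("@", 1)[-1].lower()

def parse_auth_results(value):
    """Map dkim/spf/dmarc to their result in an Authentication-Results header."""
    return dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", value))

def assess(raw):
    """Authentication status plus the content signals that still flag the mail."""
    msg = message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    from_dom = domain_of(str(msg.get("From", "")))
    reply_dom = domain_of(str(msg.get("Reply-To", ""))) or from_dom
    body = msg.get_content() if msg.get_content_type() == "text/html" else ""
    links = {domain_of(u) for u in re.findall(r'href="([^"]+)"', body)}
    # The sender's own domain (including the ESP click-tracker host) is expected; anything else is a hop out.
    foreign = sorted(d for d in links if d != from_dom and not d.endswith("." + from_dom))
    signals = []
    if reply_dom != from_dom:
        signals.append("Reply-To domain differs from From domain")
    if foreign:
        signals.append("links to foreign domains: " + ", ".join(foreign))
    if re.search(r"metamask|dhl|wallet", str(msg.get("Subject", "")), re.I):
        signals.append("subject is off-topic for a registrar")
    return {"authenticated": all(auth.get(m) == "pass" for m in ("dkim", "spf", "dmarc")),
            "from_domain": from_dom, "signals": signals,
            "verdict": "suspicious" if signals else "ok"}
```

Run `assess(SAMPLE)`: it reports the mail as fully authenticated and still suspicious, which is exactly the situation this thread describes.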
This is kind of a big deal.

Dear Customers,

We have evidence that the upstream system we use for sending emails is involved. We have stopped all the emails and contacted our upstream provider to resolve the issue.

As a result, some unauthorized emails might have been received by you.
Please ignore such emails and do not click on any links. We are currently investigating the situation.

Once we have any news from the responsible team, this post will be updated right away.

Please rest assured that your products and account details are not affected by this issue.

We apologize for any inconvenience during this issue and thank you in advance for your patience and understanding.

Yes, that part is important but at least we know that Namecheap itself hasn't been hacked.
 
That's a pretty damning headline -

NameCheap's email hacked to send Metamask, DHL phishing emails

This is not something that can just be dismissed as no big deal.

People can actually lose assets because of this.

Sure, you should not be clicking on random links in email for things like MetaMask, but at the same time when the emails are actually coming from NameCheap...that is a big deal.

Brad
 