warning Concerning e-mail from NameCheap

[pb]

I've just received a weird e-mail from NameCheap (attached below). It was sent from [email protected] (IP 149.72.141.59 - passed SPF, DKIM, DMARC) to the mail address I'm using with NameCheap, using my name&surname, and the links in the mail are under links.namecheap.com. If it's not a breach I don't know what it is...

 

[pb]

Can you compare this with other emails from nc:

Message-ID: <[email protected]geopod-ismtpd-5-1>

Previous (legitimate) mail from [email protected] has Message-ID [email protected]

 

[Future Sensors]

https://www.mail-archive.com/[email protected]/msg10381.html

^ This is a relevant thread for NC support.

 

[Rhinnnn]

Apparently, someone already lost money on this:

https://twitter.com/i/web/status/1624884429029007362

Not sure why people just click links... An email from Namecheap regarding your MetaMask wallet (two unrelated things) should instantly raise suspicions.

 

[Rhinnnn]

Statement from Namecheap:

https://www.namecheap.com/status-updates/archives/74848

The most important part:

"your products and account details are not affected by this issue."

 

[Future Sensors]

Statement from Namecheap:

https://www.namecheap.com/status-updates/archives/74848

The most important part:

"your products and account details are not affected by this issue."

As something similar has happened in 2021, NC has to check thoroughly whether the issue gets really resolved. On their end and with their partners.

 

[lovely4ever]

I received the same from two suspicious emails @namecheap !!

.

 

[bmugford]

Statement from Namecheap:

https://www.namecheap.com/status-updates/archives/74848

The most important part:

"your products and account details are not affected by this issue."

This is kind of a big deal.

Dear Customers,

We have evidence that the upstream system we use for sending emails is involved. We have stopped all the emails and contacted our upstream provider to resolve the issue.

As a result, some unauthorized emails might have been received by you.

Please ignore such emails and do not click on any links. We are currently investigating the situation.

Once we have any news from the responsible team, this post will be updated right away.

Please rest assured that your products and account details are not affected by this issue.

We apologize for any inconvenience during this issue and thank you in advance for your patience and understanding.

 

[Rhinnnn]

This is kind of a big deal.

Dear Customers,

We have evidence that the upstream system we use for sending emails is involved. We have stopped all the emails and contacted our upstream provider to resolve the issue.

As a result, some unauthorized emails might have been received by you.

Please ignore such emails and do not click on any links. We are currently investigating the situation.

Once we have any news from the responsible team, this post will be updated right away.

Please rest assured that your products and account details are not affected by this issue.

We apologize for any inconvenience during this issue and thank you in advance for your patience and understanding.

Yes, that part is important but at least we know that Namecheap itself hasn't been hacked.

 

[Future Sensors]

NameCheap's own credentials at Sendgrid (if that's the partner) could have been compromised.

Example scenario:

https://www.bleepingcomputer.com/ne...used-in-phishing-attacks-to-steal-logins/amp/

Anyone in contact w/ their support should mention this. I have no account at NC.

 

[Jeffrey]

I received those same emails too. But didn't click. So, I headed to Namepros right away to check any updates about this.

So the email service was only that got hacked.

Regardless, I'm still moving my domains out of Namecheap.

 

[LoveCatchyDomains]

This is kind of a big deal.

Yes, if they have been hacked, and now emails are being sent, that is a big deal.

So Namecheap is indicating that it is an upstream provider security issue?

Perhaps they should also check for potential hacking involving their recurrent Fast Transfer authorizations showing up unexpectedly. This has been a recurrent problem recently for me, including at present. Since it involves domains also showing up unexpectedly at GoDaddy auctions and Afternic, there is certainly a security concern here.

Not a good day for Namecheap. Hopefully they are able to quickly rectify both situations.

 

[Future Sensors]

From 2020:

https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/

 

[Surya Giri Kurniawan]

I hope no one became the victim of this phising email. I am almost click it, but I realized my Metamask is using my other email. I had a valuable NFT given by my boss there, it is bought by a sum of money, so it makes me panicked. And after check it the email is from namecheap 😃..

 

[Future Sensors]

And after check it the email is from namecheap

Well, pretends to be NameCheap.

 

[Surya Giri Kurniawan]

Others got email from [email protected] and I got from [email protected]. Namecheap should investigate their new employee, just make sure no one from internal doing something bad. It seems sent by 2 different emails from Namecheap

 

[Future Sensors]

https://www.bleepingcomputer.com/ne...-hacked-to-send-metamask-dhl-phishing-emails/

 

[bmugford]

https://www.bleepingcomputer.com/ne...-hacked-to-send-metamask-dhl-phishing-emails/

That's a pretty damning headline -

NameCheap's email hacked to send Metamask, DHL phishing emails​

This is not something that can just be dismissed as no big deal.

People can actually lose assets because of this.

Sure, you should not be clicking on random links in email for things like MetaMask, but at the same time when the emails are actually coming from NameCheap...that is a big deal.

Brad

 

[bmugford]

https://twitter.com/i/web/status/1624926194532581377

 

[Future Sensors]

That's a pretty damning headline -

NameCheap's email hacked to send Metamask, DHL phishing emails​

It is. NameCheap CEO thinks it may be related to this API (key) leak at Sendgrid, https://cybernews.com/security/mailchimp-mailgun-and-sendgrid-api-leak/

Not sure yet if the title is correct @ bleeping computer. Could be a larger security issue at Sendgrid, too. Let's keep monitoring the outcome of the investigations, both at NC and SG.

 

[Future Sensors]

Thanks to @pb for starting this thread on NamePros.

 

[asxforum]

Got them here in PH . They did look suspicious from the start . They just got deleted .

 

[Bob Hawkes]

Yes, thanks for the alert by starting this thread, @pb I did not personally get either email, so they must not have gone to all NC customers.

Namecheap now have an update that service has been restored (they had stopped any emails including auth codes).

I hope we will learn more from Namecheap after investigation is complete.

-Bob

 

[Future Sensors]

These third parties can be a nasty attack vector with major consequences for domain owners. For example, last year I explicitly requested a registrar to a) no longer include all individual authorization codes for all domains when requesting the domain portfolio (this could not be turned off, the auth codes were always included), b) arrange downloading of the portfolio through the trusted, TLS secured website of the registrar instead of emailing unsecured CSVs with all auth codes through the external third party mail service, and c) more often use direct URL links to the registrar's website in email communications, for example when it comes to opt-ins for Afternic .

 

[Surya Giri Kurniawan]

Quote from Twilio comments : This situation is not the result of a hack or compromise of Twilio’s network.

Source : https://www.bleepingcomputer.com/ne...-hacked-to-send-metamask-dhl-phishing-emails/

 

[Future Sensors]

Twilio Corp. chooses their wording here extremely carefully. It may not be a "hack" or "network compromise", but the following has definitely happened:

https://www.infosecurity-magazine.com/news/api-keys-email-marketing-services/

---