The email account of the registrar Namecheap was taken over by criminals this weekend. They are misusing the account to send phishing emails on behalf of DHL and cryptocurrency companies. This may have happened via a third-party email marketing platform.
Emails from Namecheap’s primary mail account have been going out since Sunday, writes BleepingComputer, which has seen several of those messages. Users say on Twitter that they are receiving phishing messages from a Namecheap email address. That address appears to be legitimate, not spoofed or otherwise circumvented; for example, the messages pass DKIM validation. Namecheap confirms that it is also seeing such reports from customers. The company refers to a support page for more information.
Users say the phishing emails are coming in on behalf of DHL and the cryptocurrency platform MetaMask. They contain a link that resembles one from Namecheap, but which leads to a page where users are asked to enter their cryptocurrency wallet information or other personal data.
Namecheap says its own systems were not hacked, but that the emails were sent from a third party. That would be SendGrid, an email marketing platform that was hacked at the end of last year. At SendGrid, but also at the alternatives Mailchimp and Mailgun, API keys were leaked, making it possible to take over accounts.
According to Namecheap, that is probably the background to the phishing emails, but the company says it is investigating further and is in contact with SendGrid to verify whether that is correct. SendGrid’s parent company Twilio tells BleepingComputer that no hack has taken place on its systems, but does not say what did happen or whether leaked API keys can be classified as a hack.