Hackers hijack Namecheap's email platform to phish its customer base


Domain hosting company Namecheap has had its email service breached and used to send phishing emails disguised as cryptocurrency and delivery notices.

Threat actors compromised Sendgrid, a third-party communications platform that Namecheap uses to send emails to its customers, and began sending out phishing emails on Sunday.

The clients of Namecheap, which manages more than 16 million domains, have reported receiving scam emails made to look like notifications from delivery firm DHL, requesting victims pay a delivery fee at a link provided.

Others posed as verification requests from cryptocurrency wallet MetaMask, with a link that led users to a malicious website made to look like the MetaMask site.

Dozens of customers reported having received the phishing emails on the firm's dedicated Reddit community.

The emails urged victims to provide their ‘Secret Recovery Phrase’, which, if provided, would give the threat actors behind the campaign access to their cryptocurrency wallet.

The company has denied any breach of its internal environment, and said that customer information is unaffected.

“We have evidence that the upstream system we use for sending emails (third party) is involved in the mailing of unsolicited emails to our clients,” said Namecheap in a blog post.

“As a result, some unauthorised emails might have been received by you. We would like to assure you that Namecheap’s own systems were not breached, and your products, accounts, and personal information remain secure.”

Namecheap launched an investigation into the breach, and at the time of writing has halted its email system to prevent further phishing emails being sent.

It stated that authentication codes and password reset emails will not be sent while the system is down.

“To be clear, the issue was with a third-party provider that we use to send our newsletter,” tweeted Richard Kirkendall, CEO at Namecheap.

“None of our own systems or customer accounts were breached. I sent a follow-up email to all users that were affected. The domains linked in the original phishing emails were also disabled.”

Kirkendall also suggested that the incident could be linked to a recent leak of Sendgrid API keys through the Google Play store.

CloudSEK released a report [PDF] on the leak, in which 600 apps were found to be leaking API keys to Sendgrid, Mailchimp, and Mailgun.

This left the popular platforms open to attack, with researchers warning at the time the report was published that those using the third-party services could see their emails hijacked for phishing or other malicious activity.

MetaMask has urged customers to refrain from interacting with emails pertaining to user wallets.




“MetaMask does not collect KYC info and will never email you about your account,” tweeted the web3 firm.

“Do not enter your Secret Recovery Phrase on a website ever. If you got an email today from MetaMask or Namecheap or anyone else like this, ignore it and do not click its links.”

Mailchimp also suffered a data breach in January, after a social engineering attack was carried out on a Mailchimp employee.

Customers of the platform were warned that they could be targeted with phishing emails in the aftermath of the breach, which saw threat actors steal customer names and email addresses.

Delivery scams became the most common form of smishing in the wake of the pandemic, and in June 2022 Kaspersky found ‘missed delivery’ phishing emails to be the most effective at luring in corporate victims in simulated tests.

IT Pro has approached Namecheap for more information.

Rory Bathgate
Features and Multimedia Editor
