On the evening of February 12, unknown attackers compromised the email system of the domain registrar Namecheap and used it to send phishing emails impersonating MetaMask and DHL in an attempt to steal personal information and cryptocurrency from Namecheap customers.
The phishing emails were sent through SendGrid (a Twilio subsidiary), the email platform Namecheap uses for account-renewal notifications and marketing mailings.
After numerous user complaints on Twitter*, Namecheap CEO Richard Kirkendall confirmed that the company's SendGrid account had been compromised and that email delivery through SendGrid had been switched off while the incident was investigated.
He also added that the breach may be related to the exposure of Mailgun, MailChimp and SendGrid API keys in mobile applications, which CloudSEK described in a report in December.
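The exposure Kirkendall refers to is API keys hard-coded into mobile app binaries, where anyone who unpacks the app can read them. The Python below is an added illustration, not code from the original article and not CloudSEK's tooling: it scans a string dump (a constructed sample, built inline) for the key shapes these three providers use. The regular expressions are an assumption based on the providers' publicly documented key formats, and every sample value is fabricated.

```python
import re

# Key shapes assumed here (publicly documented provider formats, as used by
# common secret scanners). They are an assumption of this example, not a fact
# stated in the article.
KEY_PATTERNS = {
    "SendGrid": re.compile(r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}"),
    "Mailgun": re.compile(r"\bkey-[0-9a-zA-Z]{32}\b"),
    "MailChimp": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
}


def find_email_api_keys(text):
    """Return (provider, key) pairs for every API-key-shaped token in text."""
    hits = []
    for provider, pattern in KEY_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((provider, match.group(0)))
    return hits


def redact(key):
    """Show just enough of a key to identify it in a report without leaking it."""
    return key[:6] + "..." + key[-4:]


# Constructed sample: strings as they might be dumped from an app's resources
# or a decompiled binary. All values are fabricated; only their shape matters.
SAMPLE_STRINGS = "\n".join([
    "base_url=https://api.example.invalid/v1",
    "sendgrid_key=SG." + "A" * 22 + "." + "B" * 43,
    "mg_api_key=key-0123456789abcdef0123456789abcdef",
    "mc_api_key=0123456789abcdef0123456789abcdef-us21",
    "not_a_key=SG.tooshort.value",
])

if __name__ == "__main__":
    for provider, key in find_email_api_keys(SAMPLE_STRINGS):
        print(f"{provider}: {redact(key)}")
```

Run against `strings` output of an unpacked APK or IPA, a hit means the key must be rotated, not just deleted from the next build: the old key stays valid in every copy of the app already installed.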
The phishing emails impersonate DHL and MetaMask. The DHL email contains a delivery invoice, and its embedded links lead to a phishing page designed to steal the target's information.
The MetaMask email, in turn, asks the recipient to complete a KYC (Know Your Customer) check in order to keep using the wallet.
Phishing email and fake MetaMask page
This email contains a Namecheap marketing link ( https://links.namecheap.com/ ) that redirects the user to a phishing page impersonating MetaMask. On that page the user is asked to enter a "secret recovery phrase" or "private key", as shown below.
Once the user submits the recovery phrase or private key, the attackers can use it to import the wallet on their own devices and steal all of its funds.
Namecheap, however, denied that it had been hacked and said the problem most likely lay in the upstream system the company uses for email. The registrar also assured customers that their accounts and personal data remained safe.
Following the incident, Namecheap halted all outgoing email, including two-factor authentication codes, trusted-device verification and password-reset emails, and began a joint investigation with SendGrid. All systems were restored later the same night.
SendGrid, for its part, said the Namecheap incident was not the result of a hack or compromise of SendGrid's systems, which added further confusion to the investigation. The number of victims and the amount of stolen cryptocurrency are not yet known.
SendGrid recommended that all end users and organisations take a layered approach to combating phishing, implementing measures such as two-factor authentication, IP access control and domain-based message authentication (i.e. DMARC, as the phrasing indicates).
*The social network is blocked in the Russian Federation.