Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
February 13, 2023

DHL, MetaMask phishing emails target Namecheap customers

A surge of phishing emails impersonating DHL and MetaMask started hitting the inboxes of Namecheap customers last week, attempting to trick recipients into sharing personal information or their crypto wallet’s secret recovery phrase.

Attention @Namecheap users: be wary of suspicious emails claiming to be from DHL. #phishing scams are rampant and it's crucial to keep your personal information safe. Time for #Namecheap to enhance their security measures. #cybersecurity #emailscams pic.twitter.com/kTPvY90b7d

— Gbenga (@lemogbenga) February 12, 2023

Beware of phishing emails coming out of @Namecheap’s @SendGrid account. DHL, MetaMask, digitally signed with DKIM. Looks like low level hackers were able to get into their systems. PII looks to be exposed. pic.twitter.com/IuLE8mo2w6

— Kathy Zant (@kathyzant) February 12, 2023

How did it happen?

According to one source, the phishing campaign seems to have started last Thursday (and possibly even earlier), and then gathered steam by the end of the week.

The emails look like they were sent by Namecheap, prompting recipients to complain to the company, which then started an investigation and soon after reacted by stopping all the emails (Auth codes delivery, Trusted Devices’ verification, Password Reset emails, etc.).

Namecheap said that their own systems were not breached, and blamed the spam campaign on the upstream third-party system they use for sending emails.

Namecheap uses the cloud-based platform SendGrid (owned by Twilio) to deliver its emails. Twilio is also investigating the matter, but claims that its network hasn’t been hacked, so for now everything points to Namecheap’s SendGrid account having been compromised.

Namecheap has yet to comment on what type of information was accessible to the attackers via that account, but it’s obvious that customer email addresses were (mis)used.

What now?

MetaMask has issued an alert today about the phishing emails, and DHL generally warns users that:

  • Official DHL communication is always sent from @dhl.com, @dpdhl.com, @dhl.de, @dhl.fr or another country domain after @dhl
  • The company never uses @gmail, @yahoo or other free email services to send emails
  • They never link to a website other than their own (starting with, for example, https://dhl.com/, https://dpdhl.com/, or a country/campaign website)

It’s impossible to gauge how many users fell for the scam.

UPDATE (February 13, 2023, 09:00 a.m. ET):

Namecheap CEO Richard Kirkendall says that they are investigating whether the compromise of the account might have been the result of mobile apps leaking SendGrid API keys.
