This article is more than 1 year old

Namecheap admits 'unauthorized emails' pwning its customers

Blames 'third-party provider' as phishers drain Ethereum wallets

Domain registrar Namecheap blamed a "third-party provider" that sends its newsletters after customers complained of receiving phishing emails from Namecheap's system.

CEO Richard Kirkendall appears to have named the provider as SendGrid in a since-deleted tweet this morning.

More than one customer noted that the emails – which purported to be from DHL and crypto-asset wallet provider MetaMask – were digitally signed with DKIM and received at distinct emails they'd assigned solely for comms with Namecheap.

The DHL emails – reproduced by several users here, here and here – dangle the phisher's favorite lure: just pay this delivery fee and you'll get this sweet package.

The MetaMask phish, on the other hand, asked owners of its crypto wallets for "Know Your Customer" (KYC) information. MetaMask is a digital wallet that allows you to store and use Ethereum tokens and does not require KYC process as it is not subject to regulations meant for "financial services" providers like banks. If you've got any MetaMask pals whose wallets were drained, you can tell them this is because MetaMask doesn't provide any financial services. Too late, it seems, for a Twitter accountholder calling themselves redcheeks, who said they'd lost all their Ethereum.

We note that not all customers were impressed with Namecheap's finger pointing. One user complained: "You're missing the point entirely. The burden of responsibility doesn't go away if they share information to a 3rd party, no matter the reason."

Kirkendall's Twitter account responded to this early this morning, stating: "absolutely not but again it's common practice to use 3rd parties to send email, help desks, even an email system itself. We mostly build our own tools but that wasn't the case here unfortunately."

SendGrid, acquired by comms API merchant Twilio in 2019, claims on its website to process "over 100 billion emails" a month and to have been the platform used to send an email to "50 percent of the world's email addresses" between June 2016 and June 2017.

Twilio SendGrid told The Register it "invests heavily in technology and people focused on combating fraudulent and illegal communications", adding it was "aware of the situation regarding the use of our platform to launch phishing email and our fraud, compliance and cyber security teams are engaged in the matter."

It added: "This situation is not the result of a hack or compromise of Twilio's network. We encourage all end users and entities to take a multi-pronged approach to combat phishing attacks, deploying security precautions such as two factor authentication, IP access management, and using domain-based messaging."

In a status update at 1727 Eastern (2227 UTC) last night, which is still marked "in progress," Namecheap said:

We have evidence that the upstream system we use for sending emails (third-party) is involved in the mailing of unsolicited emails to our clients. As a result, some unauthorized emails might have been received by you.

We would like to assure you that Namecheap's own systems were not breached, and your products, accounts, and personal information remain secure.

Please ignore such emails and do not click on any links.

The domain registrar added that it had "stopped all the emails (that includes Auth codes delivery, Trusted Devices' verification, and Password Reset emails, etc.) and contacted our upstream provider to resolve the issue. At the same time, we are also investigating the issue from our side."

In a report [PDF] in December last year, CloudSEK's BeVigil said 50 percent of 600 mobile apps it analyzed were leaking hardcoded API keys of not only SendGrid, but also fellow popular transactional and marketing email service providers Mailgun and Mailchimp. The researchers identified "40 percent of valid [SendGrid] API keys" across the sample.

In an unrelated incident from 2018, SendGrid exposed its own customers' email addresses publicly via what it termed a "network misconfiguration," allowing search engines to crawl the data in a bit of an own goal. The company told The Reg at the time it had updated its "headers to prevent any future search engine crawling of the Unsubscribe Groups feature," without explaining why the page didn't require login credentials in the first place.

That year, Namecheap also admitted that a custom implementation of DNS for its shared hosting systems had created an "unexpected gap" in its security by allowing clients using its Shared Hosting product to add a subdomain of any domain that was pointed to Namecheap's DNS cluster to their cPanel and manage it from there. It released a fix in February 2018.

Three years prior, SendGrid admitted that a much wider set of information – usernames, email addresses, and (salted and hashed) passwords for SendGrid customer and employee accounts – had been exposed after attackers stole login details to a SendGrid worker's account.

We have asked both companies for comment. ®

More about


Send us news

Other stories you might like