Namecheap denies system breach after email service used to spread phishing scams

Domain name registrar and web hosting company Namecheap denied that its systems were breached after some customers received scam emails from the platform on Sunday evening. 

In notices published on Twitter and on its website, the company explained that SendGrid – the system they use to send marketing emails and account information to customers – was abused to send fake package alerts from DHL and scam emails related to crypto platform MetaMask.

Multiple customers took to Twitter on Sunday afternoon to share screenshots of the strange emails, with many noting that the messages included links that took users to separate pages that attempted to steal credentials. 

But in a statement on Sunday evening, Namecheap said their systems were not breached and that customer products, accounts and personal information “remain secure.”

“Please ignore such emails and do not click on any links. We have stopped all the emails (that includes Auth codes delivery, Trusted Devices’ verification, and Password Reset emails, etc.) and contacted our upstream provider to resolve the issue,” the company’s support team said.  

“At the same time, we are also investigating the issue from our side. We apologize for any inconvenience during this issue and thank you in advance for your patience and understanding.”

In a later statement on Sunday night, the company said the mail delivery service “has been restored” and that customers “should receive emails from Namecheap as usual from now on.”

“We continue to investigate the issue with the mailing of unsolicited emails. We will keep you updated on the matter,” the company said.

The company did not respond to requests for further explanation about what happened. Twilio, the company that owns SendGrid, also did not respond to requests for comment. 

Several experts said these kinds of attacks are concerning mainly because access to a legitimate email account that can send out phishing emails is a goldmine for criminals.

KnowBe4’s Javvad Malik explained that in the past, there have been situations where other mass email platforms like Mailchimp have been breached and used to send out phishing emails. 

“The particular danger these kinds of attacks pose is that these emails are usually whitelisted, thus bypassing gateway filters and having a high likelihood of successfully landing in people's inboxes,” he said. 

Phishing emails like the ones seen in Namecheap’s case are used for a variety of purposes by cybercriminals, but most likely for Business Email Compromise attacks, which the FBI said have caused more than $43 billion in losses since 2016.

Dror Liwer, co-founder of cybersecurity company Coro, noted that the situation was more complicated in Namecheap’s case because the account was on a third-party platform sending mass emails on behalf of Namecheap.

“Account takeover controls must be placed on all platforms used by the organization as attackers will happily exploit any weakness they can find,” Liwer added. 


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.