Phishing attack underway using namecheap.com infrastructure
We are looking into this now, it is most likely related to this https://cybernews.com/security/mailchimp-mailgun-and-sendgri... as we use sendgrid. We are shutting everything down asap.
Most likely related to API keys in plaintext on apps? Are you fucking kidding me?
> CloudSEK's BeVigil research team uncovered that about 50% of apps on Google Playstore from 600 examined are leaking API keys of three email service providers – MailChimp, Mailgun, and Sendgrid.
This is beyond embarrassing. First because you try to put the blame on a third-party, even naming them before having the full picture. Second, because you don't even understand how clickbaity that article is when it mentions:
> According to the report, the mentioned platforms are used by such companies as Spotify, Uber, Airbnb, RazorPay, Slack, Reedit, and Stripe. The API key leak could potentially lead to the exploitation of users' data.
They have nothing to do with amateur apps storing sensitive keys in the app as opposed to on their own servers. What are you guys even doing over there what the actual fuck?
I received one of these phishing emails, today, and also Namecheap's follow-up/apology. The phony email purported to be from DHL, which really stood out.
Both emails were handled by Sendgrid, passing SPF, DKIM, and DMARC. They appear to use the same DKIM selector, though I suppose that isn't so important, just that the headers were convincing enough.
I just received two emails from renewals@namecheap.com claiming to be from MetaMask, asking me to complete KYC verification.
My first thought was “I guess MetaMask are trying to monetise”. Took me a minute to realise it wasn’t legit.
E-mails are sent from namecheap.com and are using their e-mail template and their link redirecting system. Some of their infrastructure might be compromised.
Also received it.
The target domain is https://links.namecheap.com which goes to https://iterable.com/
DKIM-signed
Seems to be either DHL or MetaMask.
What concerns me a lot being a customer is that they have been compromised for a couple of days already without taking proper actions: https://twitter.com/polmesegue/status/1623628920636559361
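The commenters above note that the phishing mail passed SPF, DKIM and DMARC because it genuinely left namecheap.com, impersonated DHL or MetaMask, and routed clicks through links.namecheap.com. As an added example (not code from the thread or from Namecheap), this triage script shows how a recipient-side filter can still flag such a message: the sample email, the brand list and the redirector host are constructed assumptions modelled on what the thread describes.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Constructed sample in the shape described in the thread: sent from the
# registrar's own domain, DKIM-signed and passing SPF/DMARC, yet impersonating
# a brand and linking through the registrar's click-tracking redirector.
SAMPLE_EMAIL = """\
From: Namecheap <renewals@namecheap.com>
To: victim@example.org
Subject: MetaMask: complete your KYC verification
DKIM-Signature: v=1; a=rsa-sha256; d=namecheap.com; s=s1; h=from:subject;
 bh=constructed; b=constructed
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=namecheap.com;
 dkim=pass header.d=namecheap.com header.s=s1; dmarc=pass header.from=namecheap.com
Content-Type: text/html

<html><body>Verify your MetaMask wallet:
<a href="https://links.namecheap.com/ls/click?upn=constructed">Verify now</a></body></html>
"""

# Assumed for the example: brands this sender never legitimately mails about
# (the two named in the thread) and the redirector host named in the thread.
IMPERSONATED_BRANDS = ("metamask", "dhl")
REDIRECTOR_HOSTS = ("links.namecheap.com",)


def analyze(raw):
    msg = message_from_string(raw, policy=default)
    auth = msg.get("Authentication-Results", "")
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    # d= is the signing domain, s= the selector used to look up the DKIM key.
    dkim = dict(re.findall(r"\b([ds])=([^;\s]+)", msg.get("DKIM-Signature", "")))
    from_domain = (re.search(r"@([\w.-]+)", msg.get("From", "")) or [None, ""])[1]
    text = (msg["Subject"] + " " + msg.get_payload()).lower()
    brands = [b for b in IMPERSONATED_BRANDS if b in text]
    links = re.findall(r'href="([^"]+)"', msg.get_payload())
    redirected = [u for u in links if urlsplit(u).hostname in REDIRECTOR_HOSTS]
    return {
        "auth_pass": auth_pass,
        "dkim_domain": dkim.get("d"),
        "dkim_selector": dkim.get("s"),
        "from_domain": from_domain,
        "brands": brands,
        "redirected_links": redirected,
        # Passing SPF/DKIM/DMARC only proves which domain sent the mail; a brand
        # that domain has no business mailing about is the phishing signal.
        "suspicious": bool(brands) and not any(b in from_domain for b in brands),
    }
```

The authentication checks here are deliberately string matches on the receiving MTA's Authentication-Results header, so the script assumes that header was added by a trusted hop.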