To be clear, the issue was with a 3rd party provider that we use to send our newsletter. None of our own systems or customer accounts were breached. I sent a follow-up email to all users that were affected. The domains linked in the original phishing emails were also disabled. I apologize for this issue and to anyone it may have affected. We have also taken immediate steps to ensure it will not happen again.
So… What happened? Did you get your keys stolen out of a CI or something? It just seems suspicious that you’d be the only business affected by this 3rd party provider.
If I have a business and I use a company like SendGrid, I have credentials to use that service. If some employee has access to that account (such as to send newsletters), and that employee's credentials were lost or stolen, that doesn't seem suspicious at all.
I don’t have any inside info here, but it makes sense. And as a namecheap customer, I see no reason to panic at this time.
Employees should use 2FA for their accounts and SendGrid seems to offer this; for passwords stored in sending applications one can use a combination of password and IP ACLs, but I don't know if SendGrid allows setting IP ACLs for senders. While 2FA is not a panacea, it significantly reduces risk.
One can send newsletters using a subdomain like news.acmecorp.com and have SendGrid's IPs in the SPF record only for this subdomain and not for the main domain (though most recipients would not notice the change from, say, @acmecorp.com to @news.acmecorp.com).
I don't think this is unique to NameCheap, I've gotten both metamask and DHL emails from other lists I'm on, I assume from the same threat actor. I would assume that they're opportunistically using whatever mailing list they can gain access to.
They're actually pretty common, just like there are tons of metamask phishers on twitter. Those are just popular vectors because they're fairly broadly effective. Preventing spam and phishing like this is unfortunately a pretty big part of the job for anyone in the business of sending email. (source: engineering manager at a marketing platform)
This ridiculous registrar threatened to lock our domain and destroy our business within 24 hours for a defective DMCA notice that addressed one of our 40 million user profile subdomains. Our legal counsel advised to temporarily comply instead of arguing (although he did send them a nasty letter) and to move over to a normal registrar from this cheap one, that I got when I was bootstrapping with no money because it was several dollars cheaper. It's not the business of a domain registrar (unlike a web host) to enforce DMCA notices.
So you found out how DMCA works and how much it sucks the hard way, eh?
You’re right it shouldn’t be the business of a domain registrar. But every provider in the chain that the copyright holders can reach to will end up responsible. You, the registrar, web host, ISP, everything.
Send your complaints to the US government and the copyright lobby. It’s a bullshit law. Namecheap complies with it because if they don’t, THEY get cut off by their own providers, and so on up the chain until the fines roll in.
My experience with Namecheap is similarly very bad. They also sent me an email saying if you don't respond in a short time (24 hours) your domain will be revoked. Related experience: https://news.ycombinator.com/item?id=14139288 I moved my domains from Namecheap to gandi.net and so far no problems. I would avoid Namecheap like the plague for any large site. Of note, I had millions of unique visitors per month on that domain for a normal legal site.
ycombinator uses gandi.net too.
And even if they obey US and international laws, threatening to revoke a domain within 24 hours if no reply regarding an external complaint, with just an email warning, is ridiculous and not how other reputable domain registrars work.
Why should it matter how many visitors you have? People with 3 visitors pay the same and can be also badly affected if the domain is yanked at a wrong time. Especially nasty if you run email on the yanked domain.
I agree with that.
I was just emphasizing that the livelihood of multiple people and a whole business depended on answering an email from Namecheap within 24 hours due to a complaint they received.
Abusive DMCA takedowns are unfortunately extremely easy, very time consuming to report, and seemingly very rarely have any action taken against the person who falsely claimed. Not excusing Namecheap here, what they did was totally shit.
Heroku did the same thing to me for the same reason - completely shut down my entire account with several revenue-generating websites with zero notice.
We are contacting you from the Namecheap Legal and Abuse department regarding your “XXXXX” Namecheap account.
We are in receipt of a copyright infringement notice pursuant to 17 U.S.C. §512 of the Copyright Act, requesting that we disable allegedly infringing material that appears on a domain hosted in your account (“Domain”):
xLINKSx
As a hosting service provider, Namecheap complies with the Digital Millennium Copyright Act (“DMCA”). We would like to help you avoid any service interruption. Please review the DMCA notice that we have included in this communication.
If you do not have the authorization to host the alleged disputed content, and if you are not authorized to use the disputed content, you will need to remove the content within 72 hours, or we may be required to suspend your hosting account under DMCA guidelines.
In order for us to consider a case resolved, the reported link(s) is to show the '404 Not Found' error/suspended page or redirect to the main page of the website.
If you believe that the identification of this infringing content is in error, we suggest that you contact the reporting copyright owner to resolve the matter. If the reporting copyright owner agrees there is a mistake, ask them to email Namecheap at dmca@namecheap.com.
If you are not able to come to an agreement with the reporting copyright owner or if you disagree with the copyright claim, you may submit a DMCA Counter-Notice to Namecheap within ten (10) business days of the date of this email. The Counter-Notice must comply with the requirements of the DMCA and must contain the following points:
1. Your contact information, including name, address, and telephone number, as well as facsimile number and email, if available;
2. A statement that, under penalty of perjury, you have a good faith belief that the material was removed or disabled as a result of a mistake or misidentification of the material to be removed or disabled;
3. Identification of the material that has been removed or to which access has been disabled, and the location at which the material had appeared before it was removed or access was disabled;
4. A statement that you consent to the jurisdiction of the United States District Court in which the address you provide is located, or if your address is outside the United States, for the judicial district of California;
5. A statement that you will accept service of process from the person who provided the initial notice or an agent of that person;
6. A physical or electronic signature by you or your agent.
The DMCA Counter-Notice should be sent either via this ticket by replying to our notice or to Namecheap.com Attn: Legal Department, 4600 East Washington Street, Suite 305, Phoenix, AZ 85034, USA, Facsimile:
Once a valid DMCA Counter-Notice has been submitted, Namecheap would provide a copy of the Counter-Notice to the reporting copyright owner. In addition, the DMCA requires that you remove the disputed content for at least ten (10) and not more than fourteen (14) days from when the Counter-Notice was served. Thus, Namecheap will advise the complaining party that the listing will be reinstated within ten (10) days and will remain so unless we hear from the reporting copyright owner that he or she has filed an action against you under the DMCA in a court of competent jurisdiction for copyright infringement and is seeking a court order to restrain you from publishing the disputed content.
By submitting your Counter-Notice to Namecheap, you agree to waive, and hereby do waive any legal or equitable rights or remedies you have or may have against Namecheap with respect to any Counter-Notice you send, or claims regarding any aspect of the disputed content and its publication and/or Namecheap's action in implementing a takedown or re-establishing the content, and you agree to indemnify and hold Namecheap, and its owners/operators, affiliates and/or licensors, harmless to the fullest extent allowed by law regarding all matters relating to your sending of a Counter-Notice.
If you feel you received this notification in error, please contact us at with more information as to why. We do apologize for any inconvenience this may cause you.
This proliferates the same confusion that your company has. The note you quoted is about hosting accounts ("hosting service provider"). We did not host anything with you, we only registered a domain. This notice does not apply. When I get to my laptop I will dig out the original notice from you and the response from our counsel.
I had clicked on the DHL link. It took me to a site which looked like DHL, and in the next step, Chrome refused to load the website. Is there any impact on folks who clicked on the links? I never entered any info as such, so not sure, but looking for more information on whether I should be concerned.
I assume it was a phishing site where the threat came if you actually provided them with details
(I didn't receive the DHL one, but did test the Metamask link in a safe browser environment. It was just a phishing site to try to get people's crypto credentials)
I never received an email, but just today received spam on an email address only used with namecheap. You might want to check your logic for what was impacted.
why is a company like namecheap not servicing their own email servers? what a cop out.
I've also read about you not wanting to update 2FA systems... another cop out
I wonder how many people got caught and ruined by this scam, what if you are behind it?
you don't deserve to be in business.
Mindless comments like these are not useful to the discussion. You are speculating on something that didn't even happen, if indeed it's just a newsletter provider that got breached.
Namecheap is still responsible for the third parties they work with. But nobody “gave your password”.
Namecheap is still reasonably cost competitive. I use them for a few domains I own and haven’t had any major issues and found the price closer to other well known competitors.
I always compare prices at domcomp.com. Over time, most of my 15 domains (mixed TLDs, .com .net .us .xyz .in etc.) got moved over to Cloudflare & Dynadot, with them both having cheaper renewals.
Until you try to put a single NS record on your domain. Then you have to cough up the dough for a business plan. Utterly laughable and why I moved off Cloudflare for my domains. NS records are free on Namecheap and Porkbun.
Is it that difficult for you to comprehend brand names? It might have been accurate at some point, but times grow and brand names aren't meant to be taken literally.
Ser, your name is satoshiiii, so am I supposed to think you are the real Bitcoin creator? or are you straight up lying to other users?
Can you please clarify how exactly the decision making process occurred to give a 3rd party email provider a copy of your private DKIM signing key for the domain "namecheap.com" ?
The emails could not have gone out with a DKIM signature and been successfully validated by OpenDKIM at my receiving MX/SMTPD against the public half of the key in your DNS TXT record for your DKIM key, unless you had given them access to the private key.
Did the persons who are responsible for creating and maintaining your DKIM public/private key pair and its selectors directly give the key to some third party (sendgrid, mailchimp, whatever) type email newsletter services, or were they ordered to do so by somebody else in Namecheap management?
Or, did the persons responsible for your authoritative DNS zone for namecheap.com insert an additional DNS TXT record for the DKIM key used by a 3rd party service?
While I don't know the details of the third party at Namecheap, it's pretty common to have a bunch of third parties with their own DKIM keys and to just trust and include their public keys in your DNS zone. Nobody sends all their own mail; your service desk, support software, ticketing system, alerting system, collaboration provider all have DKIM keys and SPF records you're adding to your zone, and they just control the keys for their own input.
This means that if they get pwned, it's their ability to send mail on your behalf that gets abused, not some key stealing and DKIM impersonation (and why would they bother if a perfectly fine emailing system is already open and ready to spam the crap out of everyone).
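The delegation model described in the comments above (a third-party sender authorized by an SPF include on a dedicated subdomain, and a DKIM selector delegated by CNAME so the sender holds its own private key) can be checked mechanically against a zone. The following is an added example, not code from the thread or from any of the providers named in it; the zone contents, hostnames, IP ranges and the `bulksender.example` sender are all constructed. The SPF evaluator only models `ip4`, `ip6`, `include` and `all`, which is enough to show the blast radius of a compromised sender.

```python
import ipaddress

# Constructed zone (not real records). The newsletter subdomain authorizes a
# third-party sender via SPF include and delegates a DKIM selector by CNAME;
# the apex domain only authorizes its own mail servers and publishes its own key.
ZONE = {
    ("acmecorp.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    ("news.acmecorp.com", "TXT"): ["v=spf1 include:spf.bulksender.example -all"],
    ("spf.bulksender.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("mail._domainkey.acmecorp.com", "TXT"): ["v=DKIM1; k=rsa; p=MIIBIjANBg(constructed)"],
    ("bs1._domainkey.news.acmecorp.com", "CNAME"): ["bs1.domainkey.bulksender.example"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(zone, name, rtype):
    """Minimal stand-in for a DNS query against the constructed zone."""
    return zone.get((name, rtype), [])


def spf_record(zone, domain):
    for txt in lookup(zone, domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(zone, domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record for sender_ip.

    Returns pass/fail/softfail/neutral/none/permerror. Only ip4, ip6, include
    and all are modelled; a, mx, exists and macros are not.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = spf_record(zone, domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced domain's policy passes
            if check_spf(zone, arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"


def sender_scope(zone, domains, sender_ip):
    """Which of our domains an IP may send as: the blast radius of that sender."""
    return sorted(d for d in domains if check_spf(zone, d, sender_ip) == "pass")


def dkim_selector_owner(zone, selector, domain):
    """Report who holds the private key behind selector._domainkey.domain.

    A TXT record means we publish (and hold) the key ourselves; a CNAME into
    another zone means that zone's operator holds it and signs on our behalf,
    so no private key ever needs to be shared with them.
    """
    name = f"{selector}._domainkey.{domain}"
    targets = lookup(zone, name, "CNAME")
    if targets:
        return ("delegated", targets[0])
    for txt in lookup(zone, name, "TXT"):
        if "v=dkim1" in txt.lower():
            return ("self-hosted", name)
    return ("missing", name)


if __name__ == "__main__":
    ours = ["acmecorp.com", "news.acmecorp.com"]
    print("third-party IP may send as:", sender_scope(ZONE, ours, "198.51.100.7"))
    print("own server IP may send as:", sender_scope(ZONE, ours, "203.0.113.9"))
    print(dkim_selector_owner(ZONE, "bs1", "news.acmecorp.com"))
    print(dkim_selector_owner(ZONE, "mail", "acmecorp.com"))
```

Run against the constructed zone, the third-party range passes SPF only for `news.acmecorp.com`, so a compromise at the sender cannot produce mail that passes as the apex domain, and the delegated selector shows why a third party can produce valid DKIM signatures without anyone handing over the domain's own private key.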
I received one of the phishing messages as well as the follow up / apology. An interesting wrinkle is that both were handled by sendgrid and used the same dkim selector. I would guess that a set of sendgrid api credentials shared with some 3rd party service was compromised.
- One of our domains had a DKIM trust with Mailgun (3rd party)
- Mailgun was integrated with a planning service (4th party?)
- Planning service was integrated with a CRM (5th party?)
- CRM was integrated with a website (6th party?)
Website got pwned, spam ensues using the entire chain all the way back to our domain. This was a while ago but I think the website was pwned, leaked API credentials for the CRM, those were locked to only read the address book for sources (not even destinations! but '*' was allowed...) but because the software was crap the planning/calendaring service was registered as a 'source', which included API creds. The planning service itself was pretty good, no further grab-keys-via-API, but using what was already allowed you could send raw MIME messages and it would just use the Mailgun API it had access to.
Luckily for me, I was on a prometheus spree and had an exporter grab the Mailgun metrics every few minutes (Ironically to support the CRM team because they didn't have any good metrics of their own and did like to blame everyone else), so while it was configured to look for dips, it also triggered on spikes because those tend to end with dips too.
I think in the end nobody learned from it because every team/vendor covered their ass with "well we only run it in datacenters with firewalls so this is the cloud at fault" and I don't think anyone got flak for it (but some definitely deserved a fair bit).
NameCheap have been training their customers to be vulnerable to this for years. When your account gets suspended (in my case for using VPN to login) they send you an email telling you to go to a privately registered domain (not referenced on their site) and do a cam show with your credit card.. Support is so slow they have already shut down your account before you get a response. I lost a domain and only got a partial refund.. dreadful service, and expensive compared to alternatives.
I am fairly certain I have used a VPN to connect to namecheap.com and I have never had this issue. This sounds as if you got scammed by another actor or made this up.
validation.com was the site (still anonymously registered domain) they were sending me to, and they confirmed from a support ticket that the email request was sent by them, you can see on the site an example of the credit card cam show they require.
The support ticket took 5 days and they shut down my account later that day, actually while I was trying to get a buggy old webcam to work.
Checked my emails, didn't find anything, but looking through gmail spam box, I got a DHL one:
Subject: Your parcel was not able to be delivered
Sender: contact <hello@namecheap.com>
> Dear Client,
> We regret to inform you that your parcel was not able to be delivered on the specified date, xx/02/2023. The parcel is currently located in the DHL warehouse near your town.
> The reason for the delay was that the sender did not pay the necessary fees for the delivery. To avoid the parcel being returned, we ask that you pay the fee of 6.xx USD. You can track your parcel and pay the fee by clicking the tracking button.
> Track and Pay >>
> DETAILS
> Order number: xxxxxxxxxxxx
> Total: (x.xx USD)
> Delivery is planned between: xx.02.2023 - xx.02.2023
> Once the fee is paid, we will be able to deliver the parcel . We apologize for any inconvenience caused and thank you for your understanding. Sincerely,
Tried following the link in TOR and on a virtual machine, both get just a 2 word "Unauthorized Access", but it redirects to: hxxps://accomplish-delivery . mysafebridge . info/WorldwideDelivery0/auth/dhl/index.php?utm_source=Iterable_Marketing&utm_medium=email&utm_campaign=MKTG_CRM_Welcome_Hosting_D5_WF_20221118
I found the Metamask email in my spam, with the subject:
"MetaMask : Your wallet is about to be suspended", with the headline of the mail "Your wallet is about to be suspended
Apply for KYC Verification"
Hopefully no one falls for these; sneaky to hide the redirect behind the links.namecheap domain.
I think the redirect being behind links.namecheap was an artefact of the compromised mailing service rather than intended behaviour: the body text of the Metamask email displayed a fake metamask URL https://verification.metamask.io/KYC?[snipped ID] that the link.namecheap.com link was wrapped around
Did make it clear that something belonging to Namecheap had been compromised though...
Just received a bunch of cryptocurrency phishing spam from their domain. Definitely pretty interesting, and they were actually fairly well done with proper link text, but an incorrect link.
The Metamask spamming campaign primarily uses their own list -- compromised credentials are mainly used to get SMTP access and then spam away until they get caught.
Fuck NameCheap. I have no sympathy towards them after they decided to kill the service for my account, just because I happened to be born in Russia, without even refunding.
Ironically, after all that high morals grandstanding, they are still sending me notification emails "reminding to prolong a yearly subscription". Like, WTF.
That is a very wishful assessment of my identity, ironically given that I've never ever even discussed quantum mechanics on HN.
But yeah, I do act bashing when discussing politics. Do you feel this is somehow undeserved? I don't really see anyone else acting friendly - it's all just one ignorant two minutes hate after another.
Besides, English is obviously not my native language.
English is not a first language for many people on this site. The tone of conversation is what's important.
> I don't really see anyone else acting friendly - it's all just one ignorant two minutes hate after another
I just dont understand why you frequent a site that constantly raises your blood pressure so easily and considers the entire userbase as ignorant, unless you want to push a narrative. You can engage in a debate without name calling and being constructive. Your comment history is just bashing all the way. There is a difference between a debate and a fight.
Not everything is a narrative and not every omitted fact or forgotten nuance visible from a perspective of a local is "apologism". Back again, kinda hard to act friendly when people are so systemically discriminating against anything that doesn't correlate with their impressions.
What is so wrong with my comment history that you are now accusing me of a thoughtcrime?
It's just that your comment history is also full of, let us call it "opinionated", arguments, but I'm not acting like you are a worse person than me. Why are you acting like you are a better person than me, I wonder?
I am saying that being mad or surprised over a company with significant employee base in Kharkiv not wishing to conduct any business with Russian (Located in Russia, not tested by DNA, mind you) customers whilst their city was literally being bombed by Russia is very tone deaf.
And /on top of that/, the fact that almost a whole year of war later you spread Russian propaganda about "we don't know the whole truth, think about what US did in 'nam!", is just cherry on the cake.
Oh, "tone deaf", nice. Everything is a "tone", a "narrative", a "propaganda" these days, ugh. Well sorry for being an individual and not singing in unison.
> And /on top of that/, the fact that almost a whole year of war later you spread Russian propaganda about "we don't know the whole truth, think about what US did in 'nam!", is just cherry on the cake.
You've just assigned me an image of your ideological enemies and projected the rest from there. Your impression is your problem, not mine - this is clearly not about my comments or their specific contents (because their substance has nothing in common with your assessment), this is you grinding your teeth over the fact that some people may discuss points you don't like.
> This is me stating directly that you are a bad person
Okay. I don't take people who label every other random sampled inconvenient piece of information or opinion as "consistent spreading of propaganda" seriously anyway. Don't suppose anyone actually does, this isn't really a healthy thing, seems kinda Orwellian.
You’re a troll, one hundred percent and you are now arguing in bad faith. Calling out propaganda for what it is isn’t a bad thing and I'm happy most people here are seeing through your lies. Maybe stop watching RT news so much.
Jup, got one as well. That the fee was in USD immediately triggered my mental spam alert (living in Europe). But when checking the headers I could not find any indication this was a spoofed message. That the link was also first a valid link to namecheap also made it harder.
I was still very paranoid so I opened it in a non-Javascript, private browser but it seems that my DNS with anti-spam filters already picked it up as the destination was not being resolved.
Seems like the hackers also had access to at least some customer data. Several people I know who were also Namecheap clients, including me, received those emails. Whether that data was also stored with the upstream provider remains to be seen. Might be an even bigger deal.
What customer information did you store with that provider? Just names and emails, or was there anything else that attackers may have been able to access?
Mine was addressed with my full name in the "To:" field, so they do have our full names (but just didn't mail-merge those into the body of the message).
You and who else? If it's one of your employees' credentials getting compromised, this excuse isn't going to age well and will do more harm than good. I assume you're using a big provider and there would be news of others being affected.
Got one today. Funny, I was actually expecting a package. Of course the email is for suckers as it has more than enough clues about being a scam, but I guess some poor souls might actually fall for it.
>Of course the email is for suckers as it has more than enough clues about being a scam, but I guess some poor souls might actually fall for it.
I wonder whether that type of comment is in line with Hacker News Guidelines.
In any case, blaming or demeaning scam victims (what you call "suckers" and "poor souls") only adds to the psychological damage that those people experience. There are plenty of studies, recommendations and campaigns on this issue. For example, the UK's Financial Conduct Authority has a whole section in their website https://www.fca.org.uk/scamsmart and have been running TV ads to help protect pensioners.
The clues in the Metamask and DHL phishing emails may have been obvious to you and many other Hacker News readers. I received them and quickly noticed they were phishing messages. However, having the skills to spot (and stop) this type of message doesn't mean we are always able to do it. A recent blog post by Kev Quirk, an infosec expert, is a case in point https://kevquirk.com/i-was-nearly-phished/
>"In any case, blaming or demeaning scam victims..."
The demeaning in this particular case goes for the authors of the scam. The clues are in plain sight. They did not bother to hide it at all. I am not blaming victims.
A lot of smaller charities' donation pages are readily abusable to "validate" card numbers, brute-force CVV numbers, expiry, etc.
A few local charities that all had their sites running the same shit ended up getting absolutely hammered with charge back fees a while back, someone had been abusing their pages to check and crack card numbers to use.
Donation pages seem to be the easiest to abuse based on the data I've seen.
God damn it, my main business email account is namecheap. I am so sick of them, they let so much spam in to my inboxes as well.
If I have a domain from namecheap, and an email address with that domain, can I transfer it to something solid like outlook or gmail? My idea of how email works is really fuzzy.
> If I have a domain from namecheap, and an email address with that domain, can I transfer it to something solid like outlook or gmail? My idea of how email works is really fuzzy.
Yes you can. You'll need to:
- Set up the account with the new provider (note: most providers, including I believe Outlook and Gmail, will charge a monthly fee for using a custom domain). I recommend Fastmail.
- "Add the domain" with the provider (which will mean they're expecting mail from it on their end).
- Update a bunch of DNS records to point to your new provider. This will include MX records as well as things like DKIM and SPF. The provider will likely tell you what you need to set in as part of the previous step.
Ultimately a DNS record tells other email servers how to send email to your domain. So you just need to get an email service at another provider, and update your DNS records. Most providers have instructions on how to do this.
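The record changes listed in the answer above (MX, SPF, DKIM) are easy to get half-done, and the half that is usually forgotten is the security-relevant one: the old provider's SPF include and DKIM selector keep letting it send as your domain long after the mailboxes have moved. The following is an added example, not from the thread or from any provider's documentation; the zone, the `oldhost.example` and `newmail.example` hostnames and the selector names are all constructed. It audits a zone against what a new provider would ask you to publish and then applies the change, so the same check can be run before and after the cutover.

```python
# Constructed "before" zone (not real records): mail still lives at the old host.
ZONE_BEFORE = {
    ("example.org", "A"): ["192.0.2.10"],
    ("example.org", "MX"): [(10, "mx1.oldhost.example"), (20, "mx2.oldhost.example")],
    ("example.org", "TXT"): ["v=spf1 include:spf.oldhost.example -all",
                             "site-verification=abc123(constructed)"],
    ("default._domainkey.example.org", "TXT"): ["v=DKIM1; k=rsa; p=OLDKEY(constructed)"],
}

# What the new provider's setup page says to publish (constructed values).
NEW_PROVIDER = {
    "mx": ["in1.newmail.example", "in2.newmail.example"],
    "spf_include": "spf.newmail.example",
    "dkim": {"nm1": "nm1.dkim.newmail.example"},   # selector -> CNAME target
}
OLD_SUFFIX = "oldhost.example"


def spf_includes(zone, domain):
    """Return the include: targets of the domain's SPF record (empty if none)."""
    for txt in zone.get((domain, "TXT"), []):
        if txt.lower().startswith("v=spf1"):
            return [t.split(":", 1)[1] for t in txt.split()[1:]
                    if t.lstrip("+-~?").lower().startswith("include:")]
    return []


def dkim_selectors(zone, domain):
    """Map selector name -> (record type, first value) for <sel>._domainkey.<domain>."""
    suffix = f"._domainkey.{domain}"
    return {name[: -len(suffix)]: (rtype, values[0])
            for (name, rtype), values in zone.items() if name.endswith(suffix)}


def migration_findings(zone, domain, new, old_suffix):
    """List what still needs changing for mail to be fully moved to `new`."""
    findings = []
    mx_hosts = {host for _, host in zone.get((domain, "MX"), [])}
    for host in new["mx"]:
        if host not in mx_hosts:
            findings.append(f"MX: missing {host}")
    for host in sorted(mx_hosts):
        if host.endswith(old_suffix):
            findings.append(f"MX: still delivers to {host}")
    includes = spf_includes(zone, domain)
    if new["spf_include"] not in includes:
        findings.append(f"SPF: missing include:{new['spf_include']}")
    for inc in includes:
        if inc.endswith(old_suffix):
            # the stale include is the part that matters for spoofing risk
            findings.append(f"SPF: still authorizes {inc} to send as {domain}")
    selectors = dkim_selectors(zone, domain)
    for sel, target in new["dkim"].items():
        if selectors.get(sel) != ("CNAME", target):
            findings.append(f"DKIM: selector {sel} should be a CNAME to {target}")
    for sel in selectors:
        if sel not in new["dkim"]:
            findings.append(f"DKIM: selector {sel} is not part of the new setup; "
                            "retire it once the old provider no longer signs for you")
    return findings


def apply_migration(zone, domain, new):
    """Return a copy of the zone with MX, SPF and DKIM replaced for the new provider.

    Non-mail records (A, verification TXT tokens) are kept as they were.
    """
    suffix = f"._domainkey.{domain}"
    updated = {k: list(v) for k, v in zone.items()
               if k != (domain, "MX") and not k[0].endswith(suffix)}
    other_txt = [t for t in zone.get((domain, "TXT"), [])
                 if not t.lower().startswith("v=spf1")]
    updated[(domain, "MX")] = [(10 * (i + 1), h) for i, h in enumerate(new["mx"])]
    updated[(domain, "TXT")] = other_txt + [f"v=spf1 include:{new['spf_include']} -all"]
    for sel, target in new["dkim"].items():
        updated[(f"{sel}{suffix}", "CNAME")] = [target]
    return updated


if __name__ == "__main__":
    for line in migration_findings(ZONE_BEFORE, "example.org", NEW_PROVIDER, OLD_SUFFIX):
        print("before:", line)
    after = apply_migration(ZONE_BEFORE, "example.org", NEW_PROVIDER)
    print("after:", migration_findings(after, "example.org", NEW_PROVIDER, OLD_SUFFIX))
```

The findings list doubles as the cutover checklist; once it comes back empty, only the new provider is authorized to receive for, send as, and sign for the domain.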
I just wanted to add another note in favor of Fastmail. I switched from Gmail this year as part of an early new year's resolution and have been far happier with their service thus far. Especially with how aliases are handled.
I use and like Fastmail but yes their spam filter both catches legit e-mail and lets some spam through. I’d say overall it’s a bit more of the former than the latter.
1) you will need to point the DNS MX records to office365 or gsuite or fastmail or any other service
2) sign up with that service and input the domain name, do the rest of the configuration.
There is a huge blurry overlap between domain registrar and hosting services these days. It sounds like you are using Namecheap for both. I would highly recommend using domain registrars as ONLY domain registrars and having other things hosted elsewhere.
Sendgrid says they weren't hacked. It sounds like there was some sort of intermediary party sitting between NameCheap and Sendgrid that got hacked. Maybe.
Out of curiosity, what are these better alternatives?
I think many viewed NameCheap as the better alternative to GoDaddy in the first place.
Apparently some were successful with Porkbun for their domains, but I don't think they offer e-mail, hosting as well as a bunch of other stuff NameCheap has.
There's also Google Domains I guess, but some are cautious about using too many of Google's services, given automated bans.
I'm sure that good alternatives exist out there, but that might mean using a bunch of separate services instead of one (which can be okay), for example: Porkbun for domains, Fastmail for e-mails, Hetzner for servers and so on...
Edit: I was wrong about Porkbun, apparently they also provide e-mail and hosting now. Though their front page also has a warning about phishing e-mails.
I saw a lot of people recommending Gandi.net as a Namecheap alternative the last time there was a controversy, and I've recently switched my domains over to them myself. Gandi seems to be a solid provider that's maintained its good reputation for a long while.