Namecheap's outbound email flow compromised: valid rdns, spf, dkim and dmarc on phishes
Michael Thomas
mike at mtcc.com
Mon Feb 13 00:14:12 UTC 2023
It makes you wonder why they just don't rekey and put up a different
selector while deleting the compromised selector?
Yes, this is bad but it has a straightforward solution to the compromise
-- unlike compromised cert signing keys, natch.
Mike
On 2/12/23 4:01 PM, Eric Kuhnke wrote:
> Namecheap has updated their status page item to include
>
> "We have stopped all the emails (that includes Auth codes delivery,
> Trusted Devices’ verification, and Password Reset emails, etc.)"
>
>
> Yikes.
>
>
> On Sun, Feb 12, 2023, 3:54 PM Michael Thomas <mike at mtcc.com> wrote:
>
> I think that it might be appropriate to name and shame the third
> party, since they should know better too. It almost has the whiff
> of a scam.
>
> Mike
>
> On 2/12/23 3:49 PM, Eric Kuhnke wrote:
>> One very possible theory is that whoever runs the outbound
>> marketing communications and email newsletter demanded the keys
>> and got them, with execs overriding security experts at Namecheap
>> who know better.
>>
>> I would sincerely hope that the people whose job titles at
>> Namecheap include anything related to network engineering,
>> network security or cryptography at that company do know better.
>> Large domain registrars are not supposed to make such a rookie
>> mistake.
>>
>>
>> On Sun, Feb 12, 2023, 3:46 PM Michael Thomas <mike at mtcc.com> wrote:
>>
>>
>> On 2/12/23 3:40 PM, Eric Kuhnke wrote:
>> > https://www.namepros.com/threads/concerning-e-mail-from-namecheap.1294946/page-2#post-8839257
>> >
>> > https://lowendtalk.com/discussion/184391/namecheap-hacked
>> >
>> > It looks like a third party service they gave their keys to has been
>> > compromised. I got several phishes that fully pass as legit Namecheap
>> > emails.
>> >
>> > https://www.namecheap.com/status-updates/archives/74848
>> >
>> If they actually gave them their own private keys, they clearly don't
>> get how that's supposed to work with DKIM. The right thing to do is
>> create a new selector with the third party's signing key. Private keys
>> should be kept... private.
>>
>> Mike
>>