
Namecheap accounts compromised using the CyberVor’s archive

Hosting provider Namecheap warned its customers that hackers compromised some of its users’ accounts using the CyberVor’s archive of credentials.

Hosting provider Namecheap announced earlier this week that hackers compromised some of its users’ accounts, apparently using the “CyberVor” collection of 1.2 billion usernames and passwords compiled by Russian hackers. “CyberVor” (“vor” means “thief” in Russian) is the name of the Russian criminal gang that collected more than one billion passwords and nearly 542 million email addresses.

The company Namecheap has published a blog post titled “Urgent Security Warning” to inform its customers that an abnormal load of login attempts was detected by its intrusion detection systems.

The company added that the majority of these login attempts were unsuccessful, but some accounts were compromised using credentials from the “CyberVor” collection.

“Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. Upon investigation, we determined that the username and password data gathered from third party sites, likely the data identified by The Register (i.e. not Namecheap) is being used to try and gain access to Namecheap.com accounts.”

“The vast majority of these login attempts have been unsuccessful as the data is incorrect or old and passwords have been changed. As a precaution, we are aggressively blocking the IP addresses that appear to be logging in with the stolen password data. We are also logging these IP addresses and will be exporting blocking rules across our network to completely eliminate access to any Namecheap system or service, as well as making this data available to law enforcement,” states the post.

The company is tracking all the IP addresses used for the login attempts in the attack and is blocking them. The experts speculated that the logins appeared to come from the record-breaking hoard of credentials collected by “CyberVor”.

Namecheap remarked that its systems weren’t hacked and that it is just warning its customers about the illicit activity it discovered:

“I must reiterate this is not a security breach at Namecheap, nor a hack against us. The hackers are using usernames and passwords being used have been obtained from other sources. These have not been obtained from Namecheap. But these usernames and passwords that the hackers now have are being used to try and login to Namecheap accounts.”

According to the post, the threat actor used fake browser software in the attack to emulate the login process of one of the popular browsers available on the market (Firefox/Safari/Chrome).

“The group behind this is using the stored usernames and passwords to simulate a web browser login through fake browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts,” Namecheap reported.

Namecheap has informed its customers that it is securing the affected accounts and contacting their owners to ask them to improve their security.

“If you receive an email alert from us stating that your account has temporarily been secured, don’t worry. We’ve proactively taken this step as a security measure to help defend you against this attack. We will need you to verify your identity to us and we will then issue you with new login credentials, including a new, stronger password.”
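The response described in the post (block the source IPs, then secure accounts where a reused password worked) can be sketched as a detection pass over login logs. This is an added example, not Namecheap's code: the log format, thresholds and sample lines are constructed assumptions. The User-Agent is deliberately not used as a signal, since the post says the tool simulates a real browser login.

```python
from collections import defaultdict

MIN_USERS = 5         # assumed: distinct usernames from one IP before it is suspicious
MIN_FAIL_RATIO = 0.8  # assumed: share of failures typical of walking a stale list

def build_sample_log():
    """Constructed log lines in a hypothetical 'timestamp ip username result' format."""
    lines = []
    # One IP walking a credential list: 10 users, one reused password still valid.
    for i in range(10):
        result = "OK" if i == 3 else "FAIL"
        lines.append(f"2000-01-01T02:00:{i:02d}Z 203.0.113.7 user{i}@example.com {result}")
    # A normal customer who mistypes once, then logs in.
    lines.append("2000-01-01T02:01:00Z 198.51.100.20 carol@example.com FAIL")
    lines.append("2000-01-01T02:01:09Z 198.51.100.20 carol@example.com OK")
    # An office NAT: several users behind one IP, all successful.
    for i in range(6):
        lines.append(f"2000-01-01T02:02:{i:02d}Z 192.0.2.44 staff{i}@example.com OK")
    return lines

def analyze(lines):
    """Return (ips_to_block, accounts_to_secure) from raw log lines."""
    users = defaultdict(set)      # ip -> usernames attempted
    attempts = defaultdict(int)   # ip -> total attempts
    failures = defaultdict(int)   # ip -> failed attempts
    successes = defaultdict(set)  # ip -> usernames that logged in
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, ip, user, result = parts
        users[ip].add(user.lower())
        attempts[ip] += 1
        if result == "OK":
            successes[ip].add(user.lower())
        else:
            failures[ip] += 1
    block, secure = set(), set()
    for ip in attempts:
        many_users = len(users[ip]) >= MIN_USERS
        mostly_failing = failures[ip] / attempts[ip] >= MIN_FAIL_RATIO
        if many_users and mostly_failing:
            block.add(ip)
            secure |= successes[ip]  # a stolen password worked: lock and reset
    return block, secure

if __name__ == "__main__":
    ips, accounts = analyze(build_sample_log())
    print("block:", sorted(ips))
    print("secure and reset:", sorted(accounts))
```

Requiring both many distinct usernames and a high failure ratio keeps the shared office address and the single mistyped password out of the block list.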

Namecheap also suggests that its customers enable two-factor authentication on their accounts.

https://www.namecheap.com/support/knowledgebase/article.aspx/9253/45/how-to-two-factor-authentication.

As usual, let me suggest enabling two-factor authentication on the web services that implement it, carefully protecting your passwords and avoiding reusing them on multiple websites.

Pierluigi Paganini

(Security Affairs – Namecheap, cybercrime)
