someone tried to hack into my SendGrid account


a few days ago, i got this email claiming to be from SendGrid.

a phishing email claiming to be from SendGrid

at first, it looks like a normal email, right? but wait, that's not SendGrid who sent it to us — what's this "money factory" got to do with anything? and why would SendGrid suddenly start emailing me again when i haven't used their service in years, anyways? maybe i ought to check out the site that sent this email, just for kicks.

a screenshot of the page at the URL that sent the email. it's some online casino crap.

well that's definitely not SendGrid. eh, probably just a mistake or something. let's ignore it and move on, I guess?


oh boy, more emails today! i bet they'll be something important this time.

three more phishing emails just from today, all different domains

oh.

oh no.

my first instinct was honestly to assume that maybe SendGrid somehow fucked something up. but then i finally bothered to read the contents of these emails, and noticed the obvious part that i missed before.

a button that says Manage API Preferences

oh hey, a link! i wonder what fun we'll find by clicking on it?

fake Cloudflare CAPTCHA

a fake CAPTCHA? interesting. it's not a real Cloudflare one: all the sizes are messed up, and it just lets you through every time once you click. and here i was hoping for one of those fake CAPTCHAs that actually just tells you to download some malware. anyways, the comically large "sendgrid.com" when we're clearly not on that domain tells you the real reason they added this part. onto the next page!

fake Sendgrid login

ooh, that logo is Crunchy. and also outdated! how about we take a look in the inspector for laughs?

a bunch of crap being printed to the console

holy ChatGPT, they left the debug prints in and everything.


after looking through the entirely unobfuscated and nicely commented code, here's a rundown of what is actually being done here.

  1. show a fake Cloudflare Turnstile. while doing this, it verifies that you are a target of the campaign. if you don't have the correct encryptedEmail token attached to your link, you get redirected to Google.
  2. once the user clicks on the fake Turnstile, show them the login page.
  3. send pilfered login data to a (painfully slow) server at discoversend-grid[DOT]com/api/ to verify if it actually works, and ask the user to try again if it doesn't.
  4. if the username and password are validated successfully by the attacker's API server, ask for more info, whatever the attacker's server tells it to. either:
    • ask for the user's 2fa info (email, SMS, and TOTP are handled entirely separately for some reason) and send it off to the attacker's server like before, and then use the stolen credentials to issue new API keys to spam with or whatever
    • literally just ask really nicely for an API key into the user's account. because that's totally a method of two-factor authentication people use?
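the tells in this campaign (sender domain that isn't the brand's, a hyphenated lookalike domain in the button link, and a per-target token in the URL that the kit checks before showing anything) are easy to turn into a triage check. here's an added example of that, not code from the post or from the phishing kit; the sample message is constructed, `sendgrid.com` is assumed to be the only legitimate brand domain, and the token value is a placeholder:

```python
"""Triage checks for a brand-impersonation phish like the one above.

Added example; inputs are constructed samples modelled on the post.
"""
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

BRAND = "sendgrid"
LEGIT_DOMAINS = {"sendgrid.com"}        # assumption: the brand's real domain
TARGET_TOKENS = {"encryptedemail"}      # per-target token the kit looks for


def _refang(url: str) -> str:
    # analysts store links defanged; undo that before parsing
    return url.replace("[DOT]", ".").replace("[.]", ".").replace("hxxp", "http")


def _registrable(host: str) -> str:
    # crude last-two-labels heuristic; fine for triage, not for policy
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _looks_like_brand(host: str) -> bool:
    # drop hyphens, digits and dots so 'discoversend-grid.com' still matches
    squashed = "".join(ch for ch in host.lower() if ch.isalpha())
    return BRAND in squashed


def triage(from_header: str, links: list[str]) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    name, addr = parseaddr(from_header)
    from_dom = _registrable(addr.split("@")[-1]) if "@" in addr else ""
    if BRAND in name.lower() and from_dom not in LEGIT_DOMAINS:
        findings.append(f"sender domain {from_dom!r} does not match claimed brand")
    for link in links:
        u = urlparse(_refang(link))
        host = u.hostname or ""
        if _registrable(host) in LEGIT_DOMAINS:
            continue                     # real brand link, nothing to flag
        if _looks_like_brand(host):
            findings.append(f"lookalike domain in link: {host}")
        if {k.lower() for k in parse_qs(u.query)} & TARGET_TOKENS:
            findings.append(f"per-target token in link: {host}")
    return findings


# constructed sample modelled on the emails in the post
SAMPLE_FROM = "SendGrid <noreply@money-factory.example>"
SAMPLE_LINKS = [
    "hxxps://discoversend-grid[DOT]com/api/manage?encryptedEmail=PLACEHOLDER",
    "https://sendgrid.com/docs",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM, SAMPLE_LINKS):
        print(finding)
```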

so yeah, that was fun to poke through! thank you to vibe coders for not bothering to remove the comments from the code you publish. when i'm the first person to ever lay eyes on it, those comments really help me figure out what you're up to. anyways, don't go clicking on links in sketchy emails, kids! and definitely don't give those sketchy sites API keys to your email account.


P.S.: while there was an alleged breach of SendGrid emails posted about last year, I don't think this is related to that. notably, the only other person i saw complaining about this was also getting the emails sent to an address that's "sendgrid@[DOMAIN]", which suggests they're probably just spraying and praying to anyone who's got sendgrid DKIM keys on their domain.