Security Alert: Phishing Campaign Targeting Rebel.com Customers

Incident Report for Rebel

Postmortem

Executive Summary

On February 5-6, 2026, Rebel.com identified a sophisticated phishing campaign targeting our customers. The attackers used a deceptive "WHOIS Accuracy Verification" lure to direct users to a fraudulent login page. As of February 6, 11:55 AM EST, the malicious site has been successfully taken down and the threat has been neutralized.

1. Incident Overview

  • The Lure: Clients received emails appearing to be from Rebel Support, claiming their domains would be placed "on hold" due to missing WHOIS information.
  • The Technical Vector: The emails contained links to a third-party hosted site (apps.emailerstack.com) designed to mimic the Rebel.com login dashboard to harvest credentials.
  • The Source: Our analysis of the email headers identified the originating traffic from a specific external mail relay service.

2. Our Response Actions

Once the first reports reached our support queue, our security team initiated the following:

  • Provider Escalation: We worked directly with the upstream hosting provider to provide forensic evidence of abuse.
  • Domain Suspension: Within 24 hours of our formal report, the fraudulent domain and associated hosting account were suspended.
  • Status Monitoring: We maintained a real-time status page update to keep our community informed throughout the investigation.

3. Lessons Learned & Improvements

While the external threat was neutralized quickly, this incident highlights the evolving nature of social engineering.

  • System Hardening: We are reviewing our internal alerting systems to flag similar deceptive URLs faster.
  • Community Reporting: The speed of this takedown was made possible by clients who provided Full Email Headers. This data is the single most important tool in our defense arsenal.
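A sketch of how a reported message can be triaged from its full headers and body, as an added example rather than Rebel's own tooling. The function names, the sample message, the URL paths and the relay host `relay.example.net` are constructed for illustration; only the sender address and the phishing host come from this report.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "rebel"        # brand word expected in an impersonating display name
TRUSTED = "rebel.com"  # legitimate domain named in this report

# Constructed sample modelled on the campaign described here (not a real capture).
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.customer.example; Thu, 05 Feb 2026 12:01:00 -0500
From: "Rebel Support" <noreply@email.mailroll.mx>
To: customer@customer.example
Subject: WHOIS Accuracy Verification - domain on hold
Content-Type: text/plain

Your domain will be placed on hold. Verify your contact details:
https://apps.emailerstack.com/rebel/login
Account help: https://www.rebel.com/support
"""

def under(host, domain):
    """True only when host is the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Decode every leaf part so base64 / quoted-printable bodies are searched too.
    body = "\n".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in msg.walk() if not p.is_multipart())
    hosts = {urlsplit(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body)}
    # Each hop prepends its Received header, so the last one is the earliest hop.
    hops = msg.get_all("Received", [])
    m = re.search(r"from\s+(\S+)", hops[-1]) if hops else None
    return {
        "spoofed_display_name": BRAND in name.lower() and not under(sender_domain, TRUSTED),
        "sender_domain": sender_domain,
        "off_brand_link_hosts": sorted(h for h in hosts if h and not under(h, TRUSTED)),
        "origin_relay": m.group(1) if m else None,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The earliest `Received` hop is written by the sending side and can be forged, so treat `origin_relay` as a lead to confirm against hops added by your own mail servers.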

4. Moving Forward: Your Security Checklist

To ensure your account remains secure against future attempts, we recommend three standard practices:

  1. Switch to App-Based 2FA: SMS-based codes are vulnerable to interception. Please switch to a TOTP Authenticator App (like Google Authenticator or Authy) in your Rebel security settings.
  2. Verify the URL: Always ensure you are on https://www.rebel.com before entering credentials.
  3. Report, Don't Click: If an email seems suspicious, do not click the link. Forward the email headers to our support team for verification.

Final Statement

Protecting your digital identity is our highest priority. We thank our community for their vigilance and quick reporting, which allowed us to resolve this matter swiftly.

The Rebel Team

Posted Feb 06, 2026 - 11:55 EST

Resolved

The fraudulent site apps.emailerstack.com has been successfully suspended and the threat neutralized.

Next Steps for Impacted Users:

If you interacted with the phishing link, please take the following immediate actions:

- Reset Password: Change your Rebel.com password immediately.
- Enable 2FA: We strongly recommend switching to an Authenticator App for enhanced security.
- Run Scans: Perform a full security scan on your device (Windows Defender, Malwarebytes, or Play Protect).

Thank you for your patience while we worked to resolve this incident.
Posted Feb 06, 2026 - 11:46 EST

Update

We are continuing to work with upstream providers to deactivate the fraudulent site apps.emailerstack.com.

Security Recommendations for All Users:

If you have interacted with the phishing link or provided any information, please follow these steps based on your device:

• Reset your Rebel.com Password immediately.

• Security Scans:
  - Windows Users: Run a full scan using Microsoft Defender: https://support.microsoft.com/en-us/topic/how-to-start-a-scan-for-viruses-or-malware-in-microsoft-defender-e98663f1-8827-4abe-b9ce-fb2664201f29
  - Mac Users: We recommend a scan with Malwarebytes for Mac: https://www.malwarebytes.com/mac or following Apple’s Security Guide: https://support.apple.com/en-ca/guide/mac-help/mh40596/mac
  - Chromebook Users: Review and remove any unknown browser extensions: https://support.google.com/accounts/answer/9924802
  - Mobile Users: Run Google Play Protect (Android): https://support.google.com/googleplay/answer/2812853 or check for unauthorized profiles (iOS).

• Upgrade 2FA: We strongly recommend switching from SMS to an Authenticator App (TOTP) for better protection.
Posted Feb 05, 2026 - 13:56 EST

Update

Update [Feb 5, 2026 - 1:02 PM EST]: Our security team has positively identified the source of the phishing emails (noreply@email.mailroll.mx) and the malicious destination site (apps.emailerstack.com).

We have initiated formal takedown procedures with Google Safe Browsing and the upstream domain registry. Users may soon see a 'Deceptive Site' warning when attempting to visit the malicious link. We continue to monitor the situation and will provide further updates as the site is successfully taken offline.

Reminder: Rebel.com will never ask you to verify your account credentials via a non-Rebel URL. Please remain vigilant.
Posted Feb 05, 2026 - 13:02 EST

Monitoring

We are currently tracking a phishing campaign where emails are being sent from noreply@email.mailroll.mx masquerading as Rebel.com Support. These emails claim that your domain will be 'put on hold' and request that you verify your contact information via a link to apps.emailerstack.com.

This email is NOT from Rebel. If you receive this message:

- DO NOT click any links.

- DO NOT provide your account credentials.

- Mark as Spam and delete the message immediately.

Our security team is working to have these malicious sites taken down. If you have already entered your information, please reset your Rebel.com password immediately.

Thank you,
The Rebel Team.
Posted Feb 05, 2026 - 12:32 EST