Hackers Exploit Flaw in Squarespace Migration to Hijack Domains


Multiple cryptocurrency platforms were left scrambling to regain control of their DNS records last week, after hackers compromised multiple domain names registered with Squarespace.

The attacks started on July 9 and impacted domains that were transferred to Squarespace after the domain registrar acquired domain registrations and customers from Google Domains last year.

Squarespace has been migrating users for roughly 10 million domain names purchased in the transaction, but its migration method contained a flaw that allowed hackers to take over accounts and modify DNS records for those domains.

According to Security Alliance, to make the transition as seamless as possible, Squarespace migrated all email addresses from Google Domains, likely assuming that they would be used by domain owners and collaborators to create Squarespace accounts.

By pre-linking the emails to the domains, Squarespace essentially allowed users to immediately have access to all their domains, but did not account for the fact that attackers could try to sign up for accounts before the legitimate email holders.

Furthermore, Squarespace does not require email validation when creating accounts protected with passwords, which has allowed attackers to create accounts by guessing the email addresses that might have been migrated with the domains transferred from Google Domains.

This essentially enabled the attackers to take over Squarespace accounts and gain full access to the associated domains without verifying the email addresses associated with those accounts.
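To make the flaw concrete, here is an added Python model of the account-creation path described above, beside a hardened version. This is illustration code written for this article, not Squarespace's implementation: the registry classes, the in-memory account store and the pre-linked e-mail list are all constructed assumptions. The weak flow attaches migrated domains to whoever first registers the e-mail address with a password; the hardened flow creates the account but attaches nothing until a token delivered to that mailbox is presented back.

```python
"""Model of password-only signup with pre-linked domains (the flaw) beside a
mailbox-verified flow (the fix). All names and data are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed: e-mail addresses that a migration pre-linked to domains.
MIGRATED_LINKS = {
    "admin@example-crypto.test": ["example-crypto.test"],
    "ops@another-domain.test": ["another-domain.test"],
}


@dataclass
class Account:
    email: str
    password_hash: bytes          # salt + PBKDF2 digest
    email_verified: bool
    domains: list = field(default_factory=list)


def _hash_password(password: str) -> bytes:
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class WeakRegistry:
    """Flaw: no proof of mailbox control, and pre-linked domains are granted
    to the first party that registers the address."""
    def __init__(self, links):
        self.links = links
        self.accounts = {}

    def sign_up(self, email, password):
        if email in self.accounts:
            raise ValueError("account exists")
        acct = Account(email, _hash_password(password), email_verified=False)
        acct.domains = list(self.links.get(email, []))   # granted immediately
        self.accounts[email] = acct
        return acct


class HardenedRegistry:
    """Fix: the account exists, but domains attach only after the caller
    returns a single-use token that was sent to the mailbox."""
    def __init__(self, links):
        self.links = links
        self.accounts = {}
        self.pending = {}   # email -> token; would be e-mailed, never echoed to the client

    def sign_up(self, email, password):
        if email in self.accounts:
            raise ValueError("account exists")
        acct = Account(email, _hash_password(password), email_verified=False)
        self.accounts[email] = acct
        self.pending[email] = secrets.token_urlsafe(32)
        return acct                                    # acct.domains stays empty

    def deliver_token(self, email):
        """Stand-in for the e-mail channel (constructed for the example)."""
        return self.pending[email]

    def verify(self, email, token):
        expected = self.pending.get(email)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        acct = self.accounts[email]
        acct.email_verified = True
        acct.domains = list(self.links.get(email, []))   # granted only now
        del self.pending[email]                          # single use
        return True


def weak_domains_on_signup(email, password="correct horse battery"):
    """Domains an unverified signup receives under the flawed flow."""
    return WeakRegistry(MIGRATED_LINKS).sign_up(email, password).domains


def hardened_domains_before_and_after(email, password="correct horse battery"):
    """(domains before verification, domains after a valid token) under the fix."""
    reg = HardenedRegistry(MIGRATED_LINKS)
    acct = reg.sign_up(email, password)
    before = list(acct.domains)
    if reg.verify(email, "not-the-real-token"):          # wrong token must fail
        raise AssertionError("bad token accepted")
    if not reg.verify(email, reg.deliver_token(email)):  # real token succeeds
        raise AssertionError("good token rejected")
    return before, list(acct.domains)


if __name__ == "__main__":
    print("weak flow grants:", weak_domains_on_signup("admin@example-crypto.test"))
    print("hardened flow:", hardened_domains_before_and_after("admin@example-crypto.test"))
```

The point of the hardened class is the ordering: pre-linked entitlements are attached at verification time, not at registration time, so an account created by guessing an address holds nothing until the mailbox owner acts. A real deployment would also expire pending tokens and rate-limit registration attempts; those are omitted here.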

Last week hackers exploited this flaw to target a dozen domains, including crypto platforms such as Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains, for DNS hijacking.


Essentially, after gaining access to the Squarespace accounts associated with these domains, the attackers modified DNS records to redirect site visitors to potentially malicious pages, and likely attempted to escalate their privileges.

Depending on the permissions associated with the hijacked accounts, the attackers could transfer domains to other Squarespace accounts or another registrar, set email forwarding, or add new domain managers.

Furthermore, because Squarespace is a Google Workspace reseller, if a workspace was purchased from Google Domains, it was transferred to Squarespace.

In the context of last week’s campaign, attackers could have abused this to create a new Google Workspace for the domain, or hijack the Google Workspace associated with a domain, allowing them to add new accounts, devices, or browsers, sync data, disable strong authentication, and the like.

The potential impact of this campaign, Security Alliance notes, could have been dire, as there are “hundreds of cryptocurrency domains controlling access to billions of dollars of assets” that have been migrated from Google Domains to Squarespace.

The crypto platforms that confirmed impact from the incident said they have regained control of accounts and that no evidence of further malicious activity has been observed. As of Monday, Squarespace no longer allows users to create new accounts using only an email address.

Owners of websites migrated to Squarespace as part of the Google Domains deal are advised to log into their accounts and enable two-factor authentication, review contributor accounts and remove those that are no longer necessary, revert any unauthorized changes in Google Workspace, revert changes to DNS records, and review domain settings for any suspicious configurations.
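For the "revert changes to DNS records" step, a defender needs something to compare the current zone against. The following added Python script (written for this article, not code from Squarespace or any of the affected platforms) parses two snapshots in a simple `name TYPE value` format, diffs them per record type and ranks the drift. Both snapshots, the domain name and the IP addresses are constructed sample data; in practice the observed side would come from `dig` output or a zone export.

```python
"""Baseline-versus-observed DNS drift check. All records below are constructed."""
from collections import defaultdict

# Record types whose change moves mail or delegates the whole zone.
HIGH_IMPACT_TYPES = {"NS", "MX", "SOA"}
# Types where a replaced value redirects site visitors.
REDIRECT_TYPES = {"A", "AAAA", "CNAME"}

# Constructed baseline captured before the migration window.
BASELINE = """
example-crypto.test.   A    203.0.113.10
example-crypto.test.   MX   10 mail.example-crypto.test.
example-crypto.test.   NS   ns1.example-crypto.test.
example-crypto.test.   NS   ns2.example-crypto.test.
example-crypto.test.   TXT  "v=spf1 include:_spf.example-crypto.test -all"
"""

# Constructed observation showing the kind of drift a hijack leaves behind:
# the web address and delegation changed, and an extra TXT record appeared.
OBSERVED = """
example-crypto.test.   A    198.51.100.77
example-crypto.test.   MX   10 mail.example-crypto.test.
example-crypto.test.   NS   ns1.unexpected-ns.test.
example-crypto.test.   NS   ns2.unexpected-ns.test.
example-crypto.test.   TXT  "v=spf1 include:_spf.example-crypto.test -all"
example-crypto.test.   TXT  "constructed-verification-token=abc123"
"""


def parse_records(text):
    """Map (name, TYPE) -> set of record values; blank and ';' lines are skipped."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, value = line.split(None, 2)
        records[(name.lower(), rtype.upper())].add(value)
    return records


def diff_records(baseline, observed):
    """Return one finding per (name, TYPE) whose value set changed."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        added = observed.get(key, set()) - baseline.get(key, set())
        removed = baseline.get(key, set()) - observed.get(key, set())
        if not added and not removed:
            continue
        if rtype in HIGH_IMPACT_TYPES or (rtype in REDIRECT_TYPES and removed):
            severity = "high"      # delegation, mail or visitor traffic moved
        else:
            severity = "medium"    # e.g. an unexplained TXT record was added
        findings.append({
            "name": name, "type": rtype, "severity": severity,
            "added": sorted(added), "removed": sorted(removed),
        })
    return findings


def format_finding(f):
    parts = [f"[{f['severity'].upper()}] {f['name']} {f['type']}"]
    if f["removed"]:
        parts.append("removed: " + ", ".join(f["removed"]))
    if f["added"]:
        parts.append("added: " + ", ".join(f["added"]))
    return " | ".join(parts)


if __name__ == "__main__":
    for finding in diff_records(parse_records(BASELINE), parse_records(OBSERVED)):
        print(format_finding(finding))
```

Run it on a periodic schedule against a baseline captured from a known-good state and alert on any high finding; for the medium ones, a new TXT record with no change ticket behind it is worth a question, since domain-verification flows for services such as Google Workspace typically add exactly that kind of record.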

Related: Attackers Use DNS Tunneling to Track Victim Activity, Scan Networks

Related: Researchers Flag FBot Hacking Tool Hijacking Cloud, Payment Services

Related: Hackers Can ‘Pre-Hijack’ Online Accounts Before They Are Created by Users
