Squarespace Hacked — DeFi Wallets Drained (Imaginary Money Stolen)
Cryptocurrency fans lose their worthless tokens via phishing attacks on decentralized finance sites.
Hundreds of domains at Squarespace were left vulnerable by a gaping security hole: According to researchers, NYSE:SQSP let anyone who could guess a contributor’s email address register it as a brand-new Squarespace account, with no email verification, and inherit that contributor’s access to any domain migrated there from the now-dead Google Domains service. Naturally, the attacking scrotes targeted cryptocurrency sites (because mostly they’re run by people who don’t know what they’re doing).
Yep, it’s yet another story of weak DeFi security. In today’s SB Blogwatch, nothing of value was lost.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Metallica in Punjab.
DeFAIL
What’s the craic? Bill Toulas reports: DNS hijacks target crypto platforms registered with Squarespace
“Attack on SquareSpace accounts”
A wave of coordinated DNS hijacking attacks targets decentralized finance (DeFi) cryptocurrency domains using the Squarespace registrar, redirecting visitors to phishing sites hosting wallet drainers. … Those who entered details on the phishing sites need to take immediate action, … including revoking smart contract approvals, changing passwords, and transferring funds to a new wallet.
…
Although the exact cause … hasn’t been determined yet, the compromised domains were all originally registered at Google Domains, which were later force-transferred to Squarespace in 2023 as part of an asset purchase agreement with Google. … However, as part of the transition to Squarespace, multi-factor authentication was turned off.
…
Other Squarespace customers have also reported receiving suspicious password reset emails, which could indicate that this is a wider credential attack on SquareSpace accounts. [We] contacted Squarespace for a comment on the situation, but we are still waiting for a response.
What went wrong? samczsun, tayvano and AndrewMohawk know What Went Wrong:
“Effectively stealing the domain”
Contrary to early reports, the attacks were not caused by user negligence, such as reusing weak passwords or not enabling MFA. … By default, Squarespace does not require email verification for new accounts created with a password. … As it stands, Squarespace is simply not a viable option for anyone [who] requires deeper … control over their domains.
…
Squarespace never accounted for the possibility that a threat actor might sign up for an account using an email associated with a recently-migrated domain before the legitimate email holder created the account themselves. Unfortunately, many domain contributors never created their Squarespace accounts either because they forgot that they were granted contributor access, or they didn’t expect inaction to have security implications, making it quite easy for a threat actor to beat them to the punch.
…
If you’ve gained unauthorized access to a Squarespace account [and] have “owner” permissions, you can simply transfer the domain, … effectively stealing the domain itself. [Or], if you have “manager” permissions, you can … edit the DNS records. … Having an administrator Google Workspace account allows the threat actor … access to historic emails, everything in Google Drive, Google Calendar, Google Docs, etc. [and] to pivot to third party services such as custody services or other financial accounts.
ELI5? dboreham explains like we’re five:
What [Squarespace] did was: Put a zillion DNS registration accounts into a limbo state where anyone who … could guess the email address associated with an account, could … gain authentication credentials valid for the account, … without any verification that it came from the owner of the associated email address.
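The flaw samczsun, tayvano and AndrewMohawk describe, and dboreham’s “limbo state” summary of it, boil down to one design decision: binding a freshly created account to a migrated domain’s contributor roles purely on the strength of the email address typed at sign-up. The toy registrar below is an added illustration, not Squarespace’s code and not the researchers’ writeup; the domain, the addresses, the role names and the “verify first, then bind” fix are my assumptions about how such a flow would be modelled. It runs the same race twice, once with the weak setting and once with mailbox verification required before any role is granted.

```python
# Added illustration of the account-binding flaw described above. Not Squarespace
# code. Assumed model: a migrated domain carries contributor e-mails and roles;
# an account is bound to those roles by matching the e-mail it signed up with.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Account:
    password: str
    verified: bool
    token: Optional[str] = None  # one-time mailbox-verification token, if required


@dataclass
class Registrar:
    require_email_verification: bool
    domains: Dict[str, Dict[str, str]] = field(default_factory=dict)   # name -> {email: role}
    accounts: Dict[str, Account] = field(default_factory=dict)         # email -> Account

    def migrate_domain(self, name: str, contributors: Dict[str, str]) -> None:
        # Domains arrive with contributor e-mails but no accounts yet: the "limbo" state.
        self.domains[name] = dict(contributors)

    def sign_up(self, email: str, password: str) -> Optional[str]:
        """Create an account. Returns the token that would be e-mailed to `email`;
        in a real system the person filling in the form never sees it."""
        if email in self.accounts:
            raise ValueError("address already has an account")
        if self.require_email_verification:
            token = secrets.token_urlsafe(16)
            self.accounts[email] = Account(password, verified=False, token=token)
            return token
        # Weak setting: the account is usable at once and the mailbox is never checked.
        self.accounts[email] = Account(password, verified=True)
        return None

    def verify_email(self, email: str, token: str, new_password: str) -> bool:
        """Mailbox holder proves control and sets their own password, which
        invalidates whatever credential the account was first created with."""
        acct = self.accounts.get(email)
        if acct is None or acct.token is None or not secrets.compare_digest(acct.token, token):
            return False
        acct.password, acct.verified, acct.token = new_password, True, None
        return True

    def permissions(self, email: str, password: str) -> Dict[str, str]:
        """Roles this login can exercise. Unverified accounts get nothing."""
        acct = self.accounts.get(email)
        if acct is None or not acct.verified or not secrets.compare_digest(acct.password, password):
            return {}
        return {name: roles[email] for name, roles in self.domains.items() if email in roles}


def race_for_contributor_email(require_email_verification: bool) -> Dict[str, Dict[str, str]]:
    """Attacker registers a contributor's address before the contributor does.
    Returns the roles the attacker holds before and after the legitimate holder
    acts, and the roles the legitimate holder ends up with."""
    reg = Registrar(require_email_verification)
    reg.migrate_domain("app.example-defi.test",                       # assumed domain
                       {"ops@example-defi.test": "manager",
                        "ceo@example-defi.test": "owner"})
    victim, attacker_pw = "ops@example-defi.test", "attacker-chosen"

    # Attacker guesses the address and registers it first. Any token goes to the
    # victim's inbox, not to the attacker.
    token_in_victim_inbox = reg.sign_up(victim, attacker_pw)
    attacker_before = reg.permissions(victim, attacker_pw)

    if token_in_victim_inbox is not None:
        # Strong setting: holder proves mailbox control and sets a fresh password.
        reg.verify_email(victim, token_in_victim_inbox, "victim-chosen")
        legitimate = reg.permissions(victim, "victim-chosen")
    else:
        # Weak setting: the holder's own sign-up fails because the address is taken.
        try:
            reg.sign_up(victim, "victim-chosen")
            legitimate = reg.permissions(victim, "victim-chosen")
        except ValueError:
            legitimate = {}
    attacker_after = reg.permissions(victim, attacker_pw)
    return {"attacker_before": attacker_before,
            "attacker_after": attacker_after,
            "legitimate": legitimate}
```

The point of the second branch is that verification has to do two things, not one: withhold every role until the mailbox has been proven, and let the proving step replace the credential. Merely flipping a “verified” bit on an attacker-created account would leave the attacker’s password working.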
Whodunnit? Ido Ben-Natan talked to Sebastian Sinclair: Hundreds of DeFi protocol front ends are still at risk
“Inferno Drainer group”
The incident … involved attackers targeting DNS records hosted on Squarespace. Those records were redirected to IP addresses associated with known malicious activities [hosting] a page that drains the funds from connected wallets.
…
“The association to Inferno Drainer is clear [from the] shared onchain and offchain infrastructure,” Ben-Natan said. “This includes onchain wallet and smart contract addresses as well as offchain IP addresses and domains linked to Inferno.”
…
It operates by prompting users to sign malicious transactions that give the attacker control over their digital assets. … The Inferno Drainer group has been active for some time, targeting various DeFi protocols and exploiting different vulnerabilities.
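Both Toulas and Ben-Natan describe the same observable symptom: a front-end domain’s records quietly changed to point at attacker-controlled addresses. A protocol team that pins its approved records and diffs live answers against them would have caught that within one polling interval. The checker below is an added example, not from the article, Blockaid or any registrar; the domain, the approved record sets, the “known-bad” network range and the severity rules are constructed for illustration, and the resolver answers are hard-coded snapshots where a real job would query a resolver (dnspython, for instance) and page on any finding.

```python
# Added example of a DNS drift check for front-end domains. Not from the
# article or any vendor. All domains, addresses and ranges below are constructed.
from ipaddress import ip_address, ip_network

# Records the team has approved for each front-end domain (assumed values).
EXPECTED = {
    "app.example-defi.test": {
        "NS": {"ns1.registrar.test", "ns2.registrar.test"},
        "A": {"203.0.113.10", "203.0.113.11"},
    },
}
# Address space previously seen hosting drainer pages (constructed blocklist).
KNOWN_BAD = [ip_network("198.51.100.0/24")]


def diff_records(expected, observed):
    """Per record type, report values added to or removed from the approved set."""
    findings = []
    for rtype, want in expected.items():
        got = set(observed.get(rtype, ()))
        added, removed = got - want, want - got
        if added or removed:
            findings.append({"type": rtype, "added": sorted(added), "removed": sorted(removed)})
    return findings


def severity(findings):
    """'critical' when delegation (NS) changed or an A record now points into a
    known-bad range; 'high' for any other A drift; 'medium' for drift in other
    types; 'none' when the live answers match the approved set."""
    level = "none"
    for f in findings:
        if f["type"] == "NS":
            return "critical"   # registrar-level change: attacker now answers for the zone
        if f["type"] == "A":
            for addr in f["added"]:
                if any(ip_address(addr) in net for net in KNOWN_BAD):
                    return "critical"
            level = "high"
        elif level == "none":
            level = "medium"
    return level


def check_domain(name, observed):
    """Compare one domain's observed answers with its approved records."""
    findings = diff_records(EXPECTED[name], observed)
    return {"domain": name, "severity": severity(findings), "findings": findings}


# Constructed snapshots: yesterday's baseline and a hijacked answer set.
BASELINE = {"NS": {"ns1.registrar.test", "ns2.registrar.test"},
            "A": {"203.0.113.10", "203.0.113.11"}}
HIJACKED = {"NS": {"ns1.registrar.test", "ns2.registrar.test"},
            "A": {"198.51.100.7"}}

if __name__ == "__main__":
    for label, snapshot in (("baseline", BASELINE), ("hijacked", HIJACKED)):
        print(label, check_domain("app.example-defi.test", snapshot))
```

Two caveats for anyone turning this into a cron job: query at least one resolver outside your own infrastructure, so a hijack of the registrar’s nameservers is not hidden by a cached answer, and treat an NS change as the higher-priority alert, because once delegation moves the attacker can rewrite every other record at will.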
Ah, the curse of Google’s dead products. WillPostForFood sounds hungry:
Clearly Squarespace is the guilty party here. But man, I am still upset Google shut down Domains, and can’t help but direct some ire at their abandonment of yet another product.
R.I.P., Google Domains. Dennis agrees:
It’s a shame that Google just dumped us on that company. They have done it so many times before that I thought I learned my lesson.
I’ve been trying to move my domains from Squarespace after I reviewed their control panel. And it’s … a pain to migrate your domains.
It’s not directly Google’s fault, though. Squarespace deserves most of the blame—and ecofeco isn’t surprised:
Having used Squarespace a few times on behalf of clients, it’s an obvious garbage ecosystem. So no surprise to me it has gaping holes.
Lest we forget, the “victims” are imaginary-money sites. As Retired Chemist observes, that scene is Dunning-Kruger AF:
Crypto companies. You would think that they would be both concerned about security and reasonably savvy about such things. The real world never ceases to amaze me.
Meanwhile, the award for “best nominative determinism” goes to cynicalsecurity: [You’re fired—Ed.]
Squarespace spends a lot on marketing. They probably ran out of money on engineers.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Creativity103 (cc:by; leveled and cropped)