Security researchers are claiming a spate of DNS hijackings at web3 businesses is linked to Squarespace's acquisition of Google Domains last year.

The theory is that cybercriminals may have picked up on a flaw in the method Squarespace used to migrate Google Domains customer data over to its servers, allowing them to guess the email addresses associated with admin accounts and register the account for themselves.

The assessment was made by security researchers Samczsun, Taylor Monahan, and Andrew Mohawk in a report published over the weekend. In it, they say the attacks began on July 9 and all affected organizations had their domains migrated to Squarespace following the acquisition.

The Register approached the website builder, domain registrar, and serial sponsor of YouTube videos for its take on things but it didn't immediately respond.

According to the researchers' report, Squarespace pre-registered a bunch of email addresses it thought would be useful to have set up as domain admins following the migration without checking if the email accounts existed. The two categories of email addresses it selected for this included the address linked to the original Google Domains account and any contributor addresses associated with that domain.

"It appears that Squarespace implemented this by pre-linking all emails to domains, regardless of whether the account already exists, likely because they wanted users to be able to OAuth with Google and immediately have access to all their domains," the researchers say in the report.

"However, because Squarespace also does not require email validation to create an account using password authentication - ie, you can create an account for bill@gates.com without owning the email address - the threat actor simply created accounts with all potential emails that might be migrated with a domain but had yet to be registered. Once the threat actor found a valid email, they had full access to the associated domains without having to verify the email address."

The attacks and their goals

Many web3 firms have acknowledged foul play on their systems in recent days. The attacks are said to unfold when the crims guess one of the pre-registered admin email addresses, register the account for themselves, and then use it to gain admin access and change DNS record data.

Changing DNS record data allows attackers to reroute visitors to a website's legitimate URL to phishing sites which, if designed well, won't arouse too much suspicion on the user's end. 

In the cases targeting cryptocurrency and blockchain companies, the researchers say the phishing sites are designed to steal tokens and other digital assets from users' digital wallets.

There have also been cases where attackers were spotted creating new Google Workspace admin accounts, and registering new devices and browsers to them. This is said to be made possible again by the Squarespace acquisition of Google Domains. Both Squarespace and Google Domains are resellers of Google Workspace.

If Google Workspace was purchased pre-acquisition, it would also have been migrated over. The key factor at play here is that Squarespace admins then had the capability to create new Workspace admins, even if they weren't one. So, once the crims gained access to a Squaresapce admin account, they were able to register themselves as Workspace admins too, the report claims.

Once registered as a Workplace admin, the crims were able to access historical services including email, as well as sync data, and disable strong account authentication, the researchers' report says.

Who's affected?

The most talked about cases have all now been resolved, according to Compound Labs, Unstoppable Domains, Celer, and Pendle who all confirmed they detected malicious activity on their Squarespace accounts. 

There are, however, hundreds more domains that are alleged to be at least at risk of similar DNS hijackings, so it may not be over just yet, and it can happen to the best of us.

Any organization that had its Google Domains data migrated to Squarespace last year is advised to enable two-factor authentication (2FA) on their Squarespace account, since it's not enabled by default. 

As always, logs will offer a helping hand here too - scour them and reverse any unauthorized activity, including the deletion of rogue admin accounts, browsers, devices, and whatnot. ®

https://www.theregister.com//2024/07/15/squarespace_fingered_for_dns_hijackings/