Squarespace crypto domains under DNS attack, lack of MFA to blame


More than 200 cryptocurrency domains registered with Squarespace have been identified as at risk after warnings that the website hosting company was undergoing a massive DNS hijacking attack.

The attack began Thursday and was first discovered after it directly impacted the websites of two blockchain projects – Compound and Celer Networks – which have since restored normal operations.

Since then, researchers on GitLabs compiled a list of 128 other crypto domains also at risk of DNS hijacking, although by late Friday some analysts had put the count above 220.


The entire incident is being blamed on the recent migration of 10 million domains that followed the September 2023 deal in which Squarespace bought Google Domains.

“Google sold their domain business to Squarespace a few months ago, and the forced migration of domains to Squarespace removed 2FA, causing all these domains to be vulnerable and several have been hijacked,” posted X user Bobby Ong, co-founder and COO of crypto data aggregator CoinGecko.

“Best thing to do is to not interact with crypto and rest for the next couple of days until everything is resolved,” Ong said.

First victims hit without warning

As word spread on the attack, both Celer and Compound posted warnings for customers to stay off their websites until the ‘all clear’ had been given.

“URGENT: The Compound Labs website (compound[.]finance) has been compromised.


Please do not visit the website or click any links until further notice. An update will be provided when available.

This is our final message // end of tweet,” Compound posted Thursday in the midst of the attack.

Websites for both companies were loading without problems by Friday for the Cybernews team.

“Thanks to our 24/7 domain security monitoring, an attempted takeover of Celer domains was successfully intercepted. All DNS records have been recovered,” Celer Networks posted on X late Thursday.

“Our ongoing investigation indicates that the attack vector likely involved third parties beyond our control,” the crypto platform said.

More companies warn users to stay away


On Friday, another company registered with Squarespace, Unstoppable Domains, announced that it was under attack, again warning users to stay off its website.

Security researcher Dominic Alvieri first posted about the warning Friday morning on X, along with a screenshot of the company’s domain information listed on Whois.com, a database library of registered names.

“Our domain, unstoppabledomains.com has been subject to recent attacks,” the web3 domain naming company said.

“Until further notice: Do not open emails…Do not use the website… We are actively trying to get in touch with Squarespace to rectify this and will provide updates ASAP,” Unstoppable Domains posted on its X profile.

[Image: Unstoppable Domains statement on the DNS hack. Image by Cybernews.]

The Cybernews team was unable to load Unstoppable Domains' website on Friday.

So far, there appears to have been no statement from Squarespace on the DNS hijacking incident, and no threat actor has claimed responsibility for the attack.

@SquarespaceHelp did post some sort of message on X Friday morning about investigating “an issue with the Domains Reseller API being unavailable for new registrations and domain management,” which was apparently resolved an hour later but seems unrelated to the DNS debacle.

Other Squarespace domains that have reported hijacking include Peddle.com, while Blockaid and MetaMask also issued warnings to their followers on X.

Early Friday morning, DeFi analyst '@0xngmi' on X offered up a full-text list they created on GitHub of the originally reported 128 potentially bad domains to avoid.

[Image: GitHub list of Squarespace websites at risk of DNS hijacking. Image by Cybernews.]

DNS (Domain Name System) attacks are similar to Distributed Denial-of-Service (DDoS) attacks, where the domain name server – in this case, the DNS server belonging to Squarespace – is flooded with traffic, causing it to malfunction.

Operating normally, DNS allows a user to type the URL of any website into their browser and be directed to the corresponding server according to its assigned IP address.

By hijacking DNS functionality via a DDoS attack, the hackers can redirect unsuspecting users to malicious websites or use DNS tunneling to gain unauthorized remote access to an organization’s servers and steal sensitive data.
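The "domain security monitoring" that Celer credits with intercepting the takeover comes down to checking a domain's live records against a known-good snapshot. The following is an added example, not code from the article or from any company it names: it flags any domain whose NS or A records no longer match the baseline, rating a changed NS set highest because that is what registrar-account access (for instance after MFA was stripped) lets an attacker alter. The domain names, addresses and the resolver are constructed placeholders.

```python
"""Baseline-diff monitor for registrar-level DNS hijacks (added example, not from the article)."""
from dataclasses import dataclass

# Severity by record type: a changed NS set means the whole zone now answers from
# nameservers the owner never configured, which is what registrar-account access gives.
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high", "MX": "high"}

@dataclass(frozen=True)
class Alert:
    domain: str
    rtype: str
    severity: str
    added: frozenset    # records present now that the baseline never had
    removed: frozenset  # baseline records that have disappeared

def snapshot(domains, rtypes, resolve):
    """Query each (domain, rtype) via the injected resolve(name, rtype) -> iterable of str."""
    return {d: {t: set(resolve(d, t)) for t in rtypes} for d in domains}

def diff_records(baseline, observed):
    """One Alert per (domain, rtype) whose live record set differs from the known-good one."""
    alerts = []
    for domain, records in baseline.items():
        for rtype, good in records.items():
            now = observed.get(domain, {}).get(rtype, set())
            if now != good:
                alerts.append(Alert(domain, rtype, SEVERITY.get(rtype, "medium"),
                                    frozenset(now - good), frozenset(good - now)))
    return alerts

# Constructed sample baseline: reserved .example names and RFC 5737 documentation IPs.
BASELINE = {
    "project-a.example": {"NS": {"ns1.registrar.example.", "ns2.registrar.example."},
                          "A": {"203.0.113.10"}},
    "project-b.example": {"NS": {"ns1.registrar.example.", "ns2.registrar.example."},
                          "A": {"203.0.113.20"}},
}
# Constructed "live" deviation: project-a's A record now points somewhere it never did.
HIJACKED = {("project-a.example", "A"): {"192.0.2.66"}}

def fake_resolve(name, rtype):
    """Stand-in for a real lookup (e.g. dnspython's dns.resolver.resolve(name, rtype))."""
    return HIJACKED.get((name, rtype), BASELINE[name][rtype])

def run_check(baseline=BASELINE, resolve=fake_resolve):
    """Snapshot the live records with `resolve` and return the alerts against `baseline`."""
    return diff_records(baseline, snapshot(baseline, ["NS", "A"], resolve))
```

In a real deployment the baseline is captured while the domain is known to be healthy and the check runs on a schedule from a resolver outside the registrar's own infrastructure.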