Domains transferred from Google's domain registration service 'Google Domains' are hijacked due to a vulnerability in the transfer destination



In July 2024, a coordinated Domain Name System (DNS) hijacking attack was carried out against domains registered with Squarespace, a company that provides website building, hosting and domain registration services. The attack, which primarily targeted cryptocurrency businesses, is believed to be related to domains transferred from Google Domains after Squarespace acquired that service in 2023.

DNS hijackers target crypto platforms registered with Squarespace
https://www.bleepingcomputer.com/news/security/dns-hijacks-target-crypto-platforms-registered-with-squarespace/

Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks – Krebs on Security
https://krebsonsecurity.com/2024/07/researchers-weak-security-defaults-enabled-squarespace-domains-hijacks/

A DNS hijacking attack is when an attacker modifies a target's DNS records to redirect a legitimate website to a malicious website, such as a phishing page. These attacks are typically carried out by compromising a DNS server or the target's account with a DNS service provider.
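Because a hijack of this kind shows up as a change in the domain's published records, the practical defence on the domain owner's side is to keep a known-good baseline and compare it against what the public DNS actually returns. The following is an added example, not code from the article or from any of the companies it mentions: both snapshots are constructed inline so that it runs offline, and a real monitor would fill the "observed" side from periodic lookups (for instance with dnspython) and run the comparison on every cycle. A change to the NS set is flagged as critical because it means the delegation itself moved, which is what an attacker who controls the registrar account can do; changes to A, AAAA, CNAME or MX records redirect the site or its mail and are flagged as high.

```python
"""Detect DNS record drift against a known-good baseline (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# A snapshot maps record type -> set of normalized record values.
Snapshot = Dict[str, Set[str]]

# Constructed sample data: the owner's baseline and a later observation in
# which both the delegation and the web address have been changed.
BASELINE = {
    "NS": ["ns1.example-dns.net.", "ns2.example-dns.net."],
    "A": ["192.0.2.10"],
    "MX": ["10 mail.example.com."],
    "TXT": ["v=spf1 include:_spf.example.com -all"],
}
OBSERVED = {
    "NS": ["NS1.UNKNOWN-PROVIDER.EXAMPLE.", "ns2.unknown-provider.example."],
    "A": ["198.51.100.77"],
    "MX": ["10 mail.example.com"],
    "TXT": ["v=spf1 include:_spf.example.com -all"],
}


@dataclass
class Finding:
    rtype: str
    added: Set[str] = field(default_factory=set)
    removed: Set[str] = field(default_factory=set)
    severity: str = "info"


def normalize(records: Dict[str, List[str]]) -> Snapshot:
    """Lowercase and strip trailing dots so 'NS1.EXAMPLE.NET.' == 'ns1.example.net'."""
    return {
        rtype.upper(): {v.strip().lower().rstrip(".") for v in values}
        for rtype, values in records.items()
    }


def diff_snapshot(baseline: Snapshot, observed: Snapshot) -> List[Finding]:
    """Return one Finding per record type whose value set changed."""
    findings = []
    for rtype in sorted(set(baseline) | set(observed)):
        before = baseline.get(rtype, set())
        after = observed.get(rtype, set())
        added, removed = after - before, before - after
        if not added and not removed:
            continue
        # NS drift = the delegation moved (registrar/registry level);
        # A/AAAA/CNAME/MX drift = the site or its mail is being redirected.
        if rtype == "NS":
            severity = "critical"
        elif rtype in ("A", "AAAA", "CNAME", "MX"):
            severity = "high"
        else:
            severity = "info"
        findings.append(Finding(rtype, added, removed, severity))
    return findings


def check_domain(baseline: Dict[str, List[str]], observed: Dict[str, List[str]]) -> List[Finding]:
    return diff_snapshot(normalize(baseline), normalize(observed))


def needs_alert(findings: List[Finding]) -> bool:
    return any(f.severity in ("critical", "high") for f in findings)


if __name__ == "__main__":
    for f in check_domain(BASELINE, OBSERVED):
        print(f"[{f.severity}] {f.rtype}: +{sorted(f.added)} -{sorted(f.removed)}")
    print("ALERT" if needs_alert(check_domain(BASELINE, OBSERVED)) else "ok")
```

Normalizing before comparing matters: registrars and resolvers differ in case and in whether they return the trailing dot, and a naive string comparison would page the on-call engineer for a cosmetic difference while the MX line above, which is unchanged, shows the intended behaviour.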

In July 2024, several DeFi platforms that provide financial services using blockchain technology warned that their website domains were redirecting to phishing sites that were designed to steal cryptocurrencies and NFTs from connected cryptocurrency wallets.

DeFi platform Compound Labs posted on X (formerly Twitter) on July 11th that its main domain had been hijacked and urged users to avoid accessing the site.



Celer Network, a company that provides scaling solutions for blockchain applications, also reported that it was the target of a DNS hijacking attack, but detected it early and restored all of its DNS records.



Pendle, a DeFi protocol for trading token yields, was also hit by a similar attack and urged users to take precautions such as checking their address bar and clearing their browser cache.



All of the affected domains in this case were registered with the same registrar, Squarespace. A registrar accepts domain registration applications from users and enters the registration data into the registry's database.

Squarespace was originally a company that provided website building and hosting services, but in 2023 it acquired Google Domains, Google's domain registration service. As a result, approximately 10 million domains managed by Google Domains were to be transferred to Squarespace.

Google plans to sell its domain registration service 'Google Domains' to Squarespace and transfer all users, what will happen to users who have already purchased domains? - GIGAZINE



The exact method of the hack is unclear, but experts believe there may have been a security issue with the account recreation procedure involved in transferring a domain from Google Domains to Squarespace.

When users whose domains were transferred from Google Domains to Squarespace created new accounts on Squarespace, they could choose to use either the social sign-up options from Google or Apple, or their email address. When they signed up using the email address associated with their domain, they were able to create a Squarespace account without password authentication.

It is believed that hackers exploited this vulnerability to create Squarespace accounts before the legitimate domain owners did, and then redirected the domains to malicious websites.

Security researcher Taylor Monahan pointed out that Squarespace did not send email notifications for some actions, giving legitimate domain owners no control over what was going on in their Squarespace accounts. 'For people who are accustomed to the controls that Google provides and expect them to have from Squarespace, this is simply not possible,' Monahan said.
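The two weaknesses described above, an account that can be created and attached to a transferred domain on the strength of an email address alone, and sensitive actions that generate no notification to the owner, can be shown side by side in a small model. The following is an added example and a hypothetical simplification, not Squarespace's or Google's code; the `Registrar` class, its `pending_domains` table (the owner email recorded for each transferred domain) and the `outbox` list standing in for outgoing mail are all constructed for illustration. `claim_insecure` models the weak default, while `start_claim`/`finish_claim` model a hardened flow: a single-use, expiring proof-of-control token that only reaches the mailbox owner, and a notification whenever a domain is attached to an account.

```python
"""Weak vs. hardened account-claim flow for transferred domains (added, hypothetical model)."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Registrar:
    # domain -> owner email recorded at the previous registrar (constructed data)
    pending_domains: dict
    accounts: dict = field(default_factory=dict)   # email -> {"domains": set()}
    tokens: dict = field(default_factory=dict)     # token -> (email, expires_at)
    outbox: list = field(default_factory=list)     # (recipient, subject) of mails "sent"
    token_ttl: int = 900                            # seconds a claim token stays valid

    def _attach_pending(self, email: str, notify: bool) -> dict:
        acct = self.accounts.setdefault(email, {"domains": set()})
        for domain, owner in self.pending_domains.items():
            if owner == email:
                acct["domains"].add(domain)
                if notify:
                    self.outbox.append((email, f"domain {domain} attached to your account"))
        return acct

    # --- weak default: whoever submits the right email gets the account and the domain
    def claim_insecure(self, email: str) -> dict:
        # No proof that the caller controls the mailbox, and no notification to the owner.
        return self._attach_pending(email, notify=False)

    # --- hardened flow, step 1: issue a token that only the mailbox owner can read
    def start_claim(self, email: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (email, now + self.token_ttl)
        self.outbox.append((email, "confirm your account claim"))
        return token

    # --- hardened flow, step 2: the token must be unexpired, unused and bound to this email
    def finish_claim(self, email: str, token: str, now: int):
        entry = self.tokens.pop(token, None)   # pop makes the token single-use
        if entry is None:
            return None
        tok_email, expires_at = entry
        if now > expires_at or not hmac.compare_digest(tok_email, email):
            return None
        return self._attach_pending(email, notify=True)


if __name__ == "__main__":
    weak = Registrar({"example.com": "owner@example.com"})
    print("weak flow:", weak.claim_insecure("owner@example.com"), "mails:", weak.outbox)

    hardened = Registrar({"example.com": "owner@example.com"})
    tok = hardened.start_claim("owner@example.com", now=1000)
    print("hardened flow:", hardened.finish_claim("owner@example.com", tok, now=1100))
    print("replayed token:", hardened.finish_claim("owner@example.com", tok, now=1100))
    print("mails:", hardened.outbox)
```

The point of the hardened version is that knowing the owner's email address is no longer enough: the caller has to present a token that was delivered only to that mailbox, within its lifetime, and the owner receives mail both when the claim starts and when a domain is attached, so an unexpected claim is visible before the records can be changed.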

in Web Service, Security, Posted by log1h_ik