Crypto websites registered to Squarespace are being hijacked and redirected by scammers

Multiple cryptocurrency projects registered with the Squarespace web hosting provider, were recently targeted with a coordinated DNS hijacking attack. The goal of the attack was to steal their users’ money.

DNS hijacking, also known as DNS redirection, is a type of cyberattack where attackers manipulate the Domain Name System (DNS) to redirect internet traffic to fraudulent websites. This can be done by modifying the DNS settings on a victim’s device, DNS server, or through other means.

So, when the users tried to visit the websites of any of these projects, they were instead redirected to a fake site, which asked them to reconnect their wallets. Users who didn’t find the request suspicious and did as asked, risked having their funds (both cryptocurrencies and NFTs) drained from their wallets, permanently.

Google Domains migration and MFA woes

Some of the projects who were targeted in this wave were Compound Finance, Celer Network, Pendle, and Unstoppable Domains. These confirmed, via social media, that they were attacked, and urged their customers to be careful and use secure alternatives. Users were also advised to revoke approvals for smart contracts, change passwords, and pull their funds to a new account.

At press time, it wasn’t entirely clear how the attackers managed to compromise these accounts. One of the affected projects, Pendle, believes it might have something to do with the recent migration from Google Domains.

“For context – Squarespace purchased all domain registrations and related customer accounts from Google Domains in June 2023, which forced the migration of domains,” Pendle explained in an X post.

“Recently, attackers exploited a vulnerability in Squarespace, hijacking domains hosted on their platform. Security experts are still working out the exact mechanism for the hijacking attacks, but many domains (including Pendle’s) that were migrated from Google to Squarespace have been affected.”

A BleepingComputer report suggests that this “vulnerability” was actually multi-factor authentication (MFA) being disabled as part of the migration. The publication states that there is a Squarespace support topic about Google Domains migration disabling MFA, which urged domain owners to re-enable it.