Squarespace Hacked – DeFi Wallets Emptied (Imaginary Money Stolen)
Cryptocurrency fans are losing their worthless tokens via phishing attacks on decentralized finance sites.
Hundreds of domains hosted at Squarespace were left wide open by a gaping security hole: according to researchers, NYSE:SQSP let anyone claim and hijack any domain migrated from the now-defunct Google Domains service. Naturally, the attackers went after cryptocurrency sites (since most of them are run by people who don’t know what they’re doing).
Yes, this is yet another story of weak DeFi security. In today’s SB Blogwatch, nothing of value was lost.
Your humble blogwatcher has selected these blog posts for your entertainment. Not to mention: Metallica in Punjab.
Failure
What’s happening? Bill Toulas reports: DNS hijacking targets crypto platforms registered with Squarespace
“Attack on SquareSpace Accounts”
A wave of coordinated DNS hijacking attacks is targeting decentralized finance (DeFi) cryptocurrency domains using registrar Squarespace, redirecting visitors to phishing sites hosting wallet drainers. … Those who entered information on the phishing sites should take immediate action, … including revoking smart contract approvals, changing passwords, and transferring funds to a new wallet.
…
While the exact cause … has yet to be determined, the compromised domains were all originally registered to Google Domains, which were then forcibly transferred to Squarespace in 2023 as part of an asset purchase agreement with Google. … However, as part of the transition to Squarespace, multi-factor authentication was disabled.
…
Other Squarespace customers have also reported receiving suspicious password reset emails, which could indicate that this is part of a broader credential attack on SquareSpace accounts. [We] have reached out to Squarespace for comment on the situation, but are still awaiting a response.
What went wrong? samczsun, tayvano and AndrewMohawk know:
“Stealing the domain efficiently”
Contrary to early reports, the attacks were not caused by user negligence, such as reusing weak passwords or not enabling multi-factor authentication. … By default, Squarespace does not require email verification for new accounts created with a password. … As it stands, Squarespace is simply not a viable option for anyone [who] requires deeper control over their domains.
…
Squarespace never considered the possibility that a malicious actor could create an account using an email address associated with a recently migrated domain before the legitimate owner of the email address created the account themselves. Unfortunately, many domain contributors never created their Squarespace account, either because they forgot they had been granted contributor access or because they didn’t anticipate the security implications of inaction, making it relatively easy for a malicious actor to get ahead of them.
…
If you’ve gained unauthorized access to a Squarespace account [and] have “owner” permissions, you can simply transfer the domain … thus stealing the domain itself. [Or] if you have “manager” permissions, you can … modify DNS records. … Having a Google Workspace administrator account allows the threat actor … to access historical emails, anything in Google Drive, Google Calendar, Google Docs, etc. [and] to turn to third-party services such as custody services or other financial accounts.
ELI5? dboreham explains it like we’re five:
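To make the account-claim flaw in the quotes above concrete, here is a small added model (not Squarespace’s or the researchers’ code) of a registrar that holds roles migrated from Google Domains keyed only by e-mail address. The domain, addresses and role names are constructed; password storage is left out because the point is when migrated roles get attached: the insecure signup hands them to whoever registers the address first, the hardened signup withholds them until the inbox proves it received a one-time token.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data: roles migrated from Google Domains for a hypothetical
# DeFi front-end domain, keyed only by the contributor's e-mail address.
MIGRATED_ROLES = {
    "ops@example-defi.invalid": {"example-defi.invalid": "owner"},
    "dev@example-defi.invalid": {"example-defi.invalid": "manager"},
}

@dataclass
class Account:
    email: str
    verified: bool
    roles: dict = field(default_factory=dict)

class Registrar:
    def __init__(self):
        self.accounts = {}
        self.pending_tokens = {}  # email -> outstanding verification token
        self.outbox = []          # (email, token) messages; only the real mailbox owner reads them

    def signup_insecure(self, email):
        """The flaw: first to register the e-mail inherits its migrated roles, no inbox proof needed."""
        if email in self.accounts:
            raise ValueError("account already exists")
        acct = Account(email, verified=True, roles=dict(MIGRATED_ROLES.get(email, {})))
        self.accounts[email] = acct
        return acct

    def signup_hardened(self, email):
        """The fix: create the account unverified, withhold migrated roles, mail a one-time token."""
        if email in self.accounts:
            raise ValueError("account already exists")
        acct = Account(email, verified=False)
        self.accounts[email] = acct
        token = secrets.token_urlsafe(32)
        self.pending_tokens[email] = token
        self.outbox.append((email, token))
        return acct

    def verify(self, email, token):
        """Roles attach only when the caller presents the token that was mailed to the address."""
        acct = self.accounts.get(email)
        expected = self.pending_tokens.get(email)
        if acct is None or expected is None or not secrets.compare_digest(expected, token):
            return False
        del self.pending_tokens[email]  # single use
        acct.verified = True
        acct.roles = dict(MIGRATED_ROLES.get(email, {}))
        return True
```

Under the hardened flow a squatter who registers a contributor’s address before the legitimate owner ends up with an empty, unverified account, while the owner completing verification still receives the migrated roles.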
What [Squarespace] did: Put a billion DNS registration accounts in a state of limbo where anyone… could guess the email address associated with an account, could… obtain valid authentication information for the account, …without any verification that it came from the owner of the associated email address.
Whodunit? Ido Ben-Natan spoke to Sebastian Sinclair: Hundreds of DeFi Protocol Front-Ends Still Under Threat
“Inferno Drainer Group”
The incident … involved attackers targeting DNS records hosted on Squarespace. These records were redirected to IP addresses associated with known malicious activity [hosting] a page that drains funds from connected wallets.
…
“The association with Inferno Drainer is clear [from the] shared onchain and offchain infrastructure,” Ben-Natan said. “This includes onchain wallet and smart contract addresses as well as offchain IP addresses and domains related to Inferno.”
…
It works by tricking users into signing malicious transactions that give the attacker control over their digital assets. … The Inferno Drainer group has been active for some time, targeting various DeFi protocols and exploiting different vulnerabilities.
Ah, the curse of Google’s dead products. WillPostForFood looks hungry:
It’s clear that Squarespace is the culprit here. But damn, I’m still pissed that Google shut down Domains, and I can’t help but direct some anger at them for abandoning another product.
RIP, Google Domains. Denis agrees:
It’s a shame that Google let us down in this endeavor. They’ve done it so many times before that I thought they’d learned their lesson.
I tried moving my domains from Squarespace after looking at their control panel. And it’s… a pain to migrate your domains.
However, this is not directly Google’s fault. Squarespace deserves most of the blame – and ecofeco is not surprised:
Having used Squarespace on several occasions on behalf of clients, I can say that it’s a patently crappy ecosystem, so I’m not surprised that it has some glaring holes.
Let’s not forget that the “victims” are imaginary-money sites. Retired chemist observes that this scene is Dunning-Kruger AF:
Cryptocurrency companies. You would think they would be both security conscious and reasonably savvy on these topics. The real world never ceases to amaze me.
Meanwhile, the prize for “best nominative determinism” goes to cynical security: [You’re fired—Ed.]
Squarespace spends a lot on marketing. They probably don’t have money to hire engineers anymore.
And finally:
Lars and James are die-hard fans
You have been reading SB Blogwatch by Richi Jennings. Richi handpicks the best blog posts, forums, and weirdest websites, so you don’t have to. Hate mail can be sent to @RiCHi, @richij, @richi@vmst.io, @richi.bsky.social or sbbw@richi.uk. Consult your physician before reading. Your mileage may vary. Past performance does not guarantee future results. Do not look into the laser with the remaining eye. E&OE. 30.
Image sauce: Creativity103 (cc:by; leveled and cropped)