Several cryptocurrency projects registered with web hosting provider Squarespace were recently targeted in a coordinated DNS hijacking attack. The goal of the attack was to steal their users’ funds.
DNS hijacking, also known as DNS redirection, is a type of cyberattack in which attackers manipulate the Domain Name System (DNS) to redirect internet traffic to fraudulent websites. This can be done by changing the DNS settings on a victim’s device, DNS server, or through other means.
So when users tried to visit the websites of any of these projects, they were instead redirected to a fake site, which asked them to reconnect their wallets. Users who didn’t find the request suspicious and did as asked risked having their funds (both cryptocurrencies and NFTs) permanently removed from their wallets.
Google Domains Migration and MFA Issues
Some of the projects targeted in this wave included Compound Finance, Celer Network, Pendle, and Unstoppable Domains, which confirmed on social media that they had been attacked and urged their customers to be cautious and use safe alternatives. Users were also advised to revoke smart contract approvals, change passwords, and transfer their funds to a new account.
At the time of going to press, it was not entirely clear how the attackers managed to compromise these accounts. One of the affected projects, Pendle, believes it may have something to do with the recent migration of Google Domains.
“For comparison, Squarespace purchased all domain registrations and associated customer accounts from Google Domains in June 2023, making the domain migration necessary,” Pendle explains in an X post.
“Recently, attackers exploited a vulnerability in Squarespace by hijacking domains hosted on their platform. Security experts are still working out the exact mechanism for the hijacking attacks, but many domains (including Pendle’s) that were migrated from Google to Squarespace were affected.”
a BleepingComputer The report suggests that this “vulnerability” was actually multi-factor authentication (MFA) being disabled as part of the migration. The publication notes that there is a Squarespace support topic about Google Domains migration disabling MFA, urging domain owners to re-enable it.