Attackers are hijacking domains to steal crypto assets.
Many web3 companies are reporting that their domains registered at Squarespace (NYSE: SQSP) have been hijacked.
Earlier today, Unstoppable Domains wrote on X that it is a victim. It is concerned that people are spoofing the company in email and might create a fake website to try to drain crypto wallets.
The problem started impacting many crypto companies yesterday.
Michael Coates, COO and CISO at Coinlist, explained how the attack works:
1. The attackers are gaining unauthorized access to Squarespace and adjusting settings to forward all email to an attacker's email address at an http://proton.me address.
2. The attacker then initiates password resets at important third-party services such as chat services and custodians. These resets are targeting specific individuals the attackers believe have admin access to the accounts.
3. If the email forwarding attack was successful, then the password resets would be sent to the attacker; they'd be able to extract the password reset URLs and then take over the third-party services.
4. Attackers would then use all of this access to either directly drain funds or modify websites to include malicious code to compromise users.
You might be surprised that so many crypto companies have domains at Squarespace. This is because the domains were at Google Domains, which sold its domain name business to Squarespace last year.
It’s unclear exactly how the attackers are getting access to accounts.
While Unstoppable Domains did not have Verisign Registry lock on its domain, this might not have prevented the type of attack that is occurring.
I have contacted Squarespace for comment and will update this post when I hear back.