Squarespace Customers Targeted in Domain Hijacking Campaign
Squarespace, a popular website building and hosting platform, has recently issued a security advisory warning its customers of an ongoing domain hijacking campaign. The attacks, which began around July 10, 2024, have primarily targeted domains transferred from Google Domains following Squarespace’s acquisition of the service in September 2023.
The acquisition of Google Domains by Squarespace initiated a migration process in which customer data and domain registrations were transferred to Squarespace. However, this transition appears to have opened a weakness that led to unauthorized access to several domains. The exact method used by the attackers remains unclear, but initial investigations point to possible avenues such as compromised email accounts, reused passwords, or other weaknesses inherent to the migration process.
Once inside, the threat actors wasted no time escalating their access. By gaining administrative control, they manipulated DNS records to hijack domain content and intercept emails. This manipulation included changing A records to control the domain’s content and MX records to intercept future emails, enabling them to reset passwords and gain further access.
An alarming revelation is that during the migration Squarespace, as a Google Workspace reseller, inherited the ability to create new Google Workspace administrators, and the attackers leveraged this access to escalate privileges within the Google Workspace environment. Where no Google Workspace tenant was linked to a domain, the attackers created new tenants, thereby broadening their control.
Squarespace has recommended several mitigation steps for its customers, including enabling two-factor authentication (2FA), removing unnecessary contributor accounts, and reviewing DNS records for unauthorized changes. The company also advises transferring domains to a different registrar if possible.
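As an added illustration of the "review DNS records for unauthorized changes" step (example code, not part of the advisory or any Squarespace tooling), the script below diffs a domain's A and MX records against a known-good baseline and flags the two changes the campaign relied on. The baseline values and the observed snapshot are constructed; in practice the observed set would come from a resolver query.

```python
# Added example (not from the Squarespace advisory): diff a domain's current A and MX
# records against a known-good baseline and flag the changes the campaign relied on
# (A records pointed elsewhere, MX records swapped to intercept mail).
# OBSERVED_HIJACKED is a constructed snapshot; live data would come from a resolver.
from dataclasses import dataclass

# Known-good records kept by the domain owner (constructed values).
BASELINE = {
    "A": {"203.0.113.10"},
    "MX": {(1, "aspmx.l.google.com."), (5, "alt1.aspmx.l.google.com.")},
}
# Constructed snapshot showing the hijack pattern: web and mail both redirected.
OBSERVED_HIJACKED = {
    "A": {"198.51.100.77"},
    "MX": {(10, "mail.attacker-controlled.example.")},
}
# What an unexpected change to each record type lets an attacker do.
IMPACT = {
    "A": "web content can be replaced (phishing pages, malware)",
    "MX": "inbound mail can be intercepted (password resets, 2FA codes)",
}

@dataclass(frozen=True)
class Finding:
    rtype: str
    added: frozenset
    removed: frozenset
    impact: str

def diff_dns_baseline(baseline, observed):
    """One Finding per record type whose observed set differs from the baseline.
    A record type missing on either side counts as an empty set, so deletions
    and newly added types are flagged as well."""
    findings = []
    for rtype in sorted(set(baseline) | set(observed)):
        want, have = set(baseline.get(rtype, ())), set(observed.get(rtype, ()))
        if want != have:
            findings.append(Finding(rtype, frozenset(have - want), frozenset(want - have),
                                    IMPACT.get(rtype, "unexpected record change")))
    return findings

def report(findings):
    """Human-readable summary; no findings means the records match the baseline."""
    if not findings:
        return "OK: records match baseline"
    return "\n".join(f"ALERT {f.rtype}: added={sorted(map(str, f.added))} "
                     f"removed={sorted(map(str, f.removed))} -> {f.impact}"
                     for f in findings)

if __name__ == "__main__":
    print(report(diff_dns_baseline(BASELINE, OBSERVED_HIJACKED)))
```

Running the check on a schedule and alerting on any finding gives early warning that a registrar-side compromise has redirected web traffic or mail, which is the point at which password-reset interception becomes possible.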