DeFi apps on Squarespace are vulnerable to a DNS hijacking attack that redirects users to malicious sites

Over 120 DeFi protocols are potentially vulnerable, including Compound and Celer Network. Learn more about the DeFi security risk and how to protect yourself.

Hackers are redirecting users of DeFi (Decentralized Finance) applications hosted on Squarespace to phishing sites in an ongoing DNS hijacking attack.

The attack, which began on July 11, saw hackers gain control of the DNS registry for Compound Finance and attempted to take over Celer Network’s registry.

By compromising the DNS records, the attackers were able to intercept traffic to the legitimate DeFi platforms and redirect users to phishing sites, which attempted to harvest sensitive information and drain users’ funds.

"This incident is still ongoing – we are seeing new malicious sites impersonating additional brands being created by the same attackers," Blockaid noted in a tweet late on July 12.

"We urge projects to double check their domain security settings – feel free to reach out by DM for additional security guidance."

The attack was detected after users noticed that Compound’s interface led to a malicious website hosting a token-draining application, while Celer Network confirmed an attempted domain takeover, which was prevented by its monitoring system.

Both protocols acknowledged the attack in separate statements.

Further investigation revealed that the attacker is specifically targeting Squarespace domain names, putting any DeFi app with a Squarespace domain at risk.

In response to the attack, MetaMask has implemented a warning system to flag potentially compromised DeFi apps, adding an extra layer of security to protect users from interacting with malicious websites.

While the precise methods used by the attackers are still being determined, it is speculated that the attack vector may have originated from Google domain accounts used by these protocols.

Squarespace notably acquired nearly 10 million domains hosted on Google Domains for $180 million in 2023, which could have provided the attackers with a potential entry point to access sensitive DNS information.

The DeFi space is still in its early stages, and security remains a top concern. In December 2023, an attacker managed to inject malicious code into the Ledger Connect library, impacting the Ethereum Virtual Machine ecosystem.

These incidents highlight the critical need for DeFi developers to prioritize robust security measures and for users to exercise caution when interacting with DeFi apps, especially those built on less rigorous security practices.