At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven’t set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn’t yet been registered, merely by supplying an email address tied to an existing domain.

The Squarespace domain hijacks, which took place between July 9 and July 12, appear to have mostly targeted cryptocurrency businesses, including Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains. In some cases, the attackers were able to redirect the hijacked domains to phishing sites set up to steal visitors’ cryptocurrency funds.

New York City-based Squarespace purchased roughly 10 million domain names from Google Domains in June 2023, and it has been gradually migrating those domains to its service ever since. Squarespace has not responded to a request for comment, nor has it issued a statement about the attacks.

But an analysis released by security experts at Metamask and Paradigm finds the most likely explanation for what happened is that Squarespace assumed all users migrating from Google Domains would select the social login options — such “Continue with Google” or “Continue with Apple” — as opposed to the “Continue with email” choice.

Taylor Monahan, lead product manager at Metamask, said Squarespace never accounted for the possibility that a threat actor might sign up for an account using an email associated with a recently-migrated domain before the legitimate email holder created the account themselves.

“Thus nothing actually stops them from trying to login with an email,” Monahan told KrebsOnSecurity. “And since there’s no password on the account, it just shoots them to the ‘create password for your new account’ flow. And since the account is half-initialized on the backend, they now have access to the domain in question.”

Sometime in the last 24 hours, Squarespace removed the ability for people to create an account with just an email address. That option was available when KrebsOnSecurity created a test Squarespace account on Saturday (it’s unclear whether Squarespace ever sent a confirmation email from that signup, but I still haven’t received one).

What’s more, Monahan said, Squarespace did not require email verification for new accounts created with a password.

“The domains being migrated from Google to Squarespace are known,” Monahan said. “It’s either public or easily discernible info which email addresses have admin of a domain. And if that email never sets up their account on Squarespace — say because the billing admin left the company five years ago or folks just ignored the email — anyone who enters that email@domain in the squarespace form now has full access to control to the domain.”

The researchers say some Squarespace domains that were migrated over also could be hijacked if attackers discovered the email addresses for less privileged user accounts tied to the domain, such as “domain manager,” which likewise has the ability to transfer a domain or point it to a different Internet address.

Monahan said the migration has left domain owners with fewer options to secure and monitor their accounts.

“Squarespace can’t support users who need any control or insight into the activity being performed in their account or domain,” Monahan said. “You basically have no control over the access different folks have. You don’t have any audit logs. You don’t get email notifications for some actions. The owner doesn’t get email notification for actions taken by a ‘domain manager.’ This is absolutely insane if you’re used to and expecting the controls Google provides.”

The researchers have published a comprehensive guide for locking down Squarespace user accounts, which urges Squarespace users to enable multi-factor authentication (disabled during the migration).

“Determining what emails have access to your new Squarespace account is step 1,” the help guide advises. “Most teams DO NOT REALIZE these accounts even exist, let alone theoretically have access.”

The guide also recommends removing unnecessary Squarespace user accounts, and disabling reseller access in Google Workspace.

“If you bought Google Workspace via Google Domains, Squarespace is now your authorized reseller,” the help document explains. “This means that anyone with access to your Squarespace account also has a backdoor into your Google Workspace unless you explicitly disable it by following the instructions here, which you should do. It’s easier to secure one account than two.”

Read More

Barracuda has observed attackers using three different URL protection services to mask their phishing URLs, bypassing email security tools

Read More

The content of this post is solely the responsibility of the author.  LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Smart technologies are being quickly adopted by the hospitality sector in order to improve guest experiences and improve operations. However, hotels are also popular targets for cybercriminals due to their extensive collection of data and increased connectivity.

These linked devices have flaws that could allow for illegal access and data breaches, risking the security and privacy of visitors. This article examines the cybersecurity risks related to these technologies and provides helpful advice on how passengers may protect their data while taking advantage of these benefits.

Smart Technologies and the Risks that They Bring

A new wave of technology in the hotel sector promises to improve visitor experiences and operational effectiveness. Smart technologies like IoT-enabled gadgets and AI-powered services are being incorporated into modern hotels. These include mobile check-in, keyless entry for a quick, contactless experience, AI-powered chatbots and automated concierge systems for smooth guest interactions, smart in-room entertainment systems that allow guests to control various aspects of their environment via voice commands or smartphone apps, and smart thermostats for customized climate control.

While these innovations significantly enhance convenience and personalization, they also introduce considerable cybersecurity risks. The interconnected nature of these devices and the vast amounts of data they handle make hotels and Airbnb rooms attractive targets for cybercriminals.

Here are some of the most dangerous cybersecurity threats facing modern hospitality settings.

Data Breaches

Data breaches are a major concern in the hospitality industry due to the vast amounts of sensitive guest information collected and stored. High-profile incidents, such as the Marriott data breach in 2018, which affected up to 500 million guest records, underscore the severity of this threat. Compromised data often includes personal identification details, credit card information, and even passport numbers, leading to significant financial and reputational damage for the affected hotels and Airbnb hosts​.

IoT Vulnerabilities

The globalization of IoT devices in accommodation businesses like hotels and Airbnb properties increases the attack surface for cybercriminals. Each connected device represents a potential entry point for hackers. For instance, vulnerabilities in smart thermostats or lighting systems can be exploited to gain access to the broader network, compromising other critical systems and guest data​.

Phishing and Social Engineering

Phishing attacks and social engineering tactics are prevalent in the hospitality industry. Cybercriminals often target staff and guests with deceptive emails or messages designed to steal login credentials or other sensitive information. These attacks can lead to unauthorized access to systems and data breaches​.

Point of Sale (POS) Systems

POS systems handle numerous financial transactions, making them attractive to hackers. Attacks on POS systems can involve malware that captures credit card information before it is encrypted. Such incidents have occurred at several major hotel chains, including Hilton, which faced significant data breaches due to vulnerabilities in their POS systems​.

Hotel and Airbnb Wi-Fi Networks

Unsecured Wi-Fi networks in hotels and Airbnb rentals pose significant risks to both guests and operations. Cybercriminals can exploit vulnerabilities in these networks to intercept data transmitted by guests or to launch attacks on internal systems. This can lead to significant data breaches and operational disruptions​.

Third-Party Vendors

Hotels and Airbnb hosts often rely on third-party vendors for various services, including payment processing and guest management systems. These vendors can introduce additional cybersecurity risks if they do not adhere to robust security standards. A breach at a third-party vendor can compromise data and systems, making it vital to ensure partners follow strict cybersecurity protocols​.

Ransomware

Ransomware attacks, where hackers lock systems and demand a ransom to restore access, are becoming increasingly common. These attacks can cripple operations, preventing guests from checking in or out and disrupting services. The financial and operational impact of ransomware attacks can be devastating, leading to significant losses and reputational damage​.

Cybersecurity Best Practices for Hotels

While travelers can adopt practical tips to protect their personal information—such as using secure networks, creating strong passwords, monitoring bank statements, and being cautious with personal information—the primary responsibility for cybersecurity rests with the hotels. According to John Nousis, a seasoned professional in the hospitality industry and co-founder of Travelmyth, a hotel search engine focusing on travelers’ specific interests and needs, “In today’s digital age, ensuring the cybersecurity of our guests is as important as providing them with a comfortable stay. At Travelmyth, we help travelers, especially professionals, find hotels that meet their specific needs, including those with strong cybersecurity measures.”

But how can hotels achieve the best possible security for their clients? There are certain practices every hotel should follow in 2024 according to Mr. Nousis. Here are some of his suggestions:

Network Segmentation

Hotels should separate guest and administrative networks to prevent unauthorized access. By isolating guest Wi-Fi from internal systems, hotels can limit the potential damage of a cyber attack. This approach helps contain breaches and protects sensitive operational data from being accessed through guest networks​.

Multi-Factor Authentication (MFA)

Implementing MFA adds an extra layer of security to hotel systems. Requiring multiple forms of authentication, such as a password and biometric verification, significantly enhances protection against unauthorized access. This is particularly important for accessing sensitive data and critical systems​.

Regular Security Audits and Updates

Regular security audits help identify vulnerabilities in hotel systems. Keeping software and hardware up-to-date ensures that known security issues are addressed promptly. Frequent updates and patches are essential to protect against the latest cyber threats​.

Employee Training

Educating staff about cybersecurity threats and best practices is crucial. Regular training sessions can help employees recognize phishing attempts and other social engineering tactics. A well-informed staff is a strong line of defense against cyber attacks​.

“By adopting these cybersecurity best practices, hotels can significantly reduce the risk of cyber threats and ensure a safer environment for their guests. Travelers, meanwhile, should remain aware and follow basic cybersecurity tips to protect their personal information while enjoying these modern conveniences,” Mr. Nousis concludes.

Conclusion

The cybersecurity environment in the hotel sector will change as smart technologies continue to progress. Though they are going to keep improving visitor experiences, AI systems and IoT devices will also become more advanced and provide new security risks. For the protection of their visitors’ data, hotels need to take the initiative to have strong cybersecurity safeguards in place. In this continuous effort, regular updates, network segmentation, multi-factor authentication, and comprehensive employee training serve as key factors.

The future will demand even more awareness and innovation in cybersecurity practices. By staying ahead of potential threats and continuously improving their defenses, hotels can ensure that the benefits of smart technologies are enjoyed safely. Both hotels and travelers must remain informed and cautious, embracing the conveniences of modern technology while prioritizing security.

Read More

US pharmacy chain Rite Aid has confirmed a cybersecurity ‘incident’ in June

Read More

Google is in talks to acquire security startup Wiz Security

Read More