We don’t think too highly of the current state of security journalism, so we were not surprised to see a journalist covering a situation where what seems to be the significant and newsworthy element was not the focus of their article.
Today, Ars Technica has a story headlined “Thousands of hacked websites are infecting visitors with malware“. That doesn’t seem all that newsworthy. The sub-headline hints at something possibly newsworthy, “Unusually advanced campaign infects people visiting a variety of poorly secured sites.” Nothing in the article though seems to back that up; here is part of what that seems to refer to:
To escape detection, the attackers fingerprint potential targets to ensure, among other things, that the fake update notifications are served to a single IP address no more than once. Another testament to the attackers’ resourcefulness: the update templates are hosted on hacked websites, while the carefully selected targets who fall for the scam download a malicious JavaScript file from DropBox. The JavaScript further checks potential marks for virtual machines and sandboxes before delivering its final payload. The resulting executable file is signed by an operating-system-trusted digital certificate that further gives the fake notifications the appearance of legitimacy.
To us that sounds like some rather common stuff.
One of These is Not Like the Others
Another part of the story did stand out to us though:
The campaign, which has been running for at least four months, is able to compromise websites running a variety of content management systems, including WordPress, Joomla, and SquareSpace.
Lumping SquareSpace in with WordPress and Joomla seems rather odd since SquareSpace is hosted solution and the other two are software that people can install on any hosting. There is certainly a belief that SquareSpace is secure in a way that those solutions are not. For example, when doing a search on Twitter for “squarespace hacked” here are some of the top results:
https://twitter.com/mechaghost/status/979373780458876930
https://twitter.com/DesertDwellerD/status/950095157411500032
https://twitter.com/HeshamMegid/status/941650745606230016
https://twitter.com/pepironalds/status/889314095152807936
How Would a SquareSpace Website Get Hacked?
Considering how often we have seen false information being reported by security journalists, the claim that SquareSpace websites were hacked wasn’t necessarily true, so we went to look closer into that. An explanation from a SquareSpace customer as how their website was hacked, apparently as part of the campaign discussed in the Ars Technica article, is as follows:
Customer notified us that our site may be hacked. Sure enough I went to it and noticed it basically redirected me to a full page “your version of chrome needs updating” which looked super fake, and then Norton caught a download saying Chrome_67.9.17.js will harm your computer, do you want it keep it anyways.
So i login to the admin panel and in the GIT HISTORY it shows that one of my users which has never even logged in before, has sent an upload: site-bundle.js last week, along with some other big list of files
How do I go about doing anything about this? I’m not used to squarespace. In the old days I’d just login to my FTP and start navigating to the files in question. But I have no clue with this stuff.
It sounds like someone’s login credentials were compromised. That is something that is platform independent, which seems like a good reminder that the focus on the software used on hacked websites can be misplaced since websites can be hacked for a variety of reason outside the control of the software. That makes journalists usual lack of concern on how websites were hacked so problematic, as a lot of people come away with a belief that certain software is insecure in a way it isn’t. That can lead to people being less secure as they can come away with a belief that software that is actually more secure than other software is less secure, due to poor security coverage.
As to whether SquareSpace is better able to handle this situation as hosted solution, one thing we ran across while looking into this seemed less than reassuring. In a help article titled, ‘Google says “This site may be hacked”‘ they write the following:
Google applies this message to sites when they notice something that seems suspicious, which can include normal content, especially if it has external text formatting.
This means that the message was most likely triggered by content you added to your site, not by hackers. You can use Google Search Console to figure out what’s causing the message and remove it.
Squarespace offers free SSL certificates to provide a secure connection for visitors. We use many other methods to protect our customers, including regular security scans and industry-developed and proprietary tools to guard against potential intruders, DDoS attacks, and other vulnerabilities.
We really can’t figure what the relevance of them providing secured connections (which involved more than just SSL certificates) to visitors of websites would have to do with the issue they are discussing there.