I have played with our SSL cert check tool https://keychest.net , testing SSL certs of various web servers.<p>When I did it for "squareup.com", I got a few additional domains present in the cert, including "gosq.com", which turns out to be a public service, a "card transaction search".<p>You enter your last 4 card digits, an expiry date, a transaction date and a transaction value, and it will show you a receipt.<p>It appears to be a legitimate service - available from support pages. It just feels really wrong. The "search space" seems to me pretty small to get loads of random hits. (Even though there's a limit in the number of tries.)