Polyfill attack redirected victims to gambling sites to carry out supply chain attack

More details have emerged surrounding FUNNULL, the company that bought the Polyfill.io service and used it to launch a major supply chain attack?

New research claims the service is now being used as part of an enormous money-laundering scheme that involves tens of thousands of fake gambling sites for Chinese victims.

Security researchers Silent Push published a new report claiming to have mapped out a network of 40,000 Chinese gambling sites, propped up by FUNNULL, and redirected to using Polyfill. In its attack, FUNNULL impersonated a dozen brands from the gambling industry, and used more than 200,000 unique hostnames, 95% of which were created using Domain Generation Algorithms.

No workaround

Polyfill.io grants modern functionalities on older browsers, allowing web developers to use modern web standards without worrying about compatibility. The service, and accompanying domain, was acquired February 2024 by a little-known company called FUNNULL. Subsequent investigation has shown that the company is of Chinese origin, and most likely completely fake and non-existent.

When FUNNULL acquired Polyfill, its original developers urged the users (approximately 100,000 websites) to stop using it immediately, and go for safe alternatives (both Cloudflare and Fastly propped up legitimate mirrors at the time).

In June 2024, cybersecurity experts from Sansec warned that polyfill was serving malware. "This domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io," Sansec said at the time. Google also chimed in, notifying affected advertisers about their landing pages now possibly redirecting visitors away from their intended destination, and towards possibly malicious websites.

Earlier this week, security researchers from Silent Push published a new report, claiming to have mapped out a network of 40,000 Chinese gambling sites, propped up by FUNNULL, and redirected to using polyfill.

In its attack, FUNNULL impersonated a dozen brands from the gambling industry, and used more than 200,000 unique hostnames, 95% of which were created using Domain Generation Algorithms.

The websites were most likely used for money laundering, and other schemes, with Silent Push believing FUNNULL is directly linked to the Lazarus Group, a notorious North Korean state-sponsored threat actor that’s known for targeting cryptocurrency users.

Via TechCrunch

More from TechRadar Pro



Post a Comment

0 Comments