Wed. Nov 27th, 2024
Polyfill attack redirected victims to gambling sites to carry out supply chain attack


Remember FUNNULL, the company that bought the Polyfill.io service and used it to launch a major supply chain attack?

New research says that the service is now being used as part of an enormous money-laundering scheme that involves tens of thousands of fake gambling sites for Chinese victims.

Here is a little background: Polyfill.io is a service that provides polyfills, small scripts that add modern browser features to older browsers, so web developers can use modern web standards without worrying about compatibility. The service, and the accompanying domain, was acquired this February by a little-known company called FUNNULL. Subsequent investigation has shown that the company is of Chinese origin and is most likely completely fake and non-existent.

When FUNNULL acquired Polyfill, its original developers urged its users (approximately 100,000 websites) to stop using it immediately and switch to safe alternatives (both Cloudflare and Fastly set up legitimate mirrors at the time).

No workaround

In June this year, cybersecurity experts from Sansec warned that Polyfill.io was serving malware. “This domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io,” Sansec said at the time. Google also chimed in, notifying affected advertisers that their landing pages could now be redirecting visitors away from their intended destination and towards possibly malicious websites.
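The practical defender's question raised by the Sansec warning is whether a site still embeds anything from cdn.polyfill.io. The following Python check is an added example, not code from the article, Sansec, TechCrunch or Silent Push: it parses a page's HTML and flags script, link and iframe tags whose source host is polyfill.io or a subdomain of it. The flagged domain set and the sample HTML are constructed for the example; in a real audit you would feed it the HTML of your own pages or templates.

```python
"""Flag third-party resources loaded from polyfill.io in a page's HTML.

Added example (not from the article). Assumes the only domain of interest is
polyfill.io and its subdomains, such as cdn.polyfill.io named in the Sansec quote.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain suffixes to flag. Matching is on the host, not on the raw string, so a
# lookalike such as "polyfill.io.example" is NOT matched (its host does not end
# in ".polyfill.io"), while "CDN.Polyfill.io" is (hosts are case-insensitive).
FLAGGED_DOMAINS = {"polyfill.io"}

# Tags and the attribute that names the remote resource they load.
RESOURCE_ATTRS = {"script": "src", "link": "href", "iframe": "src"}


def _host_of(url: str) -> str:
    """Return the lower-cased host of a URL; handles protocol-relative '//host/path'."""
    return (urlparse(url).hostname or "").lower()


def _is_flagged(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)


class _ResourceTagScanner(HTMLParser):
    """Collect (tag, url, line) for every resource tag pointing at a flagged host."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str, int]] = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)  # HTMLParser lower-cases tag names
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url and _is_flagged(_host_of(url)):
            line, _offset = self.getpos()
            self.findings.append((tag, url, line))


def find_polyfill_embeds(html: str) -> list[tuple[str, str, int]]:
    """Return every embed of a flagged domain found in the HTML, in document order."""
    scanner = _ResourceTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two polyfill.io embeds (one protocol-relative and
# mixed-case), one first-party script, one first-party stylesheet, and a
# lookalike host that must not be flagged.
SAMPLE_HTML = (
    "<!doctype html>\n"
    "<html><head>\n"
    '<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>\n'
    '<script src="//CDN.Polyfill.io/v2/polyfill.js"></script>\n'
    '<script src="https://static.example.test/app.js"></script>\n'
    '<link rel="stylesheet" href="https://static.example.test/site.css">\n'
    '<script src="https://polyfill.io.example.test/fake.js"></script>\n'
    "</head><body></body></html>\n"
)

if __name__ == "__main__":
    for tag, url, line in find_polyfill_embeds(SAMPLE_HTML):
        print(f"line {line}: <{tag}> loads {url}")
```

The check deliberately compares parsed hostnames rather than searching the raw text for the string "polyfill.io", so it neither misses a protocol-relative or differently cased embed nor raises a false alarm on an unrelated host that merely contains that string.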

Earlier this week, security researchers from Silent Push published a new report, claiming to have mapped out a network of 40,000 Chinese gambling sites set up by FUNNULL, to which visitors were redirected via Polyfill.

In its attack, FUNNULL impersonated a dozen brands from the gambling industry and used more than 200,000 unique hostnames, 95% of which were created using Domain Generation Algorithms (DGAs).

In its writeup, TechCrunch said that the websites were most likely used for money laundering and other schemes. Silent Push believes FUNNULL is directly linked to the Lazarus Group, a notorious North Korean state-sponsored threat actor that is known for targeting cryptocurrency users.

Via TechCrunch


By Xplayer