The Polyfill attack redirected victims to gambling sites to conduct a supply chain attack
More details have emerged about FUNNULL, the company that bought the Polyfill.io service and used it to launch a major supply chain attack.
New research claims the service is now being used as part of a massive money laundering scheme involving tens of thousands of fake gambling sites catering to Chinese victims.
No solution
Polyfill.io provides modern web features to older browsers, allowing web developers to use current web standards without worrying about compatibility. The service and its associated domain were acquired in February 2024 by a little-known company called FUNNULL. Further investigation revealed that the company is of Chinese origin and is most likely completely fake and non-existent.
When FUNNULL acquired Polyfill, the original developers urged users (about 100,000 websites) to stop using it immediately and switch to secure alternatives (both Cloudflare and Fastly had legitimate mirrors at the time).
In June 2024, cybersecurity experts at Sansec warned that Polyfill was spreading malware. “This domain was caught injecting malware into mobile devices via any site embedding cdn.polyfill.io,” Sansec said at the time. Google also stepped in and informed affected advertisers that their landing pages could be redirecting visitors away from their intended destination to potentially malicious websites.
Earlier this week, security researchers at Silent Push published a new report that claims to have mapped a network of 40,000 Chinese gambling sites, powered by FUNNULL, to which victims were redirected using Polyfill.
In its attack, FUNNULL impersonated a dozen gambling industry brands and used more than 200,000 unique hostnames, 95% of which were created using domain generation algorithms.
The websites were most likely used for money laundering and other schemes, with Silent Push believing that FUNNULL is directly linked to the Lazarus Group, a notorious North Korean state-sponsored threat actor known for targeting cryptocurrency users.
Via TechCrunch