Polyfill attack redirected victims to gambling sites to carry out supply chain attack
The sites appear part of a major money laundering scheme
More details have emerged surrounding FUNNULL, the company that bought the Polyfill.io service and used it to launch a major supply chain attack.
New research claims the service is now being used as part of an enormous money-laundering scheme that involves tens of thousands of fake gambling sites aimed at Chinese victims.
Security researchers at Silent Push published a new report claiming to have mapped out a network of 40,000 Chinese gambling sites, propped up by FUNNULL, to which visitors were redirected using Polyfill. In its attack, FUNNULL impersonated a dozen brands from the gambling industry and used more than 200,000 unique hostnames, 95% of which were created using Domain Generation Algorithms (DGAs).
No workaround
Polyfill.io provides modern functionality on older browsers, allowing web developers to use modern web standards without worrying about compatibility. The service, and its accompanying domain, were acquired in February 2024 by a little-known company called FUNNULL. Subsequent investigation has shown that the company is of Chinese origin and most likely a complete fabrication that does not exist as a real business.
When FUNNULL acquired Polyfill, its original developers urged users (approximately 100,000 websites) to stop using it immediately and switch to safe alternatives (both Cloudflare and Fastly stood up legitimate mirrors at the time).
In June 2024, cybersecurity experts from Sansec warned that polyfill was serving malware. “This domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io,” Sansec said at the time. Google also chimed in, notifying affected advertisers that their landing pages might now be redirecting visitors away from their intended destination and towards potentially malicious websites.
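The practical exposure described above is a single third-party `<script>` tag: any page that still embeds cdn.polyfill.io hands control of its visitors to whoever runs that host. The following audit script is an added example, not code from the article, Sansec or Silent Push. It parses a page's HTML, lists every external script source, flags any that load from the polyfill.io domain named above, and separately flags other third-party scripts that carry no Subresource Integrity (`integrity`) attribute so they can be reviewed. The sample page, the hostnames `cdn.example-cdn.test` and `cdn.other.test`, and the integrity value are constructed for the demonstration.

```python
"""Audit a page's <script> tags for a known-compromised CDN host and for
third-party scripts with no Subresource Integrity (SRI) hash.

Added example for defenders; not code from the article or the vendors it
cites. The blocklist below holds only the host named in the article; extend
it with your own intelligence as an assumption of your environment.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host reported (per the article) as serving malicious redirects.
COMPROMISED_HOSTS = {"cdn.polyfill.io", "polyfill.io"}

# Constructed sample page: one same-origin script, one cdn.polyfill.io
# include, one pinned third-party script, one unpinned protocol-relative one.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://cdn.example-cdn.test/lib.js"
        integrity="sha384-CONSTRUCTEDHASHVALUE" crossorigin="anonymous"></script>
<script src="//cdn.other.test/analytics.js"></script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect src/integrity attributes of every <script> tag encountered."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})


def audit_html(html, first_party_host):
    """Return a list of (finding_type, src) tuples for risky external scripts.

    finding_type is "compromised_host" for the polyfill.io domain and
    "missing_sri" for any other third-party script without an integrity hash.
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        src = s["src"]
        # Protocol-relative URLs ("//host/path") need a scheme for urlparse
        # to recognise the host part.
        url = urlparse("https:" + src if src.startswith("//") else src)
        host = (url.hostname or "").lower()
        if not host or host == first_party_host.lower():
            continue  # same-origin script: outside the scope of this check
        if host in COMPROMISED_HOSTS or host.endswith(".polyfill.io"):
            findings.append(("compromised_host", src))
        elif not s["integrity"]:
            findings.append(("missing_sri", src))
    return findings


if __name__ == "__main__":
    for kind, src in audit_html(SAMPLE_PAGE, "www.example.test"):
        print(f"{kind:17s} {src}")
```

Note that SRI would not have protected polyfill.io users even before the takeover: the service generated a different bundle per browser, so no single hash could pin its output. That is why the only remediation the original developers could offer was removing the tag or pointing it at a mirror, and why the "compromised_host" finding is reported separately from the "missing_sri" one.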
The 40,000 gambling websites mapped by Silent Push were most likely used for money laundering and other schemes, with Silent Push believing FUNNULL is directly linked to the Lazarus Group, a notorious North Korean state-sponsored threat actor known for targeting cryptocurrency users.
Via TechCrunch
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.