Researchers link Polyfill supply chain attack to huge network of copycat gambling sites

One of the biggest digital supply chain attacks of the year was launched by a little-known company that redirected large numbers of internet users to a network of copycat gambling sites, according to security researchers. 

Earlier this year, a company called FUNNULL purchased Polyfill.io, a domain hosting an open source JavaScript library that — if embedded in websites — can allow outdated browsers to run features found in newer browsers. Once in control of Polyfill.io, FUNNULL used the domain to essentially carry out a supply chain attack, as cybersecurity firm Sansec reported in June, where FUNNULL took over a legitimate service and abused its access to potentially millions of websites to push malware to their visitors. 

At the time of the Polyfill.io takeover, the original Polyfill author warned that he never owned the Polyfill.io domain and suggested websites remove the hosted Polyfill code completely to avoid risks. Also, content delivery network providers Cloudflare and Fastly put out their own mirrors of Polyfill.io to offer a safe trusted alternative for websites that wanted to keep using the Polyfill library. 
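The removal advice above is easiest to act on with an inventory of which third-party scripts a page actually loads. As an added example that is not part of the article, the Python audit below parses a page's HTML, lists every cross-origin script and stylesheet, and flags those served from polyfill.io or any of its subdomains; the sample page and the analytics host in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# polyfill.io is the domain named in the article; subdomains such as
# cdn.polyfill.io are matched by suffix.
FLAGGED_DOMAINS = {"polyfill.io"}


def _host_matches(url, domains):
    """True if the URL's host is one of `domains` or a subdomain of one."""
    if url.startswith("//"):          # protocol-relative URLs need a scheme to parse
        url = "https:" + url
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


class ThirdPartyScriptAuditor(HTMLParser):
    """Collect <script src> and <link href> URLs; note which hit a flagged host."""

    def __init__(self, domains=FLAGGED_DOMAINS):
        super().__init__()
        self.domains = domains
        self.external = []   # every cross-origin script/stylesheet URL seen
        self.flagged = []    # the subset loaded from a flagged domain

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url and url.startswith(("http://", "https://", "//")):
            self.external.append(url)
            if _host_matches(url, self.domains):
                self.flagged.append(url)


def audit_html(html, domains=FLAGGED_DOMAINS):
    """Return (all external script/link URLs, flagged URLs) for one document."""
    p = ThirdPartyScriptAuditor(domains)
    p.feed(html)
    p.close()
    return p.external, p.flagged


# Constructed sample page (not a real site): two polyfill.io references,
# one same-origin script and one unrelated third-party script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="//cdn.polyfill.io/style.css">
<script src="https://cdn.example-analytics.test/t.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    external, flagged = audit_html(SAMPLE_HTML)
    print(f"{len(external)} external resources, {len(flagged)} flagged")
    for u in flagged:
        print("  remove or self-host:", u)
```

Running it over a crawl of your own pages gives the list of templates that still pull the library from the taken-over domain.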

It’s unclear what the goal of the supply chain attack was exactly, but Willem de Groot, the founder of Sansec, wrote on X at the time that it appeared to be a “laughably bad” attempt at monetization.

Now, security researchers at Silent Push say they mapped out a network of thousands of Chinese gambling sites and linked it to FUNNULL and the Polyfill.io supply chain attack. 

According to the researchers’ report, which was shared with TechCrunch in advance, FUNNULL was using its access to Polyfill.io to inject malware and redirect website visitors to that malicious network of casino and online gambling sites. 

“It appears likely that this ‘online gambling network’ is a front,” Zach Edwards, a senior threat analyst and one of the researchers who worked on the Silent Push report, told TechCrunch. Edwards added that FUNNULL is “operating what appears to be one of the largest online gambling rings on the internet.”

Silent Push researchers said in their report that they were able to identify around 40,000 mostly Chinese-language websites hosted by FUNNULL, all with similar-looking and likely automatically generated domains made up of a scattering of seemingly random letters and numbers. These sites appeared to impersonate online gambling and casino brands, including Sands, a casino conglomerate that owns Venetian Macau; the Grand Lisboa in Macau; SunCity Group; as well as the online gambling portals Bet365 and Bwin.

A screenshot of one of the thousands of spammy online gambling websites hosted on FUNNULL’s CDN. (Image: TechCrunch)

Chris Alfred, a spokesperson for Entain, the parent company of Bwin, told TechCrunch that the company “can confirm that this is not a domain we own so it appears the site owner is infringing on our Bwin brand so we will be taking action to resolve this.”

Sands, SunCity Group, Macau Grand Lisboa, and Bet365 did not respond to multiple requests for comment. 

Edwards told TechCrunch that he and his colleagues found the GitHub account of a FUNNULL developer who discussed “money-moving,” an expression that they believe refers to money laundering. The GitHub page also contained links to Telegram channels that include mentions of the gambling brands impersonated in the network of spammy sites, as well as talk about moving money. 

“And those sites are all for moving money, or is their primary purpose,” said Edwards. 

The suspicious network of sites, according to Edwards and his colleagues, is hosted on FUNNULL’s content delivery network, or CDN, whose website claims to be “Made in USA” but lists several office addresses in Canada, Malaysia, the Philippines, Singapore, Switzerland and the United States, none of which appear to exist in the real world. 

On its profile on HUIDU, a hub for the gambling industry, FUNNULL says it has “more than 30 data centers on the continent,” likely referring to mainland China, and that it has a “high-security automated server room in China.”

For an ostensible technology company, FUNNULL makes its representatives difficult to reach. TechCrunch made efforts to contact the company to seek comment and to ask it questions about its role in the apparent supply chain attack, but received no responses to our inquiries.

On its website, FUNNULL lists an email address that does not exist; a phone number that the company claims to be on WhatsApp, but could not be reached; the same number which on WeChat appears to be owned by a woman in Taiwan with no affiliation to FUNNULL; a Skype account that did not respond to our requests for comment; and a Telegram account that only identifies itself as “Sara,” and has the FUNNULL logo as her avatar.  

“Sara” on Telegram responded to a request for comment — sent by TechCrunch in both Chinese and English — containing a series of questions for this article saying: “We don’t understand what you said,” and stopped answering. TechCrunch was also able to identify a series of valid FUNNULL-owned email addresses, none of which responded to requests for comment. 

A company called ACB Group claimed to own FUNNULL on an archived version of its official website, which is now offline. ACB Group could not be reached by TechCrunch. 

With access to millions of websites, FUNNULL could have launched much more dangerous attacks, such as installing ransomware, wiper malware, or spyware, against the visitors of the spammy websites. These kinds of supply chain attacks are increasingly possible because the web is now a complex global network of websites that are often built with third-party tools, controlled by third parties that, at times, could turn out to be malicious. 

This time, the goal was apparently to monetize a network of spammy sites. Next time, it could be much worse.
