Researchers link Polyfill supply chain attack to huge network of copycat gambling sites - RocketNews



One of the biggest digital supply chain attacks of the year was launched by a little-known company that redirected large numbers of internet users to a network of copycat gambling sites, according to security researchers.

Earlier this year, a company called FUNNULL purchased Polyfill.io, a domain hosting an open source JavaScript library that -- if embedded in websites -- can allow outdated browsers to run features found in newer browsers. Once in control of Polyfill.io, FUNNULL used the domain to essentially carry out a supply chain attack, as cybersecurity firm Sansec reported in June, in which FUNNULL took over a legitimate service and abused its access to potentially millions of websites to push malware to their visitors.

At the time of the Polyfill.io takeover, the original Polyfill author warned that he never owned the Polyfill.io domain and suggested websites remove the hosted Polyfill code completely to avoid risks. Also, content delivery network providers Cloudflare and Fastly put out their own mirrors of Polyfill.io to offer a safe, trusted alternative for websites that wanted to keep using the Polyfill library.

It's unclear what the goal of the supply chain attack was exactly, but Willem de Groot, the founder of Sansec, wrote on X at the time that it appeared to be a "laughably bad" attempt at monetization.

Now, security researchers at Silent Push say they mapped out a network of thousands of Chinese gambling sites and linked it to FUNNULL and the Polyfill.io supply chain attack.

According to the researchers' report, which was shared with TechCrunch in advance, FUNNULL was using its access to Polyfill.io to inject malware and redirect website visitors to that malicious network of casino and online gambling sites.

"It appears likely that this 'online gambling network' is a front," Zach Edwards, a senior threat analyst and one of the researchers who worked on the Silent Push report, told TechCrunch. Edwards added that FUNNULL is "operating what appears to be one of the largest online gambling rings on the internet."

Silent Push researchers said in their report that they were able to identify around 40,000 mostly Chinese-language websites hosted by FUNNULL, all with similar-looking and likely automatically generated domains made up ...
