One of the biggest digital supply chain attacks this year was launched by a little-known company that redirected large numbers of internet users to a network of copycat gambling sites, according to security researchers.
Earlier this year, a company called FUNNULL purchased Polyfill.io. Polyfill.io is a domain that hosts open source JavaScript libraries that allow older browsers to perform functionality found in newer browsers when embedded in a website. As cybersecurity firm Sansec reported in June, once FUNNULL took control of Polyfill.io, it effectively used the domain to carry out supply chain attacks. FUNNULL then hijacked the legitimate service and leveraged its access to potentially millions of websites to push malware. visitor.
During the Polyfill.io takeover, the original Polyfill creator warned that he did not own the Polyfill.io domain and told the website that he would permanently remove the hosted Polyfill code to avoid any risks. proposed. Additionally, content delivery network providers Cloudflare and Fastly have published their own mirrors of Polyfill.io to provide a safe and reliable alternative for websites that wish to continue using the Polyfill library.
The exact purpose of the supply chain attack is unclear, but Sunsec founder Willem de Groot wrote to X at the time that it appeared to be a “laughingly egregious” attempt at monetization.
Now, security researchers at Silent Push say they have mapped out a network of thousands of Chinese gambling sites and linked it to the FUNNULL and Polyfill.io supply chain attacks.
According to a researcher's report previously shared with TechCrunch, FUNNULL uses access to Polyfill.io to inject malware and redirect website visitors to a malicious network of casinos and online gambling sites. It is said that he was
“It seems likely that this 'online gambling network' is a front,” Zach Edwards, a senior threat analyst and one of the researchers behind the Silent Push report, told TechCrunch. Edwards added that FUNNULL “operates what is believed to be one of the largest online gambling rings on the Internet.”
Silent Push researchers said in their report that they were able to identify approximately 40,000 primarily Chinese-language websites hosted by FUNNULL. These websites all have similar domains, consisting of a seemingly random smattering of letters and numbers, likely auto-generated. The sites appeared to impersonate online gambling and casino brands, including Sands, the casino conglomerate that owns the Venetian Macau. Grand Lisboa in Macau. Suncity Group; as well as online gambling portals Bet365 and Bwin.
Screenshot of one of the thousands of spam online gambling websites hosted on FUNNULL's CDN. (Image: TechCrunch)
Chris Alfred, a spokesperson for Entain, Bwin's parent company, told TechCrunch that the company “can confirm that this is not a domain we own, and that the site owner is infringing on our Bwin brand.” “We are determined to take action to resolve the issue.” this. “
Sands, Suncity Group, Macau Grand Lisboa and Bet365 did not respond to multiple requests for comment.
Edwards told TechCrunch that he and his colleagues found a FUNNULL developer's GitHub account where they were discussing “money transfers.” They believe this expression refers to money laundering. The GitHub page also included references to gambling brands spoofed on a network of spam sites, as well as links to Telegram channels with topics about transferring funds.
“And all of those sites are about moving money, that's their primary purpose,” Edwards said.
According to Edwards and his colleagues, this network of suspicious sites is hosted on FUNNULL's Content Delivery Network (CDN), and although the website claims to be “Made in the USA,” it has sites in Canada, Malaysia, the Philippines, The address of several offices in Singapore and Switzerland is said to be listed. And all of the United States looks like a place that doesn't have an address listed in the real world.
In its profile for gambling industry hub HUIDU, FUNNULL claims to have “more than 30 data centers on the continent,” likely referring to mainland China, and that it has “high-security automated server rooms in China.” states.
Despite being ostensibly a technology company, FUNNULL makes it difficult to reach representatives. TechCrunch attempted to contact the company for comment and ask questions about its role in the apparent supply chain attack, but inquiries went unanswered.
FUNNULL's website lists an email address that does not exist. A phone number that the company claims is registered with WhatsApp but could not be reached. The same number on WeChat appears to be owned by a Taiwanese woman who has no connection to FUNNULL. The Skype account did not respond to our request for comment. The other is a Telegram account that identifies herself only as “Sarah” and has the FUNNULL logo as her avatar.
Telegram's “Sarah” stopped responding to TechCrunch's requests for comment on this article in Chinese and English, including a series of questions, saying, “We don't understand what you said.” TechCrunch was also able to identify a series of valid email addresses owned by FUNNULL, none of which responded to requests for comment.
A company called ACB Group claimed to own FUNNULL on an archived version of its official website, but it is now offline. TechCrunch was unable to contact ACB Group.
Since FUNNULL has access to millions of websites, it can launch even more dangerous attacks against spam website visitors, such as installing ransomware, wiper malware, or spyware. The web is now a complex global network of websites, often built with third-party tools and controlled by third parties, and in some cases can prove to be malicious. This type of supply chain attack is becoming more and more likely.
The goal this time was apparently to monetize a network of spam sites. It could be worse next time.