How a Little-Known Company Hijacked Millions of Websites for a Gambling Empire
A seemingly innocuous company named FUNNULL pulled off one of the biggest digital supply chain attacks of the year, redirecting a massive number of internet users to a network of fake gambling sites. This revelation comes from cybersecurity researchers at Silent Push, who uncovered a sprawling operation built on compromised trust.
The Polyfill.io Takeover
It all started with Polyfill.io, a legitimate domain that served an open-source JavaScript polyfill library. Polyfills add features of newer browsers to outdated ones, so a single script tag pointing at Polyfill.io let websites support old browsers without extra work. Earlier this year, FUNNULL acquired the Polyfill.io domain and used its control of this widely embedded dependency to launch a supply chain attack.
As cybersecurity firm Sansec reported in June, FUNNULL injected malicious redirection code into the JavaScript served from Polyfill.io, so every page that still loaded the script from that domain began serving it to visitors; potentially millions of websites were affected. The original Polyfill author warned website owners to remove any script tag that loads from Polyfill.io, and CDN providers such as Cloudflare and Fastly offered safe, separately hosted mirrors of the library.
A Network of Thousands of Fake Gambling Sites
Silent Push researchers discovered that FUNNULL was using its control of Polyfill.io to redirect users to a massive network of thousands of Chinese-language gambling websites impersonating well-known brands such as Sands, Grand Lisboa, SunCity Group, Bet365, and Bwin. These sites, most of them template-generated with near-identical designs, appear to be a front for a much larger operation.
Money Laundering Suspicions
Silent Push researchers found a FUNNULL developer’s GitHub account that discussed “money-moving,” a term often associated with money laundering. The account also linked to Telegram channels mentioning the impersonated gambling brands and discussions about financial transactions.
“And those sites are all for moving money, or is their primary purpose,” said Zach Edwards, a senior threat analyst at Silent Push.
FUNNULL: A Riddle Wrapped in Mystery
FUNNULL’s website claims to be “Made in USA” but lists multiple international office addresses, many of which appear to be nonexistent. Reaching out to FUNNULL has been difficult, with unresponsive email addresses, a WhatsApp number that doesn’t connect, and a Skype account that went silent.
An archived version of ACB Group’s website, which now appears to be offline, claimed ownership of FUNNULL. However, ACB Group could not be reached for comment.
The Future of Supply Chain Attacks
This case highlights the growing danger of supply chain attacks. Because so much of the web loads shared code from a handful of third-party hosts, an attacker who gains control of a seemingly innocuous dependency like Polyfill.io (here by simply buying the domain, with no software vulnerability involved) can compromise a vast number of websites and their users at once.
The consequences could be far worse than redirecting users to spammy gambling sites. The same script delivery path could have carried credential-stealing code, ransomware droppers, or spyware to the browsers of millions of visitors. The potential damage is immense.
It's crucial for website owners to stay vigilant: keep an inventory of every third-party script their pages load, self-host or pin trusted copies where possible, and re-vet a dependency whenever its ownership changes. The trust we place in these tools can be easily exploited, and the consequences can be devastating.
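The remediation the Polyfill author recommended (remove any script tag that loads from Polyfill.io) and the vetting advice above both come down to knowing which remote scripts a page loads and whether their contents are pinned. The following scanner is an added example, not code from the article or from Silent Push or Sansec: it parses a page, flags every script tag that loads from a hijacked host, warns about any other remote script that has no Subresource Integrity hash, and can strip the compromised tags. The host list and the sample HTML are constructed for the example; the vendor hostnames in the sample are placeholders.

```python
"""Audit a page's <script src=...> tags for hijacked or unpinned third-party hosts.

Added example (not from the original article). The compromised-host list and
the sample page below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose hosted code should be removed outright. polyfill.io is the case
# the article describes; in practice this list would come from your own threat intel.
COMPROMISED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}


def _host_of(src: str) -> str:
    """Hostname of a script src, treating protocol-relative '//host/x' as https."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def is_compromised_host(host: str) -> bool:
    return host in COMPROMISED_HOSTS or host.endswith(".polyfill.io")


class _ScriptFinder(HTMLParser):
    """Collects src/integrity/crossorigin from every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names
        if a.get("src"):
            self.scripts.append({"src": a["src"],
                                 "integrity": a.get("integrity"),
                                 "crossorigin": a.get("crossorigin")})


def audit_html(html: str):
    """Return one finding per remote script tag, in document order.

    Same-origin scripts (no hostname) are skipped. A remote script with no
    integrity attribute cannot be pinned: whoever controls the host can change
    the code at any time, which is exactly what happened with Polyfill.io.
    Note that Polyfill.io tailored its output per User-Agent, so it could never
    have been protected by SRI; such services must be self-hosted to be safe.
    """
    finder = _ScriptFinder()
    finder.feed(html)
    findings = []
    for s in finder.scripts:
        host = _host_of(s["src"])
        if not host:
            continue
        if is_compromised_host(host):
            findings.append({"src": s["src"], "severity": "critical",
                             "reason": "loads from a hijacked host; remove the tag or self-host a vetted copy"})
        elif not s["integrity"]:
            findings.append({"src": s["src"], "severity": "warning",
                             "reason": "remote script without Subresource Integrity; pin it or self-host it"})
        else:
            findings.append({"src": s["src"], "severity": "info",
                             "reason": "remote script pinned with SRI"})
    return findings


# Matches a complete <script ... src="..."></script> element (src quoted with ' or ").
_SCRIPT_TAG_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*([\"'])(?P<src>[^\"']*)\1[^>]*>\s*</script>",
    re.IGNORECASE)


def strip_compromised_scripts(html: str) -> str:
    """Remove script elements whose src points at a compromised host; leave others untouched."""
    def _repl(m):
        return "" if is_compromised_host(_host_of(m.group("src"))) else m.group(0)
    return _SCRIPT_TAG_RE.sub(_repl, html)


# Constructed sample page: one hijacked host, one unpinned vendor, one pinned vendor, one local script.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://cdn.example-vendor.test/lib.js"></script>
<script src="https://cdn.example-vendor.test/pinned.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML):
        print(f"[{f['severity']}] {f['src']}: {f['reason']}")
    print(strip_compromised_scripts(SAMPLE_HTML))
```

Run it over real pages by feeding each fetched document to `audit_html`; anything reported as critical should be removed (or pointed at a self-hosted copy), and anything reported as a warning is a script you are trusting on the host's word alone.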