One of the largest digital supply chain attacks this year was carried out by a relatively unknown company that redirected large numbers of internet users to a network of copycat gambling sites, according to security researchers.
Earlier this year, a company called FUNNULL purchased Polyfill.io, a domain hosting an open-source JavaScript library that, if embedded in websites, can allow outdated browsers to run features found in newer browsers. According to a June report by cybersecurity firm Sansec, once in control of Polyfill.io, FUNNULL used the domain to essentially conduct a supply chain attack, hijacking a legitimate service and abusing its access to potentially millions of websites to push malware to their visitors. At the time of the takeover, the original Polyfill author warned that he never owned the Polyfill.io domain and suggested that sites remove the hosted Polyfill code entirely for their own safety. Additionally, content delivery network providers Cloudflare and Fastly put out their own mirrors of Polyfill.io to offer a safe, trusted alternative for sites that wanted to keep using the Polyfill library.
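As an added illustration (not part of the original article or of any vendor's tooling), the following Python example shows one way a site owner could audit page markup for resources still loaded from the Polyfill.io domain, which the original Polyfill author suggested removing. The sample HTML is constructed, and the class, function and variable names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain named in the article; the apex and every subdomain are flagged.
FLAGGED_DOMAINS = {"polyfill.io"}


class ResourceCollector(HTMLParser):
    """Collects (line, url) for <script src> and <link href> tags."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = {"script": "src", "link": "href"}.get(tag)
        url = dict(attrs).get(wanted) if wanted else None
        if url:
            self.resources.append((self.getpos()[0], url))


def find_flagged_resources(html, flagged=FLAGGED_DOMAINS):
    """Return (line, host, url) for resources loaded from a flagged domain."""
    collector = ResourceCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for line, url in collector.resources:
        # hostname is lowercased and port-free; it is None for relative paths.
        host = urlparse(url).hostname
        if host and any(host == d or host.endswith("." + d) for d in flagged):
            hits.append((line, host, url))
    return hits


# Constructed sample: three loads from the flagged domain plus look-alikes
# (local path, similar domain, inline string) that must not be reported.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//POLYFILL.IO/v3/polyfill.min.js?features=fetch"></script>
<script src="/static/polyfill.io/local-copy.js"></script>
<script src="https://notpolyfill.io/lib.js"></script>
<link rel="preload" as="script" href="https://cdn.polyfill.io/v3/polyfill.min.js">
<script>var note = "https://cdn.polyfill.io/ mentioned in a string";</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for line, host, url in find_flagged_resources(SAMPLE_HTML):
        print(f"line {line}: {host} -> {url}")
```

Because the check parses tags and compares hostnames rather than searching for a substring, a local path or look-alike domain is not reported; loaders that inject the script from JavaScript at runtime are outside what this static check sees.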
It is not clear exactly what the point of the supply chain attack was, but Willem de Groot, founder of Sansec, said on X at the time that it looked to be a "laughably bad" monetization attempt.
Security researchers at Silent Push now claim that they have mapped out a network of thousands of Chinese gambling sites and linked it to FUNNULL and the Polyfill.io supply chain attack.
According to the report, which the researchers shared with TechCrunch in advance, FUNNULL was using its access to Polyfill.io to inject malware and redirect website visitors to that malicious network of casino and online gambling sites.
It "seems to be probably a front by this 'online gambling network,'" Edwards, a senior threat analyst and one of the researchers who worked on the Silent Push report, told TechCrunch. Edwards added that FUNNULL is "operating what appears to be one of the largest online gambling rings on the internet."
Silent Push researchers said in their report that they were able to identify around 40,000 mostly Chinese-language websites hosted by FUNNULL, all with similar-looking and likely automatically generated domains made up of a scattering of seemingly random letters and numbers.
The websites appeared to impersonate online gambling and casino brands, including Sands, a casino group that owns Venetian Macau; the Grand Lisboa in Macau; and SunCity Group; as well as the online gambling portals Bet365 and Bwin. Chris Alfred, a spokesperson for Entain, the parent company of Bwin, told TechCrunch that the company "can confirm that this is not a domain we own so it appears the site owner is infringing on our Bwin brand so we will be taking action to resolve this."
Sands, SunCity Group, Macau Grand Lisboa, and Bet365 did not reply to multiple requests for comment.
According to TechCrunch, Edwards and his colleagues found the GitHub account of a FUNNULL developer who discussed "money-moving," an expression the researchers believe refers to money laundering. Links on the GitHub page also led the researchers to Telegram channels that referenced the gambling brands impersonated in the network of spammy sites, as well as conversations about moving money.
"And those sites are all for moving money, or is their primary purpose," said Edwards.
Edwards and his colleagues note that the questionable network of sites, hosted on the CDN, claims to be "Made in USA" but lists several office addresses in Canada, Malaysia, the Philippines, Singapore, Switzerland, and the United States, all of which appear to be places with no real-world address.
On its profile on HUIDU, a hub for the gambling industry, FUNNULL says it has "more than 30 data centers on the continent," probably referring to mainland China, and that it has a "high-security automated server room in China."
For a supposed tech company, FUNNULL makes it hard to reach its representatives. TechCrunch tried to contact the company to seek comment and to ask questions about its role in the apparent supply chain attack, but received no responses to our inquiries.
On its website, FUNNULL lists an email address that doesn't work; a phone number that is purportedly the company's WhatsApp but is unreachable; the same number, which on WeChat is identified as belonging to a woman in Taiwan who has no interest in FUNNULL; a Skype account that didn't respond to our messages; and a Telegram account identified only as "Sara," with the FUNNULL logo as her profile picture.
"Sara" on Telegram replied to a request for comment (sent by TechCrunch in both Chinese and English) containing a series of questions for this article, saying: "We don't understand what you said," and stopped answering. TechCrunch was able to identify a series of valid FUNNULL-owned email addresses, none of which responded to requests for comment. A firm called the ACB Group purported to own FUNNULL, according to an archived version of its official website, which is now offline. TechCrunch did not reach the ACB Group.
Of course, with the ability to reach into millions of websites, FUNNULL might well have mounted a much more malicious attack against the users of spammy websites, for instance by installing ransomware, wiper malware, or spyware. Such supply chain attacks are also becoming increasingly plausible because the web is now a vast global network of largely unrelated websites that are built with third-party tools and controlled by third parties that, at times, might turn out to be malicious.
This time around, the apparent objective was monetizing a network of spammy sites. Next time, it may turn out much worse.