Polyfill Domain Linked to Huge Network of Fake Gambling Sites
Regulation · 2024-10-22

A company named FUNNULL purchased Polyfill.io and used the domain to push malware to potentially millions of websites and their visitors. [Image: Shutterstock.com]

Open-source JavaScript library becomes mayhem

An open-source JavaScript library let websites run features of newer browsers in outdated ones. That benefit was tarnished when a company named FUNNULL purchased Polyfill.io and used the domain to push malware to potentially millions of websites and their visitors.

The original Polyfill author warned users that he never owned the Polyfill.io domain. He recommended that websites remove the code completely to avoid just the sort of scam the domain's new owners then used it to carry out. Though no one is quite clear why the attack was launched, TechCrunch reports that “Willem de Groot, the founder of Sansec, wrote on X at the time that it appeared to be a ‘laughably bad’ attempt at monetization.”
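For site owners acting on that advice, the following added example (not from the article, TechCrunch or Silent Push) scans a page's HTML for scripts loaded from polyfill.io or its subdomains and marks them for removal. It goes beyond the article by also listing other cross-origin scripts that lack an `integrity` attribute; the sample page, `www.example.com` and every URL other than the polyfill.io host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED_DOMAINS = {"polyfill.io"}  # the domain named in the article

# Constructed sample page; only the polyfill.io host comes from the article.
SAMPLE = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//POLYFILL.IO/v2/polyfill.js" async></script>
<script src="https://notpolyfill.io.example.net/lib.js"></script>
<script src="https://static.example.net/w.js" integrity="sha384-PLACEHOLDER"></script>
<script src="/js/app.js"></script>
</head></html>"""

def host_matches(host, domain):
    """True for the domain itself or any subdomain, never for lookalikes."""
    return host == domain or host.endswith("." + domain)

class ScriptAudit(HTMLParser):
    """Collects external <script src=...> references and classifies them."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (severity, line number, src as written)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag != "script" or not src:
            return
        # urlparse handles https://, http:// and scheme-relative //host/ forms
        host = urlparse(src).hostname
        if host is None:  # relative path: served by the site itself
            return
        host = host.rstrip(".")
        line = self.getpos()[0]
        if any(host_matches(host, d) for d in BLOCKED_DOMAINS):
            self.findings.append(("REMOVE", line, src))
        elif host != self.site_host and not attrs.get("integrity"):
            self.findings.append(("REVIEW", line, src))

def audit(html, site_host):
    parser = ScriptAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for severity, line, url in audit(SAMPLE, "www.example.com"):
        print(f"{severity:6} line {line}: {url}")
```
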

Malware redirected users to malicious sites

According to a report from researchers at Silent Push, malware injections were used to “redirect visitors to that malicious network of casinos and online gambling sites.”

Zach Edwards, a senior threat analyst and one of the researchers who worked on the Silent Push report, told TechCrunch: “It appears likely that this ‘online gambling network’ is a front,” adding that FUNNULL is “operating what appears to be one of the largest online gambling rings on the internet.”

The scam was hardly sophisticated. The Silent Push report said that around 40,000 mostly Chinese-language websites were hosted by FUNNULL, all of them using domains that appeared to be automatically generated, each made up of what looked like random letters and numbers. The websites were designed “to impersonate online gambling and casino brands, including Sands, a casino conglomerate that owns Venetian Macau; the Grand Lisboa in Macau; SunCity Group; as well as the online gambling portals Bet365 and Bwin.”

Chris Alfred, a spokesperson for Entain, Bwin’s parent company, told TechCrunch: “… [the company] can confirm that this is not a domain we own, so it appears the site owner is infringing on our Bwin brand, so we will be taking action to resolve this.”

Money laundering scheme

Edwards told TechCrunch that FUNNULL appears to be using its operation for what the FUNNULL developer’s GitHub describes as “money-moving,” which Edwards believes refers to money laundering. Edwards said: “And those sites are all for moving money, or is their primary purpose.”

TechCrunch made repeated attempts to contact representatives at FUNNULL, but each attempt was frustrated or came up empty. TechCrunch reports that FUNNULL’s website “lists an email address that does not exist; a phone number that the company claims to be on WhatsApp, but could not be reached; the same number which on WeChat appears to be owned by a woman in Taiwan with no affiliation to FUNNULL; a Skype account that did not respond to our requests for comment; and a Telegram account that only identifies itself as ‘Sara.’”

Sara initially responded to TechCrunch’s request for comment, but the reply was not substantive: Sara said only that they “did not understand” and then ended the conversation.

TechCrunch warns that while the attack this time was limited to installing malware and redirecting users to fake gambling and casino websites, the next attack could be “much worse.”

TechCrunch said: “These kinds of supply chain attacks are increasingly possible because the web is now a complex global network of websites that are often built with third party tools, controlled by third parties that, at times, could turn out to be malicious.”

Next time, the attack could install more harmful software, such as ransomware, wiper malware, or spyware.
