Bad actors take over a widely used JavaScript library and deliver malware to 100K+ websites
If you noticed your favorite e-commerce site was suddenly serving phishing redirects, you’re sadly not alone. More than 100K websites—publishers, e-commerce sites, retailers, major brands, and more—have begun serving malware after threat actors bought a popular open-source JavaScript library to distribute their vile code.
Polyfill[.]js is used by websites to support older browsers via integrating the domain polyfill[.]io. In February, the expiring Polyfill domain was acquired by a Chinese company, which has since been injecting malware onto mobile devices through any site which leverages polyfill[.]io. It appears the domain was purchased specifically to spread malware through legit sites and advertising—and it’s working.
The redirect code executed by Polyfill in the most recent attack.
All websites utilizing the polyfill[.]io domain should remove it immediately. CloudFlare and Fastly have developed patches; Fastly, has taken a snapshot of the code before it was sold and is hosting it here (https://polyfill-fastly.io).
Preventing New Outbreaks
Threat actors are notorious for compromising open-source JavaScript libraries, the root of major attacks like MimicManager, which turns legit advertisers into malvertisers. But this PolyFill takes a page from living dead AdTech attacks, where threat actors buy defunct AdTech company domains deeply lodged in advertiser, e-commerce, and media publishers sites, and then use it to streamline phishing redirects.
These kind of attacks are going to become more common. They’re particularly difficult to detect from inside an organization; typical cybersecurity services struggle to find such compromises because malware delivery uses advanced targeting to just execute on desired devices or other parameters.
But businesses need to find these attacks and vulnerabilities before customers start screaming at them, ad campaigns are shut down, and sales and business fall off a cliff. The best solution is regular third-party, client-side scrutiny of your properties using a variety of devices and profiles to recreate true consumer experience. This of course will also help you monitor vendor activity, regulatory compliance, and ensure you’re meeting customer privacy requirements.
