28 June 2024

Supply chain attack leaves websites compromised

Iceberg

In summary

  • A major supply chain attack has affected many websites relying on third-party web providers like Polyfill.io, Bootcss.com, Bootcdn.net, and Staticfile.org
  • Malicious actors have altered scripts in these services to redirect visitors to unauthorised and potentially harmful sites without the website owners’ consent
  • The incident highlights vulnerabilities in third-party services and stresses the need for vigilance in securing web resources. Website owners should conduct thorough code checks, remove compromised libraries, and switch to secure alternatives to mitigate risks and adhere to ad policies

Supply chain attack by the Polyfill.io service

A recent supply chain attack has compromised over 100,000 websites through the widely used Polyfill.io service. This attack, linked to several third-party web resource providers, has prompted Google to issue warnings to advertisers due to the potential redirection of visitors to malicious sites.

What is the impact on Google Ads?

Google has begun notifying advertisers about the security issue, emphasising the potential impact of the code on ad destinations. Google’s ad policy does not allow any redirection to non-compliant content or malicious websites.

If Google detects these unauthorised redirects during their regular checks, the related ads will be disapproved under Google’s Compromised Sites Policy. This policy aims to protect users from being redirected to potentially harmful web experiences.

Details of the supply chain attack

What do tools like Polyfill do?

Polyfill.io is a popular service used by hundreds of thousands of websites to maintain browser compatibility.

A polyfill is a piece of code, typically JavaScript, that adds modern functionality to older browsers that do not natively support it. This ensures compatibility across different browsers, allowing websites to use the same codebase for both old and new features.

The compromise of Polyfill.io

Polyfill.io was recently acquired by a Chinese company named Funnull. After the acquisition, the script provided by Polyfill.io was modified to include malicious code, leading to a widespread supply chain attack.

Cybersecurity company Sansec reported that the compromised Polyfill.io script started injecting malware into websites, particularly affecting mobile devices. This malicious code redirected visitors to scam sites, often without the website owner’s knowledge. The code is designed to be resistant to reverse engineering and only activates under specific conditions, such as on certain mobile devices and at particular times.

What other services have been affected by the attack?

Other third-party web resource providers involved in this attack include:

  • Bootcss.com
  • Bootcdn.net
  • Staticfile.org

These providers have similarly been found to contain malicious code that causes unauthorised redirects.

What should advertisers do immediately?

  1. Investigate the website’s code
    Advertisers are advised to review their websites to determine if they are using any of the compromised libraries, including Polyfill.io, Bootcss.com, Bootcdn.net, or Staticfile.org. This can be done by checking the website’s code or consulting with the website administrator.

  2. Remove or replace compromised code
    If compromised libraries are found, advertisers should remove or replace compromised code.

    Cloudflare’s secure mirror on cdnjs is one option to mitigate security risks and prevent further malicious activities. This can be actioned regardless of whether the website is using Cloudflare’s services.

  3. Resubmit ads for review
    Once the issue is resolved, advertisers should resubmit any disapproved ads for Google’s review. This ensures that the ads comply with Google’s policies and can be reinstated without posing risks to users.

  4. Monitor performance metrics
    Check for any recent decrease in key performance metrics such as conversion rate and quality score. Use Google Analytics to gain deeper insights and identify suspicious activity. If users are being redirected to other pages after clicking on your ads, you should notice decreased activity in Google Analytics, along with a drop in conversion rate and quality score.
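Steps 1 and 2 above amount to one procedure: find every script or stylesheet reference to the listed hosts, then swap the Polyfill.io one for the cdnjs mirror. The Python scanner below is an added example for this article, not code from Iceberg, Google or any provider named here; it runs over a constructed sample page, and the cdnjs mirror URL is an assumption to be checked against Cloudflare’s announcement before use.

```python
"""Find references to the CDN hosts this article names as compromised and rewrite
polyfill.io script tags to Cloudflare's cdnjs mirror. Added example for this article,
not code from the page or from any provider it names."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the article lists as compromised; any subdomain (e.g. cdn.polyfill.io) matches too.
COMPROMISED_HOSTS = ("polyfill.io", "bootcss.com", "bootcdn.net", "staticfile.org")
# cdnjs mirror of the polyfill service (assumed URL; check Cloudflare's announcement).
CDNJS_POLYFILL = "https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"
# Constructed sample page: one polyfill.io script, one bootcss.com stylesheet, one clean script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<link rel="stylesheet" href="//cdn.bootcss.com/bootstrap/4.0.0/css/bootstrap.min.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
</head><body></body></html>"""

def host_is_compromised(url):
    """Return the listed host url loads from, or None (hostname match: 'notpolyfill.io' is no hit)."""
    host = (urlsplit(url.strip()).hostname or "").lower()
    for bad in COMPROMISED_HOSTS:
        if host == bad or host.endswith("." + bad):
            return bad
    return None

class _RefFinder(HTMLParser):
    """Collect (tag, url, host) for script/link/iframe tags loading from a listed host."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attr = {"script": "src", "link": "href", "iframe": "src"}.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url and (bad := host_is_compromised(url)):
            self.hits.append((tag, url, bad))

def find_compromised_refs(html):
    parser = _RefFinder()
    parser.feed(html)
    return parser.hits

def replace_polyfill(html):
    """Point every polyfill.io <script> at the cdnjs mirror, keeping its feature query string.
    Other listed hosts are only reported: each needs its own library-specific replacement."""
    for tag, url, bad in find_compromised_refs(html):
        if tag == "script" and bad == "polyfill.io":
            query = urlsplit(url).query
            html = html.replace(url, CDNJS_POLYFILL + ("?" + query if query else ""))
    return html
```

Run `find_compromised_refs` over the site’s templates as the check in step 1, and keep its output for the remaining hosts, which the script deliberately does not rewrite.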

Supply chain attacks on the rise

This attack shares similarities with the XZ Utils backdoor incident, as both involve sophisticated, long-term infiltration of widely used software. Both incidents highlight the growing threat of supply chain attacks and the need for robust security measures in software development and maintenance.

Need more help?

Get in touch to discuss how we can help you or sign up to our newsletter to receive the latest industry updates in your inbox.

About Daniel Lim

Daniel is a digital ad specialist with multinational experience in paid search and social. In his spare time, he enjoys cooking up meals, and Netflix binges keep his fun meter maxed out.