{
  "type": "URL",
  "indicator": "https://www.googie-anaiytics.com/ga.js",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://www.googie-anaiytics.com/ga.js",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3911834183,
      "indicator": "https://www.googie-anaiytics.com/ga.js",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "667d5bd4a98d33d3486fff19",
          "name": "Polyfill supply chain attack hits 100K+ sites",
          "description": "A malicious Chinese entity acquired control over the popular Polyfill JS open-source project and has been injecting malware into over 100,000 websites that embed the polyfill.io content delivery network. The malware redirects mobile users to a fraudulent sports betting site hosted on a domain impersonating Google Analytics. The attack employs various evasion techniques and targets specific devices and time windows. While trustworthy alternatives are available, it's recommended to remove any references to polyfill.io from your codebase as the library is no longer necessary for modern browsers.",
          "modified": "2024-06-27T12:36:54.510000",
          "created": "2024-06-27T12:32:20.075000",
          "tags": [
            "polyfill.js",
            "malvertising",
            "supply chain",
            "redirection"
          ],
          "references": [
            "https://sansec.io/research/polyfill-supply-chain-attack"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "polyfill.js",
              "display_name": "polyfill.js",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1027.005",
              "name": "Indicator Removal from Tools",
              "display_name": "T1027.005 - Indicator Removal from Tools"
            },
            {
              "id": "T1036.003",
              "name": "Rename System Utilities",
              "display_name": "T1036.003 - Rename System Utilities"
            },
            {
              "id": "T1557.002",
              "name": "ARP Cache Poisoning",
              "display_name": "T1557.002 - ARP Cache Poisoning"
            },
            {
              "id": "T1564.003",
              "name": "Hidden Window",
              "display_name": "T1564.003 - Hidden Window"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 384,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 2,
            "hostname": 2
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386482,
          "modified_text": "702 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6697c3a1751a544866980886",
          "name": "Malware called Poly fill JS Library Injected into 100 Websites",
          "description": "",
          "modified": "2024-07-17T13:14:09.664000",
          "created": "2024-07-17T13:14:09.664000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "hostname": 1
          },
          "indicator_count": 3,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "682 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "667eb57494f8692a2889b88b",
          "name": "Polyfill supply chain attack hits 100K+ sites",
          "description": "",
          "modified": "2024-06-28T13:07:00.349000",
          "created": "2024-06-28T13:07:00.349000",
          "tags": [
            "kuurzabitget",
            "polyfill",
            "update june",
            "scan",
            "google",
            "sansec watch",
            "product pricing",
            "june",
            "cloudflare",
            "sansec",
            "date",
            "magento",
            "february",
            "win32",
            "window"
          ],
          "references": [
            "https://sansec.io/research/polyfill-supply-chain-attack"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 5,
            "domain": 8,
            "hostname": 4
          },
          "indicator_count": 17,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "701 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "667bfe48d017f87b1f475fd7",
          "name": "Polyfill supply chain attack hits 100K+ sites",
          "description": "A security firm, Sansec Forensics, has decoded malware injected into more than 100,000 web sites by the new owner of the Polyfill JS project, resulting in malware being injected into users' devices.",
          "modified": "2024-06-26T11:40:56.230000",
          "created": "2024-06-26T11:40:56.230000",
          "tags": [
            "kuurzabitget",
            "polyfill",
            "scan",
            "google",
            "sansec watch",
            "product pricing",
            "update june",
            "sansec",
            "iswin",
            "0x5ae1f8",
            "date",
            "magento",
            "june",
            "february",
            "win32",
            "window"
          ],
          "references": [
            "https://sansec.io/research/polyfill-supply-chain-attack"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "bluenumberone",
            "id": "246058",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 2,
            "hostname": 3
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 71,
          "modified_text": "703 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://sansec.io/research/polyfill-supply-chain-attack"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Polyfill.js"
          ],
          "industries": [],
          "unique_indicators": 7
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 17
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/googie-anaiytics.com",
    "whois": "http://whois.domaintools.com/googie-anaiytics.com",
    "domain": "googie-anaiytics.com",
    "hostname": "www.googie-anaiytics.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "667d5bd4a98d33d3486fff19",
      "name": "Polyfill supply chain attack hits 100K+ sites",
      "description": "A malicious Chinese entity acquired control over the popular Polyfill JS open-source project and has been injecting malware into over 100,000 websites that embed the polyfill.io content delivery network. The malware redirects mobile users to a fraudulent sports betting site hosted on a domain impersonating Google Analytics. The attack employs various evasion techniques and targets specific devices and time windows. While trustworthy alternatives are available, it's recommended to remove any references to polyfill.io from your codebase as the library is no longer necessary for modern browsers.",
      "modified": "2024-06-27T12:36:54.510000",
      "created": "2024-06-27T12:32:20.075000",
      "tags": [
        "polyfill.js",
        "malvertising",
        "supply chain",
        "redirection"
      ],
      "references": [
        "https://sansec.io/research/polyfill-supply-chain-attack"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "polyfill.js",
          "display_name": "polyfill.js",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1027.005",
          "name": "Indicator Removal from Tools",
          "display_name": "T1027.005 - Indicator Removal from Tools"
        },
        {
          "id": "T1036.003",
          "name": "Rename System Utilities",
          "display_name": "T1036.003 - Rename System Utilities"
        },
        {
          "id": "T1557.002",
          "name": "ARP Cache Poisoning",
          "display_name": "T1557.002 - ARP Cache Poisoning"
        },
        {
          "id": "T1564.003",
          "name": "Hidden Window",
          "display_name": "T1564.003 - Hidden Window"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 384,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "domain": 2,
        "hostname": 2
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386482,
      "modified_text": "702 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6697c3a1751a544866980886",
      "name": "Malware called Poly fill JS Library Injected into 100 Websites",
      "description": "",
      "modified": "2024-07-17T13:14:09.664000",
      "created": "2024-07-17T13:14:09.664000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2,
        "hostname": 1
      },
      "indicator_count": 3,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "682 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "667eb57494f8692a2889b88b",
      "name": "Polyfill supply chain attack hits 100K+ sites",
      "description": "",
      "modified": "2024-06-28T13:07:00.349000",
      "created": "2024-06-28T13:07:00.349000",
      "tags": [
        "kuurzabitget",
        "polyfill",
        "update june",
        "scan",
        "google",
        "sansec watch",
        "product pricing",
        "june",
        "cloudflare",
        "sansec",
        "date",
        "magento",
        "february",
        "win32",
        "window"
      ],
      "references": [
        "https://sansec.io/research/polyfill-supply-chain-attack"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 5,
        "domain": 8,
        "hostname": 4
      },
      "indicator_count": 17,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "701 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "667bfe48d017f87b1f475fd7",
      "name": "Polyfill supply chain attack hits 100K+ sites",
      "description": "A security firm, Sansec Forensics, has decoded malware injected into more than 100,000 web sites by the new owner of the Polyfill JS project, resulting in malware being injected into users' devices.",
      "modified": "2024-06-26T11:40:56.230000",
      "created": "2024-06-26T11:40:56.230000",
      "tags": [
        "kuurzabitget",
        "polyfill",
        "scan",
        "google",
        "sansec watch",
        "product pricing",
        "update june",
        "sansec",
        "iswin",
        "0x5ae1f8",
        "date",
        "magento",
        "june",
        "february",
        "win32",
        "window"
      ],
      "references": [
        "https://sansec.io/research/polyfill-supply-chain-attack"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "bluenumberone",
        "id": "246058",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "domain": 2,
        "hostname": 3
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 71,
      "modified_text": "703 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://www.googie-anaiytics.com/ga.js",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://www.googie-anaiytics.com/ga.js",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780205851.403714
}