AppsFlyer's Web SDK was compromised via a domain registrar incident, leading to the injection of malicious JavaScript. This code was delivered to thousands of customer websites and applications, where it intercepted and replaced cryptocurrency wallet addresses entered by users, diverting funds to the attackers and exfiltrating original wallet details.
Initial Access
Domain Registrar Hijack
confirmed
Threat actors gained unauthorized access to AppsFlyer's domain registrar, enabling them to control the 'websdk.appsflyer.com' domain.
Defender cut points
Implement strong multi-factor authentication (MFA) for domain registrar accounts.
Regularly audit domain registration settings and access logs.
Utilize domain lock features to prevent unauthorized changes.
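The second and third cut points can be automated: pull the registry's RDAP record for the domain that serves the SDK and fail the check whenever a registrar lock is missing, a transfer is pending, or the delegated nameservers drift from a known baseline. The audit below is an added example, not AppsFlyer's tooling; it assumes RDAP-shaped JSON (status values and nameserver ldhName fields as in RFC 9083) and uses constructed records under example.net in place of the real domain.

```python
import json

# EPP/RDAP status values a production domain should carry so that transfers,
# nameserver/contact updates and deletion all require an explicit registrar unlock.
REQUIRED_LOCKS = {"client transfer prohibited", "client update prohibited",
                  "client delete prohibited"}
# Statuses that signal a change already in flight and deserve an immediate alert.
ALERT_STATUSES = {"pending transfer", "pending update", "pending delete"}

def audit_domain(rdap_record: dict, baseline_nameservers: set) -> list:
    """Return findings for one RDAP-style domain record; an empty list means clean."""
    findings = []
    status = {s.lower() for s in rdap_record.get("status", [])}
    for lock in sorted(REQUIRED_LOCKS - status):
        findings.append(f"missing lock: {lock}")
    for flag in sorted(ALERT_STATUSES & status):
        findings.append(f"alert status: {flag}")
    observed = {ns["ldhName"].lower().rstrip(".") for ns in rdap_record.get("nameservers", [])}
    baseline = {ns.lower().rstrip(".") for ns in baseline_nameservers}
    for ns in sorted(observed - baseline):
        findings.append(f"unexpected nameserver: {ns}")
    for ns in sorted(baseline - observed):
        findings.append(f"baseline nameserver removed: {ns}")
    return findings

# Constructed sample records (not real registry data); in practice these would be
# fetched from the registry's RDAP endpoint for the registrable domain of the SDK host.
BASELINE_NS = {"ns1.example.net", "ns2.example.net"}
LOCKED_RECORD = json.loads("""{
  "ldhName": "example.net",
  "status": ["active", "client transfer prohibited", "client update prohibited",
             "client delete prohibited"],
  "nameservers": [{"ldhName": "NS1.EXAMPLE.NET"}, {"ldhName": "NS2.EXAMPLE.NET."}]
}""")
TAMPERED_RECORD = json.loads("""{
  "ldhName": "example.net",
  "status": ["active", "client delete prohibited", "pending transfer"],
  "nameservers": [{"ldhName": "NS1.EXAMPLE.NET"}, {"ldhName": "ns-rogue.example.org"}]
}""")

if __name__ == "__main__":
    for name, record in (("locked", LOCKED_RECORD), ("tampered", TAMPERED_RECORD)):
        print(name, audit_domain(record, BASELINE_NS) or ["no findings"])
```

Run it on a schedule alongside registrar access-log review; any non-empty result on a domain that serves client-side code is worth paging on, since a nameserver change is enough to redirect every site embedding the script.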