'Fireball' malware infects 250 million PCs, one in five corporate networks affected

Web tracking adware that a Chinese marketing company has installed on millions of PCs could be used to steal passwords, leak data, or install malware. 

Security researchers at Check Point have called out Rafotech, a digital marketing firm and mobile app maker, over its software, which hijacks victims' browsers and exposes infected machines to further malware installs.

The browser hijacking software, dubbed Fireball, switches the user's preferred search engine to a fake search engine that contains code to track the user's web activity.

Though web tracking software isn't unusual, Check Point notes that Rafotech's browser extension allows the marketing firm -- and potentially any third party -- to install programs of their choice on the user's computer.

Rafotech's fake search engine merely runs search queries through Yahoo's or Google's legitimate search engines. However, the fake search engine includes pixels that are used to track a user's actions from one site to the next. 
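A hijack of the kind described above leaves a visible trace in the browser's own configuration: the default search provider no longer points at the engine the user chose. The following is an added example, not code from the article or from Check Point, that inspects a Chromium-family `Preferences` file and flags a default search provider whose host is not on an allowlist. The key path `default_search_provider_data.template_url_data` and the `{searchTerms}` / `{google:baseURL}` placeholders are Chromium's; the allowlist and the two sample preference files are constructed for illustration, and the hijacked sample uses a made-up `.test` hostname rather than any real Fireball indicator.

```python
"""Flag a Chromium-family browser whose default search provider has been
swapped for an untrusted host (added example; not the article's code)."""
import json
from urllib.parse import urlparse

# Hosts normally acceptable as a default search engine.
# Assumption: tune this allowlist to your own fleet policy.
TRUSTED_SEARCH_HOSTS = (
    "google.com", "bing.com", "duckduckgo.com",
    "yahoo.com", "ecosia.org", "startpage.com",
)


def _host_of(template_url):
    """Extract the hostname from a Chromium search URL template."""
    # Chromium's prepopulated Google entry uses this placeholder instead
    # of a literal scheme/host, so map it explicitly.
    if template_url.startswith("{google:baseURL}"):
        return "google.com"
    # Other templates embed {searchTerms}; substitute a dummy term so the
    # string parses as an ordinary URL.
    concrete = template_url.replace("{searchTerms}", "q")
    return (urlparse(concrete).hostname or "").lower()


def _is_trusted(host, trusted=TRUSTED_SEARCH_HOSTS):
    """Accept the apex domain and any subdomain (www.google.com, search.yahoo.com)."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def inspect_default_search(prefs_text, trusted=TRUSTED_SEARCH_HOSTS):
    """Describe the default search provider configured in a Preferences file.

    prefs_text is the JSON contents of a Chromium 'Preferences' file. When the
    user has never changed the engine the key is absent and the browser falls
    back to its built-in default, which is reported as configured=False.
    """
    prefs = json.loads(prefs_text)
    data = prefs.get("default_search_provider_data", {}).get("template_url_data")
    if not data:
        return {"configured": False, "keyword": None, "host": None, "trusted": True}
    host = _host_of(data.get("url", ""))
    return {
        "configured": True,
        "keyword": data.get("keyword"),
        "host": host,
        "trusted": _is_trusted(host, trusted),
    }


# Constructed sample files (not real captures).
BENIGN_PREFS = json.dumps({
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "duckduckgo.com",
            "name": "DuckDuckGo",
            "url": "https://duckduckgo.com/?q={searchTerms}",
        }
    }
})

# Hypothetical hijacked file: the engine now points at a tracking front-end
# that would relay the query to a real engine, as described in the article.
HIJACKED_PREFS = json.dumps({
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "search.example-tracker.test",
            "name": "Search",
            "url": "https://search.example-tracker.test/s?q={searchTerms}&uid=abc123",
        }
    }
})

UNTOUCHED_PREFS = json.dumps({"profile": {"name": "Person 1"}})

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_PREFS),
                        ("hijacked", HIJACKED_PREFS),
                        ("untouched", UNTOUCHED_PREFS)):
        result = inspect_default_search(text)
        verdict = "OK" if result["trusted"] else "SUSPICIOUS"
        print(f"{label:10s} host={result['host']!s:35s} {verdict}")
```

On a real machine the file to read is the profile's `Preferences` (for example `~/.config/google-chrome/Default/Preferences` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences` on Windows); the check should be run per profile, and a host that fails the allowlist is a lead to investigate rather than proof of Fireball specifically.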

Where Rafotech gets into shadier parts of online marketing is how it distributes its software. It appears that most of the 250 million victims inadvertently infected themselves with Fireball by downloading a desired program, such as a product called 'Deal Wifi', which promises secure and free Wi-Fi. Rafotech bundles Fireball with these and other products from the firm, including the Mustang Browser, Soso Desktop, and FVP Imageviewer.

One of the major risks identified by Check Point is that every Fireball installation is, in effect, a backdoor. As a browser extension, Fireball also gives Rafotech the capability to redirect users to a malicious site.

“Although Rafotech uses Fireball only for advertising and initiating traffic to its fake search engines, it can perform any action on the victims’ machines,” Check Point’s researchers wrote. 

Check Point claims that the malware could be used to cause a data breach at 20 percent of the world’s corporate networks. This could expose financial details, business documents, and health records. 

“It doesn’t take much to imagine a scenario in which Rafotech decides to harvest sensitive information from all of its infected machines, and sell this data to threat groups or business rivals,” the security firm notes.  

India represents 10.1 percent of the 250 million Fireball infections, followed by Brazil at 9.6 percent, Mexico at 6.4 percent, and Indonesia at 5.2 percent. Infections in the US are low at 2.2 percent; however, the US accounts for 10.7 percent of affected corporate networks.

Rafotech had not responded to an inquiry by CSO Online at the time of publication.  
