'Fireball' malware infects 250 million PCs, one in five corporate networks affected

Web tracking adware that a Chinese marketing company has installed on millions of PCs could be used to steal passwords, leak data, or install malware. 

Security researchers at Check Point have called out digital marketing firm and mobile app maker Rafotech over its software, which hijacks victims' browsers and exposes infected machines to further malware installs.

The browser hijacking software, dubbed Fireball, switches the user's preferred search engine to a fake search engine that contains code to track the user's web activity.

Though web tracking software isn't unusual, Check Point notes that Rafotech's browser extension allows the marketing firm -- and potentially any third party -- to install programs of their choice on the user's computer.

Rafotech's fake search engine merely passes search queries through to Yahoo's or Google's legitimate search engines. However, the fake search engine includes tracking pixels that are used to follow a user's actions from one site to the next.
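The change described above, a rewritten default search provider that funnels every query through a third-party host, is something an incident responder can check for on a suspect machine. The following Python audit is an added example, not code from the article or from Check Point's report: it reads a Chromium-style Preferences object, flags a default search provider whose host is not on an allowlist, and reports when the homepage or startup pages point at that same host, the pattern a search hijacker typically leaves behind. The allowlist, the sample profiles and the hostnames in them are constructed for the example; the key paths (default_search_provider_data.template_url_data.url, homepage, session.startup_urls) are the ones used in Chromium profiles.

```python
import json
from urllib.parse import urlparse

# Allowlist of hosts a default search provider is expected to use. This list
# is an assumption for the example; extend it with whatever your fleet sanctions.
TRUSTED_SEARCH_HOSTS = {
    "www.google.com", "google.com",
    "www.bing.com", "bing.com",
    "search.yahoo.com",
    "duckduckgo.com",
}


def host_of(url: str) -> str:
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def audit_chrome_preferences(prefs: dict) -> list:
    """Return hijack indicators found in a parsed Chromium Preferences object.

    Checks the default search provider URL first. If that host is untrusted,
    it then looks at whether the homepage and startup URLs have been pointed
    at the same host, which strengthens the finding without flagging a
    legitimate corporate intranet homepage. Returns an empty list when nothing
    suspicious is found.
    """
    findings = []
    tmpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    search_host = host_of(tmpl.get("url", ""))
    if search_host and search_host not in TRUSTED_SEARCH_HOSTS:
        findings.append(
            f"default search provider '{tmpl.get('short_name', '?')}' "
            f"points to untrusted host {search_host}"
        )
        # A hijacker usually rewrites the homepage and startup pages as well.
        if host_of(prefs.get("homepage", "")) == search_host:
            findings.append(f"homepage also points to {search_host}")
        for url in prefs.get("session", {}).get("startup_urls", []):
            if host_of(url) == search_host:
                findings.append(f"startup URL also points to {search_host}")
    return findings


def audit_preferences_file(path: str) -> list:
    """Load a Chromium Preferences file from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_chrome_preferences(json.load(fh))


# Constructed sample profiles for the example; not captured from a real infection.
CLEAN_PREFS = {
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Google",
        "url": "https://www.google.com/search?q={searchTerms}"}},
    "homepage": "https://intranet.corp.example/",
    "session": {"startup_urls": ["https://intranet.corp.example/"]},
}

HIJACKED_PREFS = {
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Fast Search",
        "url": "http://search.hijack.example/s?q={searchTerms}&pid=1234"}},
    "homepage": "http://search.hijack.example/",
    "session": {"startup_urls": ["http://search.hijack.example/"]},
}

if __name__ == "__main__":
    for name, prefs in (("clean", CLEAN_PREFS), ("hijacked", HIJACKED_PREFS)):
        print(name, audit_chrome_preferences(prefs) or ["no indicators"])
```

On a live host, point audit_preferences_file at the profile's Preferences file (the browser should be closed so the file is not mid-write). A hit on the search provider alone is worth a look; a hit on all three settings is the signature of a hijacker rather than a user preference.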

Where Rafotech gets into the shadier parts of online marketing is in how it distributes its software. It appears that most of the 250 million victims have inadvertently infected themselves with Fireball by downloading a program they wanted, such as a product called Deal Wifi, which offers secure and free wifi. Rafotech bundles Fireball with these and other products from the firm, including the Mustang Browser, Soso Desktop, and FVP Imageviewer.

One of the major risks identified by Check Point is that every Fireball installation is effectively a backdoor. As a browser extension, Fireball also gives Rafotech the capability to redirect users to a malicious site.

“Although Rafotech uses Fireball only for advertising and initiating traffic to its fake search engines, it can perform any action on the victims’ machines,” Check Point’s researchers wrote. 

Check Point claims that the malware could be used to cause a data breach at the 20 percent of the world's corporate networks where it is present. This could expose financial details, business documents, and health records.

“It doesn’t take much to imagine a scenario in which Rafotech decides to harvest sensitive information from all of its infected machines, and sell this data to threat groups or business rivals,” the security firm notes.  

India represents 10.1 percent of the 250 million Fireball infections, followed by Brazil at 9.6 percent, Mexico at 6.4 percent, and Indonesia at 5.2 percent. Infections in the US are low at 2.2 percent; however, the US represented 10.7 percent of affected corporate networks.

Rafotech had not responded to an inquiry by CSO Online at the time of publication.  

Stories by Liam Tung