Security Week, June 6, 2017 - A newly discovered piece of malware managed to infect more than 250 million computers in a widespread campaign run by a Chinese digital marketing agency, Check Point researchers warn.
Dubbed Fireball, the malware can take over the targeted browser, run arbitrary code on a victim’s computer, and spy on victims. Thus, its operators can download any file or malware onto the machine, and can also manipulate the infected user’s web traffic to generate ad revenue.
“Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware,” Check Point says.
The campaign, the security company reveals, is run by a large digital marketing agency based in Beijing, called Rafotech. With the help of this malware, the agency manipulates victims’ browsers to replace their default search engines and home pages with fake search engines, redirects queries to Yahoo.com or Google.com, and collects victims’ private information via tracking pixels embedded in the fake search engines.
Rafotech’s fake search engines are highly popular, with 14 of them ranked among the top 10,000 websites and some occasionally reaching the top 1,000. Despite denying the use of browser hijackers and fake search engines, Rafotech claims to have 300 million users worldwide, a number similar to the estimated number of infections.
To date, Fireball has infected over 250 million computers worldwide, and it is distributed mainly by being bundled with legitimate programs. India (25.3 million infections) and Brazil (24.1 million) were hit the most, followed by Mexico (16.1 million) and Indonesia (13.1 million). A total of 5.5 million infected machines are located in the United States.
Check Point also says that 20% of all corporate networks have been affected. Indonesia (60%), India (43%) and Brazil (38%) were hit the most. The hit rate in the US is 10.7%, while it reaches only 4.7% in China.