A malware attack dubbed Fireball has infected more than 250 million computers worldwide and is redirecting web browsers on compromised machines to generate revenue for its attackers.
First discovered by cybersecurity firm Check Point Threat Intelligence, the browser-hijacking malware attack of Chinese origin has reportedly spread to 20 percent of corporate computer networks.
Fireball can affect a victim’s device in two ways. The first is by taking over a computer’s web browser and turning it into an ad-clicking machine: it opens web pages owned by the attackers and automatically clicks the ads on those pages to generate revenue.
The second is by expanding its own presence on the machine by downloading additional software. Fireball has been spotted downloading browser plug-ins and other apps that further serve to help increase the attacker’s profits. It also opens the door to the possibility of spreading other malware onto the device.
According to Check Point, Fireball is the work of a Beijing-based digital marketing agency called Rafotech. The company maintains a buttoned-up front, but behind the scenes is using the malware to increase its standing. Fireball changes browser search engines to ones operated by Rafotech and redirects traffic to websites the company owns.
The phony search engines are built with tracking pixels—tiny, invisible images embedded on a page that are used to monitor and track user activity—that gather personal information from the user for the marketing firm.
Check Point calls the scope of Fireball “alarming.” The security researchers found the malware on more than a quarter-billion computers worldwide. India has been hit the hardest, with 10.1 percent of all infections located in the country, followed by Brazil with 9.6 percent. More than 5.5 million infections have been spotted in the United States.
The attack has also found its way onto one in five corporate computer systems, including 10.7 percent of business networks in the United States. In Indonesia, 60 percent of corporate networks have been infected.
It is believed that Fireball has spread not through malicious attacks but through relatively conventional means. Most infections appear to be the result of “bundling,” where unrelated or unwanted software is packaged with other downloads. Fireball comes bundled with otherwise legitimate downloads.
Fireball isn’t just widespread—it’s also very effective at accomplishing its task. Amazon-owned web traffic tracking website Alexa has noted that 14 fake search engines run by Rafotech—the perpetrators of the malware—have jumped into the top 10,000 most visited websites, with some cracking the top 1,000.
Unlike an attack like WannaCry, which made its presence known on machines with its ransom messages, Fireball operates primarily in the background and is unlikely to go out of its way to draw attention to its behavior so it can continue operating as long as possible. That doesn’t make the attack any less dangerous for users, who are left at risk for further attacks.