
Digital marketing agency unleashes Fireball malware on 250 million computers

06 Jun 2017

A new browser-hijacking malware called Fireball has infected an estimated 250 million computers and has already reached 20% of corporate networks worldwide, according to the latest statistics from Check Point.

Fireball works by taking over the target's browsers and turning them into 'zombies'. Once installed it can run arbitrary code on the infected computer, download further malware and manipulate web traffic to generate ad revenue, Check Point reports.

Check Point says the malware can also spy on victims and execute additional malicious code. So far it has reached machines through bundling, in which unwanted software is installed alongside legitimate software, often without the user's consent. The bundled installers identified so far include Deal Wifi, Mustang Browser, Soso Desktop, FVP Imageviewer and others.

Fireball has spread worldwide, including to Australia, New Zealand and Asia, but India has been hit hardest: 44% of India's corporate networks have at least one infected machine.

However it's not hooded hackers behind the malware but a digital marketing agency by the name of Rafotech, which is based in Beijing.

The company designed the malware to manipulate browsers, change search engines and home pages, plant tracking pixels and collect users' private information.

"Ironically, although Rafotech doesn’t admit it produces browser-hijackers and fake search engines, it does (proudly) declare itself a successful marketing agency, reaching 300 million users worldwide – coincidentally similar to our number of estimated infections," Check Point's blog says.

Check Point believes Fireball is signed with valid digital certificates, making it one of the few malware-adware campaigns that is at once malicious and outwardly legitimate.

"According to our analysis, Rafotech’s distribution methods appear to be illegitimate and don’t follow the criteria which would allow these actions to be considered naïve or legal. The malware and the fake search engines don’t carry indicators connecting them to Rafotech, they cannot be uninstalled by an ordinary user, and they conceal their true nature," the blog continues.

The information Rafotech collects could potentially be sold to third parties. That information can include medical information, search history, credit card details and much more.

Check Point advises users to check whether they are still able to change their home page and default search engine in their web browsers. If the settings cannot be changed, or revert after being changed, the machine has likely been infected with malware.

To remove almost any adware, follow these steps:

Uninstall the adware by removing the application from the Programs and Features list in the Windows Control Panel.

For Mac OS users:

a. Use the Finder to locate the Applications folder.
b. Drag the suspicious application to the Trash.
c. Empty the Trash.

Note: the adware does not always register as an installed program, so it may be absent from the program list; its persistence may instead live in a browser extension, a scheduled task or a startup entry.

Scan and clean your machine using:

  • Anti-malware software
  • Adware cleaner software

Remove malicious Add-ons, extensions or plug-ins from your browser:

On Google Chrome:

a. Click the Chrome menu icon and select More tools > Extensions.
b. Locate and select any suspicious add-ons.
c. Click the trash can icon to delete them.

On Internet Explorer:

a. Click the Settings icon and select Manage Add-ons.
b. Locate and remove any malicious add-ons.

On Mozilla Firefox:

a. Click the Firefox menu icon and go to the Tools tab.
b. Select Add-ons > Extensions. A new window opens.
c. Remove any suspicious add-ons.
d. Go to the Add-ons manager > Plugins.
e. Locate and disable any malicious plugins.

On Safari:

a. Make sure the browser is active.
b. Click the Safari tab and select Preferences. A new window opens.
c. Select the Extensions tab.
d. Locate and uninstall any suspicious extensions.

Restore your internet browser to its default settings:

On Google Chrome:

a. Click the Chrome menu icon and select Settings.
b. In the On startup section, click Set pages.
c. Delete the malicious pages from the Startup pages list.
d. Find the Show Home button option and select Change.
e. In the Open this page field, delete the malicious search engine page.
f. In the Search section, select Manage search engines.
g. Select the malicious search engine page and remove it from the list.

On Internet Explorer:

a. Select the Tools tab and then select Internet Options. A new window opens.
b. In the Advanced tab, select Reset.
c. Check the Delete personal settings box.
d. Click the Reset button.

On Mozilla Firefox:

a. Enable the browser Menu Bar by right-clicking the blank space near the page tabs.
b. Click the Help tab and go to Troubleshooting Information. A new window opens.
c. Select Reset Firefox (labelled Refresh Firefox in current versions).

On Safari:

a. Select the Safari tab and then select Preferences. A new window opens.
b. In the Privacy tab, click the Manage Website Data… button. A new window opens.
c. Click the Remove All button.

Note that Remove All clears stored website data only; the home page is reset under the General tab and the search engine under the Search tab of the same Preferences window.
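The check Check Point recommends (is the home page or default search engine still what you expect?) and the "restore browser defaults" steps above can be audited from the browser's own configuration files before anyone opens the browser, which is useful across a fleet. The script below is an added example written for this page, not Check Point's tooling or anything shipped by Rafotech. It parses a Chrome "Preferences" JSON file (normally `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences`; recent Chrome versions move the `extensions.settings` block into the adjacent "Secure Preferences" file) and a Firefox `prefs.js`, and flags home pages, startup pages, search providers and side-loaded extensions that fall outside an allowlist. The key names assumed (`homepage`, `session.startup_urls`, `default_search_provider_data.template_url_data.url`, `extensions.settings.<id>.from_webstore`/`state`, `browser.startup.homepage`, `browser.search.defaultenginename`) follow the Chrome and older Firefox layouts as I know them and should be checked against your browser version; the trusted domains, hijack domain, extension IDs and both sample files are constructed for the example.

```python
"""Audit Chrome and Firefox settings for browser-hijacking indicators.

Added example: parses a Chrome Preferences JSON document and a Firefox
prefs.js, flagging home/startup pages, search providers and side-loaded
extensions outside an allowlist. Sample inputs are constructed inline.
"""
import json
import re
from urllib.parse import urlparse

# Allowlist (assumption: what this organisation considers legitimate).
TRUSTED_DOMAINS = {"google.com", "bing.com", "duckduckgo.com", "intranet.example.com"}
TRUSTED_ENGINE_NAMES = {"Google", "Bing", "DuckDuckGo"}

# Firefox prefs.js lines look like: user_pref("name", "value");
USER_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')


def is_trusted_url(url):
    """True if the URL's host is a trusted domain or a subdomain of one."""
    host = urlparse(url).hostname
    if not host:
        return False
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def audit_chrome_preferences(prefs_json):
    """Return a list of (category, value) findings for a Chrome Preferences file."""
    prefs = json.loads(prefs_json)
    findings = []
    homepage = prefs.get("homepage", "")
    # homepage is ignored by Chrome when the new-tab page is the home page.
    if homepage and not prefs.get("homepage_is_newtabpage", False) and not is_trusted_url(homepage):
        findings.append(("homepage", homepage))
    for url in prefs.get("session", {}).get("startup_urls", []):
        if not is_trusted_url(url):
            findings.append(("startup_url", url))
    search = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if search.get("url") and not is_trusted_url(search["url"]):
        findings.append(("default_search", search["url"]))
    # Extensions installed outside the Web Store (bundled installers do this).
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        enabled = ext.get("state", 0) == 1
        if enabled and not ext.get("from_webstore", False):
            name = ext.get("manifest", {}).get("name", "<unnamed>")
            findings.append(("sideloaded_extension", f"{ext_id} ({name})"))
    return findings


def audit_firefox_prefs(prefs_js):
    """Return a list of (category, value) findings for a Firefox prefs.js."""
    findings = []
    for line in prefs_js.splitlines():
        m = USER_PREF_RE.match(line.strip())
        if not m:
            continue  # comments and non-string prefs
        name, value = m.group(1), m.group(2)
        if name == "browser.startup.homepage":
            for url in value.split("|"):  # Firefox allows several, '|'-separated
                if not is_trusted_url(url):
                    findings.append(("homepage", url))
        elif name == "browser.search.defaultenginename" and value not in TRUSTED_ENGINE_NAMES:
            findings.append(("default_search", value))
    return findings


# Constructed sample of a hijacked Chrome profile (not a real capture).
SAMPLE_CHROME_PREFS = json.dumps({
    "homepage": "http://search.hijack-example.test/",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4,
                "startup_urls": ["http://search.hijack-example.test/?src=startup",
                                 "https://intranet.example.com/"]},
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Search", "keyword": "hijack-example.test",
        "url": "http://search.hijack-example.test/search?q={searchTerms}"}},
    "extensions": {"settings": {
        "aaaabbbbccccddddeeeeffffgggghhhh": {"manifest": {"name": "Deals Helper"},
                                             "state": 1, "from_webstore": False},
        "iiiijjjjkkkkllllmmmmnnnnoooopppp": {"manifest": {"name": "uBlock Origin"},
                                             "state": 1, "from_webstore": True}}},
})

# Constructed sample of a hijacked Firefox prefs.js (not a real capture).
SAMPLE_FIREFOX_PREFS = """// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://search.hijack-example.test/|https://intranet.example.com/");
user_pref("browser.search.defaultenginename", "Hijack Search");
user_pref("browser.startup.page", 1);
"""

if __name__ == "__main__":
    for label, findings in (("chrome", audit_chrome_preferences(SAMPLE_CHROME_PREFS)),
                            ("firefox", audit_firefox_prefs(SAMPLE_FIREFOX_PREFS))):
        for category, value in findings:
            print(f"{label}: {category}: {value}")
```

On a real machine, read the profile files with the browser closed (Chrome rewrites Preferences on exit) and treat an unexpected search URL or a side-loaded, enabled extension as the trigger for the removal steps above; a clean audit after the reset confirms the settings actually stuck.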
