Over 250 million computer users all around the world have been infected with Fireball malware. It’s a complicated adware program that hijacks web browsers and forces people to use fake search engines, such as Launchpage.org, Trotux, Yessearches, Hohosearch, Startpageing123, and Luckysearch123. Behind this cyber threat hides Chinese company Rafotech that represents themselves as a digital marketing agency. Ironically, on the official website, it is stated that they can reach 300 million users worldwide. Indeed, the size of the potential customer’s audience is similar to the number of infected devices. Undoubtedly, the main purpose of this cyber threat is to generate advertising-based revenue. Thus, Fireball works as a browser hijacker that redirects search queries either to Yahoo or Google services in order to participate in their affiliate programs. But researchers found out an even bigger issue of this malicious program. Its functionality allows tracking private information, installing and executing malware, and making the affected system vulnerable.
Discovered by security company Check Point, this cyber threat might be the biggest infection in the history. The research revealed that the majority of infected devices were located in India (10.1%), Brazil (9.6%), Mexico (6.4%) and Indonesia (5.2%). However, Fireball’s target field was not limited to home computers only. Rafotech also infected 20% of corporate networks too. The most damage it caused of Indonesia (60%), India (43%), and Brazil (38%). Meanwhile, the situation in the United States is not as dramatic as in these countries. Malware affected only 2.2% home computers and 10.7% of corporate networks. It seems that all these machines were infected when users installed freeware, shareware or other Rafotech products. The Chinese company employs a popular potentially unwanted and malicious programs' distribution method – bundling. Researchers found out that malware might spread via Deal WiFi and Mustang browser that are developed by the same company, as well as other free programs that users can download from various online sources.
The main primary function of the hijacker is to take over the affected browsers and generate revenue from the online advertising. However, the research has revealed another concerning feature. This malicious program is designed to install additional malware on the affected device. Currently, it does not distribute or install any dangerous files. However, the situation might change any minute. That’s why it’s important to get rid of suspicious search engines and browser’s start-up pages immediately. Indeed, some of the bogus search engines might trick users that they are legitimate. Alexa web traffic shows that even 14 fake search engines promoted by Rafotech made to the list of top 10,000 websites, but that’s not all. Few of these tools managed to make to the list of the top 1,000 sites. Thus, it only proves that “digital marketing agency” created a sophisticated and tricky cyber infection.