A Chinese digital marketing company named Rafotech is behind a new wave of inter-connected adware families that found their way onto the computers of millions of users.
According to an extensive investigation, Check Point claims Rafotech has designed a very intrusive adware that hijacks people’s browsers with the primary purpose of redirecting traffic to fake search engines.
These fake search engines do nothing more than divert search queries through Google and Yahoo’s affiliate programs, earning the Chinese company a commission.
A Growing Fireball Threat
Rafotech spreads its adware by bundling it with legitimate software, sometimes without giving users the opportunity to opt out of the installation.
This tactic has landed various strains of its adware on over 250 million computers, according to a rough estimate from Check Point’s team.
The most affected countries are India (25.3 million infections – 10.1%), Brazil (24.1 million – 9.6%), Mexico (16.1 million – 6.4%), and Indonesia (13.1 million – 5.2%). The US is also on the list with 5.5 million infections, accounting for 2.2% of the total global infection numbers.
To make matters worse, experts believe the adware has made its way into over 20% of all corporate networks, which means that one in five companies has a computer infected with this adware, which Check Point nicknamed Fireball.
Fireball Brings Trojan Horse Threats With It
Once this adware gets inside corporate networks, the threat often evolves and makes the situation much worse.
Check Point experts said in a report last week that Fireball contains features that allow the Chinese company to push and execute any file (malware) on the victim’s computer.
Because the adware is so intrusive at the browser level, experts fear that its maintainers would face no technical impediment to switching from a revenue model that’s based on traffic redirection and ad injection to something that involves stealing user credentials.
Fake Search Engines
If you’re wondering how come you’ve never heard of a malware family that infected over 250 million computers, the explanation resides in the fact that Check Point refers to all the adware created by Rafotech as Fireball.
Adware strains like the ones Rafotech creates are usually referred to by the name of the site they redirect traffic to.
Some of the fake search engines to which Fireball adware strains redirect traffic can be found in the Alexa Top 10,000 most popular sites on the Internet. A few receive so much traffic that they managed to break into the Alexa Top 1,000 site list, well above many legitimate sites. This shows the massive scale of Rafotech’s operation.
Warning Signs of Infection
If your home page has changed, or if you are continually sent to a weird search engine, your PC is probably infected with some sort of adware or Trojan horse.