Home / Browsers / Fireball Browser Hijack

Fireball Browser Hijack

Forrest Stroud
Last Updated May 24, 2021 7:43 am

Fireball is a form of malware orchestrated by Rafotech, a Beijing-based digital marketing agency, that has infected up to 250 million Windows and MacOS computers, according to Check Point software.

Once it infects a computer, Fireball takes over the PC’s browsers and turns them into zombies, enabling the Fireball Browser Hijack malware to run any code on the infected computer as well as hijacking and manipulating the web traffic of the infected PC to help generate fraudulent ad revenue.

The Potential Damage Caused by the Fireball Browser Hijack Malware

Fireball will modify a user’s homepage within a web browser as well as the default search engine the browser users. It additionally prevents any attempts to change these settings back. Fireball’s fraudulent search engines also include tracking pixels that will stealthily collect data about infected users’ browsing activities and use this information for marketing purposes.

Fireball Browser Hijack

Source: Check Point Software

The Fireball Browser Hijack will install browser plugins and make changes to browser settings to help boost advertisements as well as conduct potentially more serious activities such as spying and reporting on the activity of users on infected PCs, downloading and executing additional malware on infected computers, and distributing malware to other computers.

Original Estimate of Fireball Infections Overblown?

Security firm Check Point discovered the Fireball browser hijacking operation on June 1st, 2017, and its initial analysis claimed that Fireball was being secretly installed on computers as part of free software downloads provided to unsuspecting users.

While Check Point originally estimated Fireball had infected 250 million computers, follow-up analysis from Microsoft published on June 22nd reported this estimate was “overblown,” with Fireball attacks not as widespread as initially reported, and the company also reported subsequent Fireball reinfection rates have been low.

How to Tell If Your System Has Been Infected by Fireball

To check if your system has been infected by the Fireball Browser Hijack or another form of malware, Kaspersky Security recommends checking your browser’s home page and the default search engine to see if they have been changed from their original settings.

If these settings have changed or if you’re unable to modify the settings for either your home page or default search engine, your system may be infected by malware, in which case an internet security solution will likely be needed to detect and disinfect the malware.