On June 1, security firm Check Point reported that a browser hijacking operation called “Fireball” had already claimed 250 million victims. According to a Microsoft analysis published June 22, Check Point’s estimate of the number of victims was “overblown” and the attack is not nearly as widespread as initially reported.
The Fireball attack is a browser hijacking that is potentially able to download malware onto victims’ systems, as well as manipulate pageviews and redirect search requests. Check Point’s initial analysis claimed that Fireball was being bundled as part of free software downloads to unsuspecting users.
“Indeed, we have been working with Microsoft on their analysis, feeding them with some additional data,” Maya Horowitz, group manager of threat intelligence at Check Point, said in a statement sent to eWEEK. “We tried to reassess the number of infections, and from recent data we know for sure that numbers are at least 40 million, but could be much more.”
Microsoft claimed in its analysis that it has been aware of the Fireball issue since 2015. In particular, Microsoft’s analysis has found that the most prevalent malware used by Fireball are BrowserModifier:Win32/SupTab and BrowserModifier:Win32/Sasquor. According to Microsoft, its Windows users are protected from those threats by Windows Defender Antivirus and the Microsoft Malicious Software Removal Tool (MSRT).
“Check Point used a simple formula to come up with an estimate that was based on incorrect assumptions which provided an overblown number,” a Microsoft spokesperson told eWEEK. “This was confirmed in the follow-up discussions.”
Microsoft’s analysis reports that approximately 11,084,744 Fireball-related infections were detected and removed by Microsoft’s Defender and MSRT security technologies.
“Any sum of these numbers will be an estimate, however, as we can detect the malware on the same machine multiple times over multiple months,” the spokesperson stated. “The sharp and continued drop in reports from MSRT over several months indicates reinfection rates were low.”
Additionally, Microsoft claimed that Microsoft Edge browser users are not impacted at all by Fireball. Microsoft’s spokesperson said that is because the malware does not make changes that affect Edge’s settings. The spokesperson added that the impact to Microsoft’s Internet Explorer (IE) browser is extremely limited because a number of factors must be in place.
Edge is the successor to IE and has benefited from multiple security innovations. It has also benefited from the broader security researcher community that has been contributing bugs to Microsoft as part of a bug bounty program.
On June 21, Microsoft announced that since the Edge bounty effort began in August 2016 it has paid out over $200,000 in rewards to security researchers. The bounties were part of the Edge on Windows Insider Preview (WIP) bounty program that was not originally intended to be a time limited effort, but that is now changing.
“This collaboration with the research community has resulted in significant improvements in Edge security and has allowed us to offer more proactive security for our customers,” Akila Srinivasan, security program manager at the Microsoft Security Response Center, wrote in a blog post. “Keeping in line with our philosophy of protecting customers and proactively partnering with researchers, today we are changing the Edge on Windows Insider Preview (WIP) bounty program from a time bound to a sustained bounty program.”