Fireball Malware and Malvertising

A new Malvertising attack is in the news…isn’t it always?  This time (June of 2017) it infected / affected 250 million hosts.  How does it work?  It works by leveraging the online advertising mechanisms that advertise to you!  This one is “new” in that it generates revenue by fake clicks from applications stored on your PC.  Malvertising is dangerous no question about it!

* Hotdog & Not ah hotdog (credit Jian-Yang from Silicon Valley)

Thanks Google, Amazon, FaceBook, LinkedIn and all the online advertisers who have low standards and unsecured processes.  A marketing company in China named Rafotech pushed this malware out; it installs some browser plugins but is supposedly also able to install whatever it wants.  I doubt this is actually true if you’re a non-privileged user like you should be…and you should be…non-privileged and special (sorry / not-sorry).  Notice the “Ad” next to the “” on the “Not ah hotdog” line.  That is the MALVERTISEMENT link!  If you click on that link it doesn’t take you to in fact it takes you here:

Site:  tech-supportcenter[.]us

This is the classic malvertisement.  It’s a fake popup that attempts to lock your browser and trick you into believing your computer is broken and that it’s Microsoft or some other reputable company although…how reputable Microsoft historically is – is up for debate…but not much…they’re kind of crooked; well…not kind of…they are (LULZ – Link1 Link2).  If you call that phone number 844-346-3716 you get some supposed tech support genius who wants to charge you $300+ dollars and a support plan.  They’re scamming you out of money, and technically the tech companies are enabling them to scam you, although you bear some of the burden for getting into this situation too…certainly not 100% of it!  This stuff shouldn’t be legal, not that it is; it’s just not being cracked down on because they move too fast for law enforcement and it’s usually a cross-border non-countryman doing it!  What’s happening at its core is this:

1 – Scammer registers a bogus fake support website, sometimes posing as Microsoft by creating that domain name like this – or  What’s this cost them?  Anywhere from $1.99 to $13 depending on the TLD (Top Level Domain like .com, .net, etc).  Those cheap prices, brought to you by GoDaddy, Name Cheap, Network Solutions, etc…the list goes on, give hacker losers the ability to buy domain names in bulk.  They’re a commodity!  I can get a lot of domains for a small amount of money.  The domain tech-supportcenter[.]us was purchased by a derpy loser in the country of Georgia, a guy by the name of Nika Grigolava (email him and tell him how much you hate hacker losers:  I created him a nice little unprotected “mailto” link so it’s scraped and put into the spammer repositories…

* Derp needs to figure out how to be a real hacker and hide himself better online (LULZ)

Well there he is, looking like a baller…hot tubbing it up with his technical support team, eating good and living large.  The guy is smart and a hard worker I’m sure…I’m maybe re-thinking joining his team now that I see what a wonderful life he’s leading, although my image of a good time isn’t hanging out with 2 other dudes in a hot tub (to each their own).

2 – They then host that newly registered website and create the web code that locks your browser.  They stand up toll free numbers you can call which, by the way (off topic slightly), did you know that I (you, me and anyone) can find out who owns a non-toll free number, report abuse to the telecom and have it shut down, HOWEVER; if someone has a toll free number, all toll free numbers get registered and distributed / allocated through a SINGLE “clearinghouse”.  That clearinghouse (I forget their name, I’d have to look it up) is the ONLY company that knows which toll free number belongs to which telecom…?  Because of this awesome government setup, unless you have a warrant you can NOT find out which telecom that toll free number belongs to, where it goes or anything.  The derp hackers who are busily taking calls then cannot be taken down by second class citizens (aka “civilians”) like you, me or anyone who isn’t wearing a badge and pushing papers to judges for warrants.  It has to be law enforcement generated paperwork to get a toll free number taken down.  That’s awesome isn’t it?  No wonder the hackers are winning!  OK, back on topic, although you can see how intertwined scamming is into non-binary hard core coding…how old are telecoms?  Old, and the legacy mechanism to manage them, report abuse, etc needs to be updated slightly!  The web code is available on hacker hangouts; you change your phone numbers up, update the code, update the verbiage to scare people into calling that number and the phone will start ringing…cha ching!  I happen to know at least six or so people who have fallen for this type of scam personally.  Getting the web page together: $10 dollars (probably $0 actually).

3 – The last piece once you get your domain name ($2), your hosting ($5), your web page ($0)…we’re up to a $7 “investment” here…is to create a Google Adwords advertising camPAIN and pick your target.  This might take a bit of time but thanks to Google’s big brother information (aka “demographics information”), you can be targeted.  Oh, you want people of a certain generation (old people, young people…not so young or old people)? Let’s create an ad that targets people over the age of 60, in the US, who make more than 50k per year AND use Windows…maybe we target people who only use Internet Explorer…or maybe Chrome…yeah, that’s the ticket.  Chrome users have more money on average than Internet Explorer (or Edge) users.  Google will give you all that information to target your “ad”, only this ad isn’t an ad…it’s a hijacked ad, a fake link, and it’s going to trap you.

Note:  Thanks to highly distributed networks (the cloud) this stuff can spread quickly.  Cloudfront, Google Ads, Amazon Ads, FaceBook Ads can distribute attacks like wildfire.  I hope the next Fireball version is actually called “Wildfire” and I can get some credit for the name.  😉

So then what’s a girl to do?

If you get into a situation like this, first just restart your computer – don’t pay attention to their empty threats.  Once rebooted, use a different browser (just in case) and get a malware scanner to scan your system just to be safe.  I like Microsoft’s one time use msert.exe (Microsoft Emergency Rescue Tool) or Malwarebytes.  There are a lot of them out there; neither of those is too invasive.

You can also install an ad blocker into your browser.  I personally like “ublock origin”; there are a lot of them out there BUT what I like about ublock origin, which is different from the other ublocks and ad blockers, is that they’re NOT in bed with Google.  Google pays “adblock” and “adblock plus” (I believe) money to “white list” their ads!  That’s a conflict of interest.  I’d rather PAY for an ad blocker than have them in bed with a malicious company like Google who doesn’t secure their ad network.  Ublock Origin is available for Chrome and FireFox.

You can also use a “security suite” for your browser if you’re hard core, like “no script” which I live by.  It’s a bit of a pain to manage but once you use it for a while you build a personal white list of scripts and sites to “allow”.  A nice one-two punch of no script and ublock origin keeps you quite safe online.

From a corporate perspective you NEED to use a DNSbl or DNS block list on your firewall or in your DNS servers.  Why?  Because the process by which ublock origin blocks ads can be extended to the entire network if used on your firewall instead of your individual PCs.  The DNSbl essentially says that domain’s IP address is or or or null or whatever…but it doesn’t “resolve” to an actual public IP address, so it doesn’t load the page or the piece of the website and it NEVER shows up in the browser.  That’s how it “blocks” the web content.

We typically use a combination of publicly available “secure DNS” servers who supposedly filter out malware, trojan hosters, hijacked domains, etc, but we also use actual lists that have thousands of domains in them to block.  We also rely on a custom manually edited DNSbl that we create.  When we find something of interest like a tracker, ad network, etc we add it to our own list.  So the security stack (“the stack”) with respect to protecting your network from malvertising is a combination of DNSbl’s and secure DNS lookups.  You can’t rely on service providers to continually protect you so you need a multitude of them, including yourself…you become a member in the herd for “herd immunity”.

The DNSbl process we generally set up is like this:  Computer DNS settings > points to > Local Server > points to > Firewall that hosts the DNSbl’s (thousands of records hosted locally on the firewall) > points to Secure DNS providers <– ads, malvertising, click trackers, pixel trackers, etc…all blocked.
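To make the “resolves to null instead of a real address” mechanism and the forwarding chain above concrete, here is an added example (not the firewall’s or any DNS product’s code).  It parses a constructed hosts-format block list like the ones ad blockers and DNSbl feeds ship, matches a queried name and all of its parent domains, and either returns the sinkhole address or hands the lookup to the upstream “secure DNS” stage, which is stood in for by a dict:

```python
"""Minimal DNSbl matcher: block-list parsing, suffix matching, sinkhole answer.
Added example; list contents and upstream answers are constructed."""
import ipaddress

# Constructed hosts-format block list (address followed by one or more names).
SAMPLE_HOSTS_LIST = """
# ad network and tech-support-scam domains (constructed sample)
0.0.0.0 tech-supportcenter.us
0.0.0.0 ads.example-adnetwork.test
127.0.0.1 tracker.example-pixel.test  # trailing comment is ignored
"""

SINKHOLE = "0.0.0.0"  # the "null" address a blocked name resolves to


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hosts_list(text):
    """Return the set of blocked domains (lower-cased, no trailing dot)."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments / blank lines
        if not line:
            continue
        parts = line.split()
        # Plain "domain per line" feeds have no leading address; hosts files do.
        names = parts[1:] if _is_ip(parts[0]) else parts
        blocked.update(n.lower().rstrip(".") for n in names)
    return blocked


def is_blocked(qname, blocked):
    """True if qname or any parent domain is listed (cdn.ads.x matches ads.x)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def resolve(qname, blocked, upstream):
    """Firewall stage of the chain: sinkhole listed names, else forward upstream.
    Returns (stage, answer); upstream is a dict standing in for the secure DNS
    provider, so an unknown name yields None rather than a real lookup."""
    if is_blocked(qname, blocked):
        return ("blocked", SINKHOLE)
    return ("upstream", upstream.get(qname.lower().rstrip(".")))
```

A real deployment would publish the same matches as local zones on the firewall’s resolver rather than in Python, but the match and sinkhole logic is the same.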

If you don’t have a DNSbl strategy in place you NEED ONE!

On our DNSbl, using the Check Point information about the compromised URLs on CloudFront’s infrastructure, we block Fireball.  Additionally, the rest of our security stack blocks it because we lock down the infrastructure to focus on business needs, so the Internet you need is the Internet you get…it’s a tight ship with no leaks.


If you’re having security problems we can help!

Comments or questions are welcome.