Fraudsters have long recognized that Fortnite is a virtual island of opportunities. Making (criminal) money out of Fortnite is as easy as taking a lollipop from a child, because, well, many of the 78 million active gamers ARE pretty young. Not that folks the age of World Cup footballers are any less likely to fall for the myriad Fortnite scams running wild these days. Trust me – those criminals are quite good. The game, whose developers have already raked in over a billion dollars this year, has certainly attracted a lot of cybercrime attention.
So – why don’t we take a look at some of the latest and greatest Fortnite cyber attacks?
In March this year, many Fortnite players realized their accounts had been compromised, and unauthorised charges amounting to hundreds of dollars had been made on their Epic Games accounts. Someone was playing with their credentials in areas of the game they hadn’t purchased, or with battle passes they hadn’t bought.
The trick is simple: first, compromise the user’s credentials through phishing, vishing (voice-based phishing), or malware. Then, access the account from a new device, download the game, and use the payment mechanisms stored in the account to purchase additional virtual goods. Finally, sell the credentials on an auction site, claiming you’re the legit owner, you’ve got the most advanced gear and plenty of V-Bucks credit, but you’re no longer interested in the game – so the buyer can just go ahead, purchase the credentials, change the password if they really feel like it (most of them won’t), and have fun.
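The sequence described above (login from a device the account has not used before, followed by purchases on the stored payment method) can be flagged from an account event log; the following is an added example, not code from the article or from Epic Games. The event names, record layout, known-device baseline and 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window

# Assumed baseline: devices each account has used before the log starts.
KNOWN_DEVICES = {"alice": {"dev-A"}, "bob": {"dev-B"}, "carol": {"dev-C"}}

# Constructed sample events: (account, ISO timestamp, event type, device id)
EVENTS = [
    ("alice", "2024-03-10T08:00:00", "login", "dev-A"),
    ("alice", "2024-03-10T08:05:00", "purchase_stored_card", "dev-A"),
    ("bob",   "2024-03-12T02:14:00", "login", "dev-X"),
    ("bob",   "2024-03-12T02:20:00", "game_download", "dev-X"),
    ("bob",   "2024-03-12T02:31:00", "purchase_stored_card", "dev-X"),
    ("bob",   "2024-03-12T02:33:00", "purchase_stored_card", "dev-X"),
    ("carol", "2024-03-13T10:00:00", "login", "dev-Y"),
    ("carol", "2024-03-16T10:00:00", "purchase_stored_card", "dev-Y"),
]

def find_takeover_purchases(events, known_devices, window=WINDOW):
    """Return (account, device, timestamp) for each stored-card purchase made
    within `window` of the first login from a device unknown to the account."""
    first_seen = {}  # (account, device) -> time of first login from that new device
    alerts = []
    # ISO timestamps in one format sort chronologically as strings.
    for account, ts, kind, device in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        key = (account, device)
        if kind == "login" and device not in known_devices.get(account, set()):
            first_seen.setdefault(key, when)
        elif kind == "purchase_stored_card" and key in first_seen:
            if when - first_seen[key] <= window:
                alerts.append((account, device, ts))
    return alerts

if __name__ == "__main__":
    for alert in find_takeover_purchases(EVENTS, KNOWN_DEVICES):
        print("review purchase:", alert)
```

This rule only covers the new-device path; purchases made from a device the account already trusts pass through it unflagged.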
It should be noted that the game developers may soon – if they haven’t already – use device binding to make sure only trusted devices can be used to order new V-Bucks or battle passes. But as the financial industry knows, trusted devices are… well… not to be THAT trusted.
And the same applies to two-factor authentication. In the UK, the entire banking market moved to 2-factor authentication ten years ago, and fraud levels still increase each year as a combination of malware, remote access and social engineering is used to trick users into providing the 2-factor authentication code. And about 80% of fraud is coming from trusted devices. So while it may help in the short term, protecting such a lucrative target will certainly take more than that.
A much more basic attack on young children is a YouTube clip showing how you can ‘make a lot of V-Bucks’. Kids may barge into your kitchen with super excited expressions on their little faces, telling you they just uncovered this amazing clip allowing them to do just that. Those clips lead to fake sites asking for credentials or game verification codes, or simply showing ads. There are also V-Bucks Generator sites, fake domains resembling the original developers’ sites, and social media campaigns leading to those bogus resources.
Before Fortnite was made available on iPhone, plenty of rogue apps posing as “free v bucks generator no human verification” tools popped up in the App Store. Those normally have malicious capabilities, and some of them contain remote access features that allow taking over the user’s mobile device. The same thing also happened before the game was published on Android; Zscaler researchers found that one of the fake apps had over 4000 five-star recommendations, making it a highly popular download. A good analysis of how rogue apps trick users can be found in Sophos’ Naked Security blog.