FORTNITE SCAMS ARE EVEN WORSE THAN YOU THOUGHT
Fortnite opportunists have plagued the internet since the game’s launch; WIRED has previously looked at the scourge of fake app downloads connected to the game’s controversial Android launch. But a new report from security firm ZeroFox lays bare just how broadly these scams have proliferated across social media, YouTube, and thousands of domains.
“Once we started digging into it, we uncovered a lot of stuff,” says Zack Allen, director of threat operations at ZeroFox.
By the numbers, that “stuff” comprises over 4,770 live domains dedicated to Fortnite scams; 1,390 YouTube videos advertising malicious links with combined views in the millions; and hundreds of links on social media every day that lead to fraudulent destinations.
“The biggest thing that surprised us was the professionalism that went into some of these websites, where they would design some of these V-Bucks sites with a lot of skill,” says Allen. “They made it look really legitimate, they had awesome user experiences, and as you go deep into those things, they made it really hard for people to differentiate between what was legitimate and what was not.”
The sites generally encourage visitors to click ads in order to unlock V-cash, which never materializes. Some of them deploy clever tricks, too, to appear not just valid but active, with fake messages from pretend Fortnite fans appearing onscreen or fake comment sections full of phony satisfied customers.
The domains also often had security certificates issued by Let’s Encrypt, which simply means that they provide encrypted connections. It’s a popular technique among scammers, because it makes any site appear safe, regardless of its actual intentions. “The issue here is not that phishing sites have certificates and use HTTPS,” says Let’s Encrypt head Josh Aas. “All websites, including phishing sites, should use HTTPS. The issue is that lock icons in browsers are misleading. Some people incorrectly interpret lock icons as a sign that a site’s content is safe or trustworthy, and that’s a completely separate issue from whether or not the connection is secure. “
The Fortnite scams ZeroFox tracked also stand out for their coordinated approach. “The more interesting ones that we found redirected from one social network to another. We’ve seen a lot of videos that would be linked from a post on Facebook, going to a video on YouTube, which then would link to a phishing or a scam domain,” says Allen. “It’s like they tried to connect a lot of these things to provide more of a sense of legitimacy to the victims. It builds trust.”
And while Fortnite scams have spread steadily for months, they lately seem to come in waves, says Ben Herzberg, head of threat research for security firm Imperva, which has also tracked these campaigns. That includes a recent surge around Labor Day and another at the end of last week. The platforms are generally responsive when alerted to these threats, but don’t expect them to disappear anytime soon. The domains are too hard to shut down, and the racket is too lucrative. In July, Imperva suggested that Fortnite scammers are on track to collectively haul in over a million dollars in 2018.
“Basically, cybercriminals are always trying to make money,” says Herzberg. “It just works so well, why stop?”
As for protecting yourself, common sense seems to be the best antidote. The only way to get V-Bucks is within Fortniteitself. There are no shortcuts, no Epic Games-approved sites that will dispense them to you, especially not for clicking on junk ads.
Until people learn that lesson, though, Fortnite scams will continue to flood the web, and Fortnite scammers will continue to collect junk ad money and personal data from their victims. “When you put your address in a random form, when they know your age, etc., you don’t know where that will lead. It could have just been five minutes wasted on filling out a form, but it could be leading to worse,” says Herzberg. “Until Elon Musk buys Fortnite and cancels it.”