When something seems too good to be true, it probably is. It’s a hard lesson to learn and, in this case, one that’s being taught by scammers. The perpetrators are abusing the fact that online players of Battle Royale games may be very eager to get free in-game currency and items, and are willing to go to pretty risky lengths to get hold of them.
We found that campaigns specifically targeting Fortnite gamers are advanced in both their ‘marketing appeal’ and their user interface and are on the rise… in line with Fortnite’s growing popularity. Scammers are tempting gamers by promising in-game currency (Fortnite V-Bucks) ‘for free’ when, in reality, the gamers aren’t getting anything; while the scammers are making bank by misleading gamers into action-oriented advertisements like signing up for services or installing additional software.
Scammers are eager to get money from unsuspecting gamers. This is nothing new and has happened in the past with gaming hits like the popular MMORPG WoW (World Of Warcraft), where scammers were making money by selling accounts and artifacts; CS: GO (Counter-Strike: Global Offensive) where scammers were and still are selling skins, and many more. In the last few months, we’ve seen a lot of criminal activities aimed at Battle Royale gamers, who’ve spent more than $1 billion through in-game purchases, as these types of games continue to grow in popularity.
What are Battle Royale games?
In case you just woke up from a coma and have never heard of the Battle Royale genre; they’re incredibly popular online survival games (mostly first-person shooters), where you get dropped into an open-world map, and in order to survive you have to scavenge for weapons and ammo and kill everybody else. Well, that’s the short description anyway.
The longer version, according to Wikipedia is:
A Battle Royale game, also spelled battle royal, is a video game genre that blends the survival, exploration and scavenging elements of a survival game with last-man-standing gameplay. Battle Royale games challenge a large number of players, starting with minimal equipment, to search for weapons and armor and eliminate all other opponents while avoiding being trapped outside of a shrinking “safe area”, with the winner being the last competitor in the game. The name for the genre is taken from the 2000 Japanese film Battle Royale, which presents a similar theme of a last-man-standing competition in a shrinking play zone.
So, who’s at risk?
Ideal targets for these types of scams include players of ‘freemium’ games, where you can play for free, but some premium additions (such as virtual money or skins) can be bought with real-world currency. Everyone wants the premium kit, but no one wants to pay for it.
We focused our research on Fortnite scams, since this game is hugely popular in the freemium game category, especially among teenagers. This demographic makes for a soft target, given that young people are often constrained financially on account of being, well… young.
How does the campaign work?
The scam’s aim is to lead users to V-Bucks generators — a utility that supposedly creates free V-Bucks from thin air — and eventually trick them into clicking on ads. In order to hide their intentions and prevent site owners from deleting the spam they post, attackers use a variety of obfuscation methods. Many of the URLs linking to the scam contain URL redirections which make it look as if the URL leads to a legitimate well-known site, and the pages that advertise the generator are hosted on innocent online services.
The generator’s landing page is usually pretty well-designed, filled with images and animations making it look legit. After all, who’d take the time to build a beautiful generator that doesn’t work? The generator usually prompts for a username and then asks how many V-Bucks you would like to get for free. Then, a small terminal appears on screen, streaming commands that imitate hacking into the Fortnite Database and adding V-Bucks to your user.
After a handful of commands, all of which execute successfully, an error occurs, and human verification is needed to solve it.
Attempting to verify will lead you to a survey site with a survey pool. These surveys are basically ads — some of them lead to legitimate businesses and others lead to scam sites — but none of them can be completed in any way, and your Fortnite user won’t get any richer.
Show me the money!
Pay Per Click Advertising is an advertising model in which an advertiser pays a site owner for each ad click. The entire scam revolves around leading users to the survey pools, promising free V-Bucks to motivate them to click on all the ads, and with each click, the site owner receives a payment. Basing our calculations on a few hit sites, we estimate that one group of attackers has made over $93,000 in the last month from this scam alone, according to data taken from SimilarWeb.
For gamers: if someone offers you in-game currency for free, chances are it’s a trap. Just don’t go there. In this case, the ‘damage’ varies between simply wasting your time clicking, to falling into a more serious trap that may harm your computer.
For site owners: make sure you’re protected against application attacks, including comment spams and other bot attacks.
*** This is a Security Bloggers Network syndicated blog from Blog | Imperva authored by Johnathan Azaria. Read the original post at: https://www.imperva.com/blog/2018/07/fortnite-scammers-approaching-1m-in-annual-takings/