Support 416-591-6711 option 1 or Email Us

It’s all Fun and Games Until Someone Gets Hacked - Fortnite Hacking, Phishing and more

Mon, 15 Jul 2019

A dirty little secret got released recently about the online gaming world. Fortnite, the most popular online game in 2018, entertaining more than 3.4 million players across its various platforms, had a big security flaw. Of course, Epic Games, a company that brought in somewhere around $3 billion in profits last year, has a large cyber-target on its back. With many users and major earnings, comes lots of sensitive data and potential money to be stolen.

It’s all Fun and Games Until Someone Gets Hacked

A crack in Fortnite’s armor

The security firm, Check Point Software, discovered the defect in Fortnite’s defenses. The potential security flaw occurred when players accessed their Fortnite accounts using 3rd party login services, like Facebook. When you access Fortnite through Facebook, your computer gets a security token that you use to access your Fortnite account after a redirection via a website link. It was actually the proverbial “weak link” that was the problem. The malleable link was corrupted so that people weren’t directed to their Fortnite accounts, but instead to older Epic Games’ websites, or subdomains – in this case, an old webpage from 2004. The old subdomains were flawed and could also be tampered with, allowing hackers to obtain user's login security tokens. Hackers could then use the acquired security tokens to access gamer’s accounts. 

Once gamer accounts were accessed sensitive data could be obtained, settings could be changed, and a phishing attempt could be launched. The phishing scheme mimicked an Epic Games’ message. It would be sent to the targeted gamers who, scammed into thinking it was a legitimate message from Epic Games, would click on the tampered link. Once the link was clicked on, hackers could access their accounts even without login credentials. This weakness permitted cybercriminals to take over Fortnite accounts. Once in, they could make purchases with the game's virtual currency (V-Bucks).

What we don’t know will hurt us

The scary part is that this flaw came to the attention of Epic Games in November of 2018 and they fixed the flaw in December, yet the game-playing public, those left vulnerable, are just hearing about it now. Oded Vanunu, Check Point’s head of products and vulnerability research, explained that these sorts of cybersecurity vulnerabilities are growing more common as apps become more multifaceted. The problem isn’t with the new apps, but that they are built across multiple software services that can be connected to older infrastructure that may be flawed, or their security measures outdated. Inadvertent connections to old and forgotten websites are especially common with the rate of technological development occurring. Corporations, especially gaming companies, want to ride the wave of hype and trend because that's where the money is. However, this speed of release, especially across platforms, can mean that necessary security measures are unintentionally overlooked.  "This is why we see so many big leaks of millions of records," Vanunu said.[i]

Game developers, hustling to get new games on the market, often release them on the first platform that is ready. If that is iOS, then Android users feel left behind, and their anticipation gets amped up. While this anticipation may be great for creating marketing hype, it's not so good for cybersecurity. Some young and naïve gamers, who want to keep up with their peers, will download pre-release hacked versions of the popular games. Instead of getting in the game, they get caught in a trap.

This happened when Fortnite was released on what seemed like every platform except for Android. Android users, feeling left out, went online to search out an early cracked version of the game. They found it too. Except that the links to promised gameplay actually just linked to malware that when installed made money for the virus creators. This initial frantic search for early game versions is called the first attack vector[ii] and is used by hackers against mobile gamers. The malware that gets installed can lead to cryptomining, phishing, and identity theft.

Making bank, not just V-Bucks

In December, the BBC reported that teen hackers, some as young as fourteen, are making thousands of pounds a week by stealing private gaming accounts and reselling them online in a sort of Fortnite black market. While Fortnite is free to play, gamers can buy skins that change the look of characters, as well as purchasing other add-ons. 

One 14-year old victim-turned-hacker told the BBC that he’d spent around £50 to build up his own collection of skins before he received an email. He said, "The email said that my password had been changed and two-factor authentication had been added by someone else. It felt horrible.”[iii] The two-factor authentication meant that he could only access his game account by entering a specific code which was now sent to an email address or app registered to the hacker. There was nothing he could do. 

He took to Twitter to vent and through that got lured into the world of Fortnite cracking. He’s bought himself some new games and a bicycle with his newfound criminal-earnings. Some hackers make substantially more, like a 17-year-old from Slovenia, with his own sales website, who admits to making £16,000 in the seven months that he’s been cracking Fortnite. He even had the Paypal accounts to prove his monetary claims. He’s saving for a new car.

Epic Games was made aware of this hacking culture in March of 2018. They responded by saying they’d look into the problem. Hackers admit that when gamers add two-factor authentication to their accounts, it makes their job far more difficult. While not mandatory, Epic Games rewards users who use two-factor authentication with in-game accessories. It’s a win-win situation – rewards for you and headaches for hackers.

Protecting the young and less informed

Unlike Trix, online games aren’t just for kids. A 2018 survey of gamers in the US showed that only 28% of video game players are under 18.[iv] That’s right, 72% of US gamers are adults. But, it’s the younger generation, the less informed and less patient, that are more easily targeted by cybercriminals.

McAfee conducted a survey[v] in 2018 about children and online gaming. The survey found that 62% of children play games where they speak to other people. With this ability to talk to other game players comes a vulnerability – just who are they talking to? 75% of parents who responded to McAfee's survey were most worried that this unknown person may be a sexual predator, 61% worried it was a bully, and 60% worried it was a cybercriminal attempting to steal personal or financial information. Despite this unease, 44% of parents were still allowing their child to play a game that they were too young for according to the game’s rating. 

While their kids are busy playing the game, 62% of parents who responded were concerned about cybercriminals disguising themselves as another kid to steal sensitive information, 58% were worried their child may inadvertently download malware by clicking on a bad link, and 52% fretted about cybercriminals hacking user accounts to access financial information. They have a right to be scared – and the 40ish percent of those not worried, need to be.  

Play on, playa

The reality is that you have to protect yourself against Cybersecurity threats. 

Here are seven tips for how to protect yourself (and your kids) while getting your game on:

1.      Only download apps from your official App Store.

2.      Be patient. Wait until a game is formally launched.

3.      Browse with protection. Have a security feature installed on your computer and across all connected devices.

4.      Use parental control software. Ensure your kids can’t access what they shouldn’t be, set usage and exposure limits.

5.      Use caution when you click! Look for reliable sources.

6.      Use different (complex) passwords on each game site. 

7.      Use two-factor authentication for accounts whenever they are available.

Get a level-up on cybercriminals. Reduce your IT security risk and find a security solution that protects you.


‹ Back