For the last couple of years, MMO (massively multiplayer online games) have gained immense popularity. One of the games that sit right at the top of the popularity pyramid is Fortnite. It is a Battle Royale where 100 players fight each other and, the last one standing wins. It is similar to the Hunger Games series, which requires a player to be fast and creative. While the game is free to play, players have to pay for costumes, weapons, skins of their online avatars. You can pay for these through an in-game currency called 'V-Bucks". In 2018 alone, Fortnite raked in $2.4 Billion making it the highest-earning game in a calendar year.
In this blog post, we will look at how scammers take advantage of the 'V-Bucks' frenzy and setup scam pages to lure players into revealing their sensitive information (sometimes credit card information). I will also discuss and explain in detail each stage of the scam.
Before we jump into the post, let me explain why you need to be aware of this scam. We predict the number of 'Fortnite V-Bucks' scams pages to spike up during the holiday season. Below is the monthly distribution of the scams pages flagged by CheckPhish in 2019.
Its mid-November, CheckPhish has already flagged 567 Fortnite Scam pages. This is a trend we observed for other phishing/ scam pages too.
Stage One: Setup
Attackers can set up scam pages by either creating them or buying from other scammers. Creating a scam page needs effort and domain expertise. Buying a scam page is easy and cheap. Websites like fudpage[.]ru sell phishing kits and scam pages for as low as $20.
Let us take a look at how 'Free Fortnite V-Bucks' scam pages are setup. These pages claim to hack into Fortnite's servers and add free V-Bucks to a player's account. There are a few similarities we observed across all these pages. They are:
- Recognizable - When a player lands on one of these pages, he/she can easily recognize that the page is talking about Fortnite. Scammers make these pages look similar to the official website.
- Detailed - The background image is from the game. The font and color of the text are similar to Fortnite's official website. Every minute detail was taken into consideration while creating these pages.
- Sophisticated - Most of these scam pages have a chatroom functionality available. They trick the user into believing that he/she is interacting with real players across the world. We will take a detailed look into it later in the post.
Scam Page 1: hxxp://vbucks-generator[.]xyz/
• IP Address of the scam site: 126.96.36.199 (State: Utah, Country: United States)
• We found 755 other phishing/ scam pages on this website. For more details visit CheckPhish.ai
Scam Page 2: hxxp://www[.]forvbucks[.]tk/
• IP Address of the scam site: 188.8.131.52 (California/ United States)
• We found 159 other phishing/ scam pages on this website. For more detail visit CheckPhish.ai
Scam Page 3: hxxp://yourfort[.]club/
• IP Address of the scam site: 184.108.40.206 (Amsterdam/ Netherlands)
• We found 16 other phishing/ scam pages on this website. For more detail visit CheckPhish.ai
We will take a detailed look at what happens on each page later in Stage Three: Collect.
Stage Two: Propagate
Once these scam pages are set up, the next step is to propagate them. The most common means of spreading the word is through social media channels like twitter, facebook, instagram, steam, pinterest and youtube. In this section, we will look into how each of these platforms is used to distribute the scam pages.
A quick search for 'free vbucks Fortnite generator twitter' on google yields the following results.
Clicking on the second link led me to a series of tweets. I’ve posted the most interesting ones. Please be aware that these scam websites are still live. Do not enter your personal information on these pages. If you are interested to see more of these, try the google search and follow the breadcrumbs.
A quick search for 'free vbucks Fortnite generator facebook’ on google yields the following results.
Clicking on these links led me to several facebook pages promoting this scam. Below are screenshots of some of the most interesting pages. Again, do not enter your personal information on these pages. If you are interested to see more of these, try the google search and follow the breadcrumbs.
And, here are screenshots from other social media platforms like Youtube, Steam, Pinterest and Instagram.
Stage Three: Collect
In this section, we take a deep dive into one of the scam pages. We will inspect each element of a 'Free V-Bucks Generator' page and understand how a scammer tricks a user into believing that the page is authentic. Let us take a look at hxxp://vbucks-generator[.]xyz/ (Scam page 1 in Setup).
We will enter a random string into the 'username' field, select 'PS4' and request for a 1,000,000 V-Bucks. Below is a short video explaining what happens once you click on the 'Generate' button after selecting these options.
The web page throws a few tech terms at the user before redirecting him/ her to a survey page. Let us inspect the page source to see what's happening. I downloaded the page and searched for 'V-Bucks Injected Successfully’ in the HTML.
These are basic ‘print statements’ in HTML. The code does not communicate with Fortnite’s servers. It has been designed in a way to trick the users into believing that V-Bucks have been added to their Fortnite accounts.
Some of these pages include a chatroom to make them look real. Below is a short video showing how this functionality tricks players into believing the page is authentic and is being used by others. Webpage: hxxp://ecodes[.]me/fortnite-free-vbucks/
After entering the chatroom multiple times, I observed that the comments were being recycled. Same comments started appearing over and over. So, I decided to take a look at the HTML code. And, this is what I found.
The first screenshot has a list of all usernames and the second one has a list of messages that will be displayed in the chatroom. The code randomly picks and displays them in the chatroom. When you enter a username, the program starts tagging you on some of these messages. For someone who does not take a look at the HTML code, it might seem like they are interacting with real humans. These functionalities come with a lot of variations. Some of them display a fake Facebook comment section while others show random reviews from users that do not exist.
After this, the user is redirected to a manual verification page. Here, they are asked to fill multiple surveys to access the V-Bucks in your account. These surveys ask for your personal information including your phone number and physical address. Let us take a look at data is collected by clicking on a from webpage hxxps://fortnitevbucksgen[.]xyz/
Ever received a call from a customer agent who claims that you have been selected for a free cruise trip? The data from survey pages is sold to such companies.
In this blog post, we looked at the 'Fortnite V-Bucks' scams in detail. We looked into how these pages are set up and their distribution through social media channels. We also tried to understand how the scammers add sophisticated features like chatrooms to trick users.
We suggest you to be the lookout for such scam messages and links. If you find a suspicious URL, you should scan it through on CheckPhish before accessing it. If you like the post, send it to your friends to keep them safe these online scammers.