Tens of thousands of Fortnite players have been infected by malware that hijacks encrypted Web sessions so it can inject fraudulent ads into every website a user visits, an executive with a game-streaming service said Monday.
“As the errors kept flowing in, we took a glance at what these users had in common,” Sampson wrote. “They didn’t share any hardware, their ISPs were different, and all of their systems were up to date. However, one thing did stand out—they played Fortnite.”
Root certificate installed
Suspecting the malware was spread by one of the countless Fortnite cheating hacks available online that promise to give users an unfair advantage over other players, Rainway researchers downloaded hundreds of the hacks and scoured them for references to the rogue URLs. The researchers eventually found one Sampson declined to name that promised to allow users to generate free in-game currency called V-Bucks. It also promised users access to an “aimbot,” which automatically aims the character’s gun at opponents without any need for precision by the player. When the researchers ran the app in a virtual machine, they discovered that it installed a self-signed root certificate that could perform a man-in-the-middle attack on every encrypted website the user visited.
Sampson wrote: “Now, the adware began altering the pages of all Web requests to add in tags for Adtelligent and voila, we’ve found the source of the problem—now what?”
Rainway researchers reported the rogue malware to the unnamed service provider that hosted it. The service provider removed the malware and reported that it had been downloaded 78,000 times. In all, the malware generated 381,000 errors in Rainway’s logs. The researchers also reported the abuse to Adtelligent and Springserve. Adtelligent, Sampson said, didn’t respond, but Springserve helped to identify the abusive ads and remove them from its platform. Adtelligent officials didn’t immediately respond to a message seeking comment for this post. Officials from Epic Games, the maker Fortnite, declined to comment.
Sampson also said that Rainway implemented a defense known as certificate pinning. Certificate pinning binds a specific certificate to a given domain name in order to prevent browsers from trusting fraudulent TLS certificates that are self-signed by an attacker or misissued by a browser-trusted authority. While the adoption of certificate pinning is a good defense-in-depth move, it unfortunately would do nothing to protect users against root certificates installed to perform man-in-the-middle attacks, as Google researchers have warned for years. That means the malware has the ability to read, intercept, or tamper with the traffic of any HTTPS-protected site on the Internet.
The rash of infections is the latest cautionary tale about the risks of installing shady software provided by unknown sources. People who suspect they have been infected should install antivirus protection from a name-brand provider and thoroughly scan their systems ASAP.