Recently a Web-based game-streaming platform Rainway, reported that tens of thousands of Fortnite players that have infected their systems with a piece of malware that hijacks encrypted Web sessions in order to inject fraudulent ads into every website a user visits.
Rainway CEO Andrew Sampson published a blog post (linked below) in which he said that the company began receiving hundreds of thousands of error reports from its server logs last week and after investigating, the team found that the systems of their users were attempting to connect with various ad platforms.
Since Rainway system allows only whitelisted domains, users can connect only to approved URLs and every ad-related requests got blocked which in return resulted in errors that helped Rainway identify the issue..
As these errors kept flowing in, the company examined the root cause of such errors by analysing what these users had in common. According to the company, their ISPs were different, they did not share any hardware and in fact, their systems were also up to date. There was just one thing that was common – they all played Fortnite.
How were the systems infected?
It was discovered that the affected users had installed cracked versions of Fornite tools which were being advertised through Youtube videos. These tools claimed to generate free V-bucks to give those users an unfair advantage over other players.
However, in reality, these hacks installed a root certificate on the infected computers that allowed hackers modify all network traffic using a man-in-the-middle attack, even if the web session is encrypted.
The hackers leveraged the popularity of the Fortnite game to spread adware that alters the pages of a web request to serve its own ads.
According to the reports, the malware had already been downloaded 78,000 times before it was taken down.
According to Ankush Johar, Director at Infosec Ventures, gamers are often tempted to install these kinds of cheats, cracks, mods etc, however, one thing that should be kept in mind is that – Nothing comes for free. There is almost a 99% certainty that game cheats and hack tools that are available on the internet contain some sort of malware/adware that can affect user’s systems and then used to generate revenue using ads or selling data in the black market, else what’s the benefit to the crackers?
The attack methodology used here i.e. installing a root certificate is one of the most dangerous things an attacker can do. This makes the compromised machines trust the https certificates generated by hackers and show a green lock in the browser even when the certificate is not what its supposed to be. So, a hacker can, in fact, using a man in the middle attack, make users redirect to phishing look-alikes of websites they visit such as Facebook, Gmail etc and users won’t have any idea as the browser will show that the website is trusted.