Scammers adapt quickly to new trends, exploiting them to lure new victims. An example that has gained notoriety in recent weeks: web sites promoting fraudulent Fortnite offers. Fortnite is a popular video game and is being used by cybercriminals as an enticement to misappropriate user data.
Companies generally seek data that can help them design new products or tailor their marketing campaigns. Cybercriminals also have their ways of collecting data, but they use it to design more successful attack vectors (the path or means hackers use to gain access to a computer or network) so they can steal addresses at which they can contact users directly.
How do cybercriminals pull it off?
One tactic consists of sending fraudulent offers for popular products in viral messages that are sent over instant messaging applications. The current scam works by offering free battle passes and gifting V-Bucks, the Fortnite in-game currency.
Once the user clicks the link, the browser opens a web page that contains a questionnaire to be filled out before any “prize” is sent.
Once all the questions have been answered, the responses are processed, and the user is congratulated for having won the prize. However, when the button to claim the prize is clicked, a notification is displayed indicating that the survey must be shared with at least ten of the user's WhatsApp contacts. Unfortunately, the user never receives the promised prize, regardless of how many times he or she shares the offer.
What’s the problem? I haven’t answered any personal questions
On the face of it, it might appear that we have only lost time, because we haven’t provided any personal information (or received the prize). However, this isn't the case. From the moment participants click on the link, they are handing over data about their IP address (the Internet address or the Wi-Fi network being used) and the device used to complete the form, among other data points.
In this specific scam, the web page is a blog created on Google’s Blogger platform, which uses various cookies, meaning small browser files that hold session or browsing data and interactions and that can be integrated with Google Analytics. Because the page is loaded in a web browser, the site can potentially log the connection's IP address.
In the event that the same Google user tries to “claim the prize” using his/her other devices, he or she will be revealing data about the other devices that belong to the same user.
These tactics are commonplace in the world of advertising and there are various tools that can be used to achieve the same end; the problem in this case is that the scam uses fake enticements and non-original domains, so this data is being delivered to an imposter. As a general rule, these cybercriminals use the data to learn which devices and IP addresses people use, allowing them to subsequently launch technical attacks that exploit vulnerabilities in devices with out-of-date software versions.
How can these attacks be spotted?
Cybercriminals view this activity as an investment, so they are increasingly careful in their approach, and the pages they use are becoming more and more official-looking. Nonetheless, they can be identified with some simple checks that require neither much time nor knowledge.
- Be wary of links that offer too-good-to-be-true offers or viral messages.
- Verify the authenticity of links (and their domains). In this example, you can see there is no match:
  - The link in the message. It is a shortened address: http://fornitebucks.dhsurl.com (domain dhsurl.com)
  - URL of the link. It’s an external blog: https://fortnitefreevbucksd.blogspot.com (domain blogspot.com)
  - The official Fortnite website can be easily found in any standard browser: https://epicgames.com/fortnite/es-ES/home (domain epicgames.com)
- If by some chance you access the site, you may come across a comments and ratings page that imitates Facebook but is fake. In more professional-looking cases, this page is built within the blog itself but has no links and does not let you add comments; in many cases, the comments field is just an image.
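
The domain comparison from the list above can be automated. The following is an added example, not part of the original article: it extracts the host a browser would really connect to and checks it against the official domain named above. The allowlist and the two lookalike links under the reserved .example suffix are constructed assumptions; the script only inspects the link text and does not follow shortened addresses.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only domain treated as official is the
# one the article names for Fortnite.
OFFICIAL_DOMAINS = {"epicgames.com"}


def link_host(url: str) -> str:
    """Return the lowercase host a browser would actually connect to."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web link: {url!r}")
    # .hostname drops any "user@" prefix and the port, so a link written as
    # https://epicgames.com@other.example resolves to other.example.
    return parts.hostname.rstrip(".").lower()


def is_official(url: str, official=OFFICIAL_DOMAINS) -> bool:
    """True only if the host is an official domain or a subdomain of one."""
    try:
        host = link_host(url)
    except ValueError:
        return False
    # Match whole labels from the right: "epicgames.com.blogspot.com" and
    # "notepicgames.com" must not pass as "epicgames.com".
    return any(host == d or host.endswith("." + d) for d in official)


if __name__ == "__main__":
    links = [
        "http://fornitebucks.dhsurl.com",            # link in the message
        "https://fortnitefreevbucksd.blogspot.com",  # page it leads to
        "https://epicgames.com/fortnite/es-ES/home", # official site
        # Constructed lookalikes (not from the article):
        "https://epicgames.com.free-prizes.example/claim",
        "https://epicgames.com@free-prizes.example/",
    ]
    for link in links:
        verdict = "official" if is_official(link) else "NOT official"
        print(f"{link_host(link):40} {verdict}")
```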
How can you stay safe?
As we have seen, this type of attack seeks to collect data and largely does so by using cookies that supply data when a link is merely clicked on. This is why we should:
- Repeat the mantra that not everything on the Internet is what it seems to be. Avoid clicking on links that you have not verified.
- Have updated antivirus software installed and active on all devices: computers, tablets, and phones.
- Periodically delete cookies and search histories on your devices.
- Get into the habit of regularly changing your passwords for the Internet-based services you use and on your Internet-connected devices, including IoT (Internet of Things) devices.
Stay alert for possible scams and don’t share them with your acquaintances. Remember: You are the best defense!