Security researchers have found multiple US university websites, including those of MIT, Stanford, Amherst and Caltech among others, serving Fortnite and gift card spam. The targeted sites were running on either TWiki or MediaWiki, both wiki applications used to run collaboration platforms, knowledge or document management systems, knowledge bases and team portals. The latter also powers Wikipedia and multiple other Wikimedia websites.
The campaign was first spotted by Twitter user gonjxa, who found over a dozen university sub-domains hosting the spam, and was later confirmed by BleepingComputer. The fake wiki pages were likely uploaded by the spammers and lure readers into visiting fake websites that claim to offer free gift cards and Fortnite V-Bucks, along with other items such as cheats and digital collectables.
The sites go a step further and also act as phishing pages that can steal a visitor’s Fortnite login credentials by presenting a fake login form. Where Fortnite isn’t involved, the sites claim to offer free gift cards for Roblox, Google Play, PlayStation, Xbox, Amazon, iTunes, Nintendo Switch and Best Buy among other services in exchange for completing surveys.
As for the campaign itself, it extends beyond university websites running the aforementioned platforms and also targets some government websites, including mini-websites hosted by the Brazilian state government as well as the EU's europa.eu domain. In the latter's case, the spammers appear to be targeting the Europass e-Portfolio service, which allows European residents to create and upload CVs and cover letters in PDF format.
The identity of the threat actors and the exploit they are using are unknown at the time of writing. MediaWiki released security updates in March fixing multiple vulnerabilities in the platform. However, either the affected sites were not patched or the particular exploit being abused was not on the MediaWiki team's radar.
In the meantime, system admins of the affected sites are advised to sweep their websites for spam and malicious content, especially resources or assets containing keywords like "gift card", "Fortnite" and the like. Users are also advised to pay attention to any pages they come across on the impacted sites and not to visit any of the promoted websites.
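One way to carry out the sweep the article recommends is to export the wiki's pages and score each one for spam lures and external links. The script below is an added example and not code from the article or from the MediaWiki project; it assumes the administrator has produced a standard MediaWiki XML export (for instance via Special:Export), and the keyword list, scoring weights and threshold are assumptions chosen for illustration. The embedded export is constructed sample data.

```python
"""Sweep a MediaWiki XML export for gift-card / Fortnite spam pages.

Added example, not the article's or MediaWiki's own code. Assumes a
MediaWiki export (Special:Export / dumpBackup.php); the keyword list,
weights and threshold below are assumptions, not values from the article.
"""
import re
import xml.etree.ElementTree as ET

# Lures named in the article ("gift card", "Fortnite") plus a few related
# phrases commonly seen on survey-scam pages (assumption).
SPAM_KEYWORDS = [
    "gift card", "fortnite", "v-bucks", "vbucks", "free robux",
    "generator", "complete the survey", "no human verification",
]
# Hostnames of external links in wikitext, whether bracketed or bare.
EXTERNAL_LINK_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def score_page(text):
    """Return (score, keyword_hits, external_domains) for one page.

    Heuristic: each matched keyword counts 2, each distinct external
    domain counts 1. Spam pages typically combine both signals.
    """
    lowered = text.lower()
    hits = [kw for kw in SPAM_KEYWORDS if kw in lowered]
    domains = sorted({m.group(1).lower() for m in EXTERNAL_LINK_RE.finditer(text)})
    return 2 * len(hits) + len(domains), hits, domains


def sweep_export(xml_text, threshold=4):
    """Parse a MediaWiki export and return pages scoring >= threshold, highest first."""
    root = ET.fromstring(xml_text)
    # Exports use a versioned default namespace; derive it from the root tag.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda t: "{%s}%s" % (ns, t)) if ns else (lambda t: t)
    flagged = []
    for page in root.iter(q("page")):
        title = page.findtext(q("title"), default="")
        text = page.findtext(q("revision") + "/" + q("text"), default="") or ""
        # Title is scored too: spam pages usually carry the lure in the title.
        score, hits, domains = score_page(title + "\n" + text)
        if score >= threshold:
            flagged.append({"title": title, "score": score,
                            "hits": hits, "domains": domains})
    flagged.sort(key=lambda p: p["score"], reverse=True)
    return flagged


# Constructed sample export: one legitimate page, one spam page, one empty-ish page.
SAMPLE_EXPORT = """<mediawiki xmlns="http://www.mediawiki.org/xml/export-0.10/" version="0.10">
  <page><title>Lab safety</title><revision>
    <text>Wear goggles. See [https://example.edu/safety the policy].</text></revision></page>
  <page><title>Free Fortnite V-Bucks Generator</title><revision>
    <text>Get FREE V-BUCKS and a gift card! No human verification, just complete the survey
    at http://free-vbucks.invalid/claim and http://giftcard-promo.invalid/go</text></revision></page>
  <page><title>Meeting notes 2023-04</title><revision><text>Agenda: budget.</text></revision></page>
</mediawiki>"""

if __name__ == "__main__":
    for page in sweep_export(SAMPLE_EXPORT):
        print("%3d  %-40s hits=%s domains=%s"
              % (page["score"], page["title"], page["hits"], page["domains"]))
```

Run it against a real export with `sweep_export(open("export.xml").read())`; review the flagged titles and the listed domains by hand before deleting anything, since legitimate pages with many external references can score above the threshold on links alone.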