Rainway CEO provides post-mortem on adware-riddled cheating program

Nearly 80,000 would-be cheaters who were looking to gain an advantage over their fellow Fortnite Battle Royale players have inadvertently infected their PCs with malware.

Since its launch in September last year, Fortnite has grown to become the world’s hottest video game, with an estimated 40 million players across PC, PlayStation, Xbox, and iOS.

Epic Games’ free-to-play title – a continuation of the hugely popular battle royale genre – sees 100 players drop in on an ever-shrinking map, collecting resources and weapons, and fighting it out to be the last person standing.

Cheat sheet

Fortnite’s popularity has been fueled by an active streaming community and celebrity-filled live events, but newcomers to the game are often disappointed at their lack of progress, as they are pitted against more experienced players.

In light of this issue (coupled with the fact that miscreants are constantly looking for ways to profit from the top stories of the day), sites such as YouTube have become awash with videos advertising ways to cheat and generate free ‘V-Bucks’ – the in-game virtual currency used to purchase cosmetic upgrades and other items.

It’s no surprise that these purported Fortnite hacks are all debunked as scams. Yet while most players are well aware of the risks associated with downloading programs housed on obscure sites, one in particular has been found to have been downloaded a whopping 78,000 times.

Make it rain

This latest piece of malware targeting Fortnite players was unveiled earlier this week by developers at Rainway, a streaming app that allows users to play PC games across different devices.

According to CEO Andrew Sampson, Rainway began receiving “hundreds of thousands” of error reports on June 26. After investigating the issue, the app’s engineers found one striking correlation: the errors were all coming from devices on which Fortnite had been played.

“Not being ones to believe in coincidence and armed with an idea, we set out to find the possible source of this mischief,” Sampson explained.

In an effort to find the source of the malware, Rainway downloaded hundreds of Fortnite ‘cheating’ programs being advertised on YouTube, and scoured the source code for references to the URLs the company had detected through error logging.

“After hours of painstaking searching, we struck oil,” Sampson said in his post-mortem of the malware.

“We finally found a match in a hack claiming to allow players to generate free V-Bucks and use an aimbot, two birds with one stone, how could someone resist?”

The Rainway team ran the program on a virtual machine and discovered that it immediately installed a root certificate on the device before reconfiguring Windows to proxy all web traffic through itself. In other words: a man-in-the-middle attack, which was being used to serve users malicious advertisements.

The eye of the storm

After discovering the malware-ridden cheat program, Rainway sent an abuse report to the file host. The software has now been removed, but only after it had been downloaded 78,000 times.

“We’ve also put out an alert to all infected users and increased our security by enabling certificate pinning, helping mitigate any future man-in-the-middle attacks,” said Sampson.

“In the future, we will alert users when we detect any foreign activity that we think could be a sign of an infection. In total, we received 381,000 reports.”

Wrapping up his post-mortem, Sampson said: “While it should go without saying, I think you should not download random programs. An excellent personal security tip is that if something is too good to be true, you’re probably going to need to reformat your PC.”
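
The certificate pinning Sampson mentions, sketched as an added example (this is not Rainway's code; the function names, the byte strings standing in for certificates and the choice to pin the leaf certificate's SHA-256 fingerprint are assumptions). The client still validates the chain, then rejects any certificate it was not shipped a pin for, so a root certificate added to the local trust store does not make an intercepting proxy's certificate acceptable.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: set) -> bool:
    """True only if the presented certificate is one the app shipped a pin for."""
    presented = fingerprint(der_cert)
    return any(hmac.compare_digest(presented, p.lower()) for p in pinned)


def connect_pinned(host: str, pinned: set, port: int = 443, timeout: float = 5.0):
    """Open a TLS connection and refuse it unless the leaf certificate is pinned.

    Chain and hostname validation against the default trust store run first;
    the pin comparison is the extra step a locally installed root cannot satisfy.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} matches no pinned fingerprint")
    return tls


# Constructed stand-ins for DER certificates, so the check runs offline.
GENUINE_CERT = b"constructed: leaf certificate of the real service"
INTERCEPT_CERT = b"constructed: leaf issued under a locally installed root"
PINS = {fingerprint(GENUINE_CERT)}  # shipped inside the application


def demo() -> dict:
    """Pin check for the real certificate and for an interceptor's certificate."""
    return {
        "genuine": pin_matches(GENUINE_CERT, PINS),
        "intercepted": pin_matches(INTERCEPT_CERT, PINS),
    }
```

Pinning the leaf certificate means the pin set has to be updated whenever the service rotates its certificate, which is why applications usually ship more than one pin.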

No such thing as free V-Bucks

Given its huge popularity around the world, Fortnite is a prime target for online criminals looking to leverage the brand to their advantage.

This latest scam follows reports last month that malware developers have been creating fraudulent Fortnite apps for Android devices.

And back in March we reported that hackers had been brute-forcing players’ Epic Games accounts in the hopes of gaining access to V-Bucks.

“We are aware of instances where users’ accounts have been compromised using well-known hacking techniques and are working to resolve these issues directly with those players affected,” an Epic Games spokesperson told The Daily Swig.

“Any players who believe their account has been compromised should reach out to our player support immediately.”

Following a spike in reports of attempted hacks against user accounts, Epic Games urged players to use unique passwords, be wary of websites offering free V-Bucks, and implement two-factor authentication (2FA).

“Epic continues to work with our customers who have been impacted by credential stuffing or brute force attacks,” the developer said.

“Epic has made 2FA available to protect against these attacks and therefore strongly encourages our users to enable it. Instructions can be found here.”

“We’d also like to remind players that visiting websites or clicking links claiming ‘free’ V-Bucks or in-game items is unsafe. We encourage players to guard their account information and not to trust third-party websites with their account information.”