University websites using MediaWiki, TWiki hacked to serve Fortnite spam


Websites of multiple U.S. universities are serving Fortnite and ‘gift card’ spam.

Researchers observed Wiki and documentation pages being hosted by universities including Stanford, MIT, Berkeley, UMass Amherst, Northeastern, Caltech, among others, were compromised.

BleepingComputer confirmed the malicious campaign was live, and had targeted additional scholastic websites including that of the University of Michigan.

Malicious campaign hacks university wiki sites

This week, Twitter user g0njxa identified over a dozen sub-domains belonging to prominent U.S. universities that are serving Fortnite spam.

These websites appear to be running either TWiki or MediaWiki—the latter being a CMS platform that powers Wikipedia and multiple Wikimedia websites.

Stanford Wiki site serving spam
Stanford ‘Protege’ project’s wiki site serving Fortnite spam (BleepingComputer)

These wiki pages, purportedly uploaded by spammers, lure readers into visiting bogus sites that claim to be offering ‘free gift card,’ ‘Fortnite Bucks,’ and cheats, among other digital artifacts.

These domains, however, load fake Fortnite pages that are effectively phishing forms prompting users for credentials: 

Fortnite spam domain
Homepage of a Fortnite spam domain asks for ‘username’ (BleepingComputer)

In other cases, BleepingComputer observed, these sites promised users gift cards in exchange for completing bogus surveys: 

bogus survey sites
Destination page asks users to complete ‘surveys’ and earn gift cards (BleepingComputer) 

Europa’s Europass also abused

Although the malicious campaign has primarily targeted university websites built with MediaWiki, it seems some government websites were also hit by same threat actors.

These included mini-sites hosted by a Brazilian state government, as well as European Union’s Europa.eu.

Specifically, in Europa.eu’s case, it appears spammers are abusing the Europass e-Portfolio service—a job search portal that enables prospective European residents to create and upload their CVs and cover letters as PDFs:

Europa.eu Europass website serving Fortnite spam in PDF
Europa.eu Europass website serving Fortnite spam in PDF

It remains unclear what exploit are threat actors leveraging to upload spam pages and PDF documents to websites belonging to legitimate organizations.

Last month, MediaWiki released security updates fixing multiple vulnerabilities in the platform but none seem directly relevant to the ongoing malicious campaign.

BleepingComputer is continuing to investigate the cause of the issue.

MediaWiki and TWiki sysadmins should sweep their websites for spam and malicious content, especially resources containing keywords like ‘gift card,’ ‘Fortnite,’ etc. 

Users should refrain from clicking suspicious links within the compromised Wiki pages.

We thank threat intelligence analyst Gi7w0rm for the tip off. 





Source link