Websites of multiple U.S. universities are serving Fortnite and ‘gift card’ spam.
Researchers observed that wiki and documentation pages hosted by universities including Stanford, MIT, Berkeley, UMass Amherst, Northeastern, and Caltech, among others, were compromised.
BleepingComputer confirmed the malicious campaign was live, and had targeted additional scholastic websites including that of the University of Michigan.
Malicious campaign hacks university wiki sites
This week, Twitter user g0njxa identified over a dozen sub-domains belonging to prominent U.S. universities that are serving Fortnite spam.
These websites appear to be running either TWiki or MediaWiki—the latter being a CMS platform that powers Wikipedia and multiple Wikimedia websites.
These wiki pages, purportedly uploaded by spammers, lure readers into visiting bogus sites that claim to be offering ‘free gift card,’ ‘Fortnite Bucks,’ and cheats, among other digital artifacts.
These domains, however, load fake Fortnite pages that are effectively phishing forms prompting users for credentials.
In other cases, BleepingComputer observed, these sites promised users gift cards in exchange for completing bogus surveys.
Europa’s Europass also abused
Although the malicious campaign has primarily targeted university websites built with MediaWiki, it seems some government websites were also hit by the same threat actors.
These included mini-sites hosted by a Brazilian state government, as well as the European Union’s Europa.eu.
Specifically, in Europa.eu’s case, it appears spammers are abusing the Europass e-Portfolio service—a job search portal that enables prospective European residents to create and upload their CVs and cover letters as PDFs.
It remains unclear what exploit the threat actors are leveraging to upload spam pages and PDF documents to websites belonging to legitimate organizations.
Last month, MediaWiki released security updates fixing multiple vulnerabilities in the platform, but none seem directly relevant to the ongoing malicious campaign.
BleepingComputer is continuing to investigate the cause of the issue.
MediaWiki and TWiki sysadmins should sweep their websites for spam and malicious content, especially resources containing keywords like ‘gift card,’ ‘Fortnite,’ etc.
Users should refrain from clicking suspicious links within the compromised Wiki pages.
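As an added example (not from the article or from the MediaWiki project), here is one way to run the keyword sweep recommended above over the new-page entries of a MediaWiki recent-changes API reply. The sample reply, user names and timestamps are constructed, and the keyword list is limited to the two terms the article names.

```python
import json
import re
import unicodedata

# Keywords named in the article; extend the tuple for your own sweep.
KEYWORDS = ("gift card", "fortnite")
# One pattern per keyword: optional space between words, optional plural "s".
PATTERNS = {kw: re.compile(r"\b" + " ?".join(map(re.escape, kw.split())) + r"s?\b")
            for kw in KEYWORDS}

# Constructed sample, shaped like a MediaWiki Action API reply to
# action=query&list=recentchanges&rctype=new&rcprop=title|user|timestamp|comment
SAMPLE_RESPONSE = json.dumps({"query": {"recentchanges": [
    {"type": "new", "title": "CS101/Lecture notes", "user": "Jdoe",
     "timestamp": "2022-01-10T09:12:00Z", "comment": "week 2 slides"},
    {"type": "new", "title": "Free_FORTNITE-Bucks generator", "user": "Example1",
     "timestamp": "2022-01-11T03:40:10Z", "comment": ""},
    {"type": "new", "title": "User:Example2/offer", "user": "Example2",
     "timestamp": "2022-01-11T03:41:55Z",
     "comment": "free \uff27\uff49\uff46\uff54Cards here"},  # full-width "Gift"
    {"type": "new", "title": "Fortran style guide", "user": "Asmith",
     "timestamp": "2022-01-11T08:05:30Z", "comment": "initial draft"},
]}})


def normalize(text):
    """Fold case, Unicode look-alikes and separators: 'Gift_Card' -> 'gift card'."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"[\W_]+", " ", folded).strip()


def flag_spam(response_text):
    """Return (title, user, timestamp, keywords) for each change matching a keyword."""
    changes = json.loads(response_text).get("query", {}).get("recentchanges", [])
    hits = []
    for change in changes:
        # Spam text can sit in the page title or in the edit summary.
        haystack = normalize(change.get("title", "") + " " + change.get("comment", ""))
        matched = sorted(kw for kw, pat in PATTERNS.items() if pat.search(haystack))
        if matched:
            hits.append((change.get("title"), change.get("user"),
                         change.get("timestamp"), matched))
    return hits


if __name__ == "__main__":
    for title, user, ts, matched in flag_spam(SAMPLE_RESPONSE):
        print(f"{ts}  {user:<10} {title!r}  matched={matched}")
```

Titles and edit summaries only catch spam that advertises itself there; page bodies and uploaded files need the same normalization applied to their text.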
We thank threat intelligence analyst Gi7w0rm for the tip-off.