The websites of several American universities are serving Fortnite and “gift card” spam.
Researchers observed that wiki and documentation pages hosted by universities including Stanford, MIT, Berkeley, UMass Amherst, Northeastern and Caltech, among others, were compromised.
BleepingComputer confirmed that the malicious campaign was online and targeted other school websites, including that of the University of Michigan.
Malicious campaign hacks university wikis
This week, Twitter user g0njxa identified more than a dozen subdomains belonging to prominent American universities that spread Fortnite spam.
These websites appear to be running TWiki or MediaWiki, the latter being a CMS platform that powers Wikipedia and several Wikimedia websites.
These wiki pages, allegedly uploaded by spammers, lure readers to fake sites that claim to offer “free gift cards”, “Fortnite Bucks” and cheats, among other digital artifacts.
However, these domains load fake Fortnite pages which are actually phishing forms prompting users to provide credentials.
In other cases, BleepingComputer observed, these sites promised users gift cards in exchange for fake surveys.
Europass also abused
Although the malicious campaign primarily targeted academic websites built with MediaWiki, it appears that some government websites were also hit by the same threat actors.
These included mini-sites hosted by a Brazilian state government as well as the European Union's Europa.eu.
More specifically, in the case of Europa.eu, spammers appear to be abusing the Europass electronic portfolio service, a job search portal that allows future European residents to create and upload their CVs and cover letters in PDF format.
It is still unclear which exploit the threat actors are using to upload spam pages and PDF documents to websites belonging to legitimate organizations.
Last month, MediaWiki published security updates fixing several vulnerabilities in the platform, but none seem directly relevant to the ongoing malicious campaign.
BleepingComputer continues to investigate the cause of the problem.
MediaWiki and TWiki system administrators should scan their websites for spam and malicious content, especially resources containing keywords such as “gift card”, “Fortnite”, etc.
Users should refrain from clicking on suspicious links in compromised Wiki pages.
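One way to run the administrator scan recommended above, as an added example that is not part of the original article: it assumes the wiki's pages have been exported in MediaWiki's XML dump format (for example via Special:Export or dumpBackup.php) and flags pages whose title or latest text contains the article's keywords. The sample export, the host names and the `scan_export` helper are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

KEYWORDS = ["gift card", "Fortnite"]   # keywords named in the article
URL_RE = re.compile(r"https?://[^\s\[\]|<>]+")

# Constructed sample in MediaWiki XML export format (not real data).
SAMPLE_EXPORT = """<mediawiki xmlns="http://www.mediawiki.org/xml/export-0.10/">
 <page><title>Lab meeting notes</title><ns>0</ns>
  <revision><contributor><username>Alice</username></contributor>
   <text>Agenda for Tuesday: https://wiki.example.edu/Agenda</text></revision></page>
 <page><title>Free-Gift-Cards generator</title><ns>2</ns>
  <revision><contributor><ip>203.0.113.7</ip></contributor>
   <text>FORTNITE bucks: [https://spam.example.net/claim click here]</text></revision></page>
</mediawiki>"""

def keyword_regexes(keywords):
    # "gift card" should also match "giftcard", "gift-cards" and "Gift_Card".
    return {kw: re.compile(r"[\s_\-]*".join(map(re.escape, kw.split())), re.I)
            for kw in keywords}

def local(tag):
    # The export schema version varies between releases, so ignore the namespace.
    return tag.rsplit("}", 1)[-1]

def scan_export(xml_text, own_hosts=(), keywords=KEYWORDS):
    """Return one finding per page whose title or latest text hits a keyword."""
    regexes = keyword_regexes(keywords)
    findings = []
    for page in ET.fromstring(xml_text).iter():
        if local(page.tag) != "page":
            continue
        fields = {}
        for el in page.iter():          # later revisions overwrite earlier ones
            fields[local(el.tag)] = el.text or ""
        title, body = fields.get("title", ""), fields.get("text", "")
        hits = [kw for kw, rx in regexes.items() if rx.search(title + "\n" + body)]
        if not hits:
            continue
        hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
        findings.append({"title": title, "keywords": hits,
                         "editor": fields.get("username") or fields.get("ip", ""),
                         "external_hosts": sorted(hosts - set(own_hosts))})
    return findings

if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT, own_hosts={"wiki.example.edu"}):
        print(f)
```

Each finding lists the external hosts the page links to and the last editor, which helps separate injected spam from legitimate pages that merely mention a keyword.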
Thanks to Threat Intelligence Analyst Gi7w0rm for the tip.