Fortnite is the most popular game right now; it’s a genuine cultural phenomenon that is sweeping the world. Sadly, where there is a popular channel there will always be malicious actors. Today we want to diverge from our usual tech and vision blogs and share with you a journey of something surreal.

On the early morning of June 26th, we began receiving hundreds of thousands of error reports to our tracker. Not feeling very excited to see such an influx of events on a Tuesday the engineering team was a bit flustered, after all, we hadn’t released any updates to that particular piece of our solution.

It became pretty clear soon after that this new flood of errors was not caused by something we did, but by something someone was trying to do.

Well… That’s peculiar

These are attempts to call various ad platforms; the first thing we should note is Rainway does not have ads on it which was an immediate red flag. The first URL, in particular, is JavaScript which is attempting to act and running into an error, triggering our logging. For security and privacy reasons we’ve always whitelisted URLs and the scope of what they can do from within Rainway — it seems now it has the unintended side effect of shining a light on a much broader issue.

We ruled out immediately that we had been compromised in some way and began to see malicious adware was attacking these users. Usually, we’d brush this off, one user being infected isn’t all that surprising, but user after user we saw a trend happening, and we could only ask, what was the source?

As the errors kept flowing in we took a glance at what these users had in common; they didn’t share any hardware, their ISP’s were different, and all of their systems were up to date. However, one thing did stand out — they played Fortnite.

This isn’t all that surprising, as mentioned Fortnite is one of the most popular games not just in the world, but also on Rainway itself, clocking in tens of thousands of hours. Not being ones to believe in coincidence and armed with an idea, we sat out to find the possible source of this mischief.

Heading over to YouTube and searching for Fortnite hacks, you’ll find hundreds of videos advertising ways to cheat and generate free in-game currency.

This isn’t all that uncommon, and you can find similar videos for almost every popular game; however, they go unchecked for the most part. They rake in hundreds of thousands of views all while serving up various adware and scams.

We downloaded hundreds of programs, all claiming to do something to help a player get ahead. While they were all indeed malicious, we were looking for a specific one. We created a small utility to help us sift through all these programs to find references to the URL’s we were detecting through error logging. After hours of painstaking searching, we struck oil.

Dear diary, jackpot!

We finally found a match in a hack claiming to allow players to generate free V-Bucks and use an aimbot, two birds with one stone, how could someone resist?

We then spun up a virtual machine and ran the hack, it immediately installed a root certificate on the device and changed Windows to proxy all web traffic through itself. A successful Man in the Middle Attack.

Now, the adware began altering the pages of all web request to add in tags for Adtelligent and voila, we’ve found the source of the problem — now what?

We began by sending an abuse report to the file host, and the download was removed promptly, this was after accumulating over 78,000 downloads. We also reached out to Adtelligent to report the keys linked to the URLs. We have not received a response at this time. SpringServe quickly worked with us to identify the abusive creatives and remove them from their platform.

We’ve also put out an alert to all infected users and increased our security by enabling certificate pinning, helping mitigate any future MiTM attacks. In the future, we will alert users when we detect any foreign activity that we think could be a sign of an infection. In total, we received 381,000 reports.

While it should go without saying, I think you should not download random programs. An excellent personal security tip is that if something is too good to be true, you’re probably going to need to reformat your PC. It is hard to outright prevent people from being malicious, but that doesn’t mean its hard to prevent spread.

Epic could do a better job at educating their users on these malicious programs and helping them understand how airtight Fortnites systems are at preventing cheating. I’d also recommend they spend more time moderating YouTube to help take down these videos to avert a countless number of people from pwning themselves. Sometimes the allure of cheating is powerful, and a strong presence is needed to help push people in the right direction.