Game streaming service Rainway recently discovered adware plaguing over 78,000 Fortnite players. Rainway is a game streaming client installed on your PC that will stream your games to other devices using an internet connection. The platform itself includes a tracker that records error reports for the engineering team. To their surprise, hundreds of thousands of these reports began appearing on June 26, raising a red flag.
“Not feeling very excited to see such an influx of events on a Tuesday the engineering team was a bit flustered, after all, we hadn’t released any updates to that particular piece of our solution,” says Rainway CEO Andrew Sampson. “It became pretty clear soon after that this new flood of errors was not caused by something we did, but by something someone was trying to do.”
After examining the reports, the team noticed calls to various advertisement platforms. Given Rainway doesn’t include ads, they dug deeper and discovered that JavaScript was attempting to grab advertisements but couldn’t because only specific web addresses are whitelisted by the platform. The resulting JavaScript errors are what flagged the Rainway team.
A further examination confirmed that the problem had nothing to do with the Rainway platform itself. That pushed the team to seek out a common factor. Since customers have different hardware configurations and internet service providers, the only common factor in the error reports was Fortnite. More specifically, a Fortnite hack.
The beauty of PC games is that many can be modified. The dark side of this benefit is that hackers will take advantage of gamers wanting cheats, cool weapons, and armor. The team jumped on YouTube, discovered who and what hacks you can download for Fortnite, and installed “hundreds.” Most were malicious, but the team sought after one specific hack.
Ultimately, they struck gold. The offensive hack promised free V-Bucks (the in-game currency) and an auto-aim component. The team created a virtual machine and installed the hack to see adware route all internet traffic through itself. The result was a man-in-the-middle attack that generated web page requests containing tags for Adtelligent.
Sampson says Fortnite players downloaded the fake mod more than 78,000 times before it was pulled by the file host due to Rainway’s report. The team also contacted video ad serving platform SpringServe to identify the “abusive creatives” and Adtelligent to report the ad-based keys linked to the internet addresses.
“We’ve also put out an alert to all infected users and increased our security by enabling certificate pinning, helping mitigate any future MiTM attacks,” Sampson says. “In the future, we will alert users when we detect any foreign activity that we think could be a sign of an infection.”
Ultimately, Rainway received 381,000 reports stemming from the malicious Fortnite mod.
As Sampson points out, if something you download seems too good to be true, you may end up reformatting your PC. Mods are great for PC gaming, but only through controlled platforms that examine the legitimacy and safety of these user-created modifications. Not everyone has good intentions.
