Over a one month period from early September to early October, the ZeroFox team has generated over 53,000 alerts related to Fortnite scams. Of those alerts, an overwhelming majority, 86%, were generated from social media, with 11% coming from web domains and a little over 2% coming from Youtube. Considering the scope and reach of these scams and the average age of Fortnite players, understanding what these scams are, where they occur and how users can protect themselves is critical.
If there is a gamer in your inner circle, or you are one yourself, you’ve no doubt heard of Fortnite, the multiplayer game that has taken over the world for the last two years. With an estimated 43 million players, and growing, (that number is based on Jan 2018 figures), Fortnite is played by gamers of all ages. While technically the age requirement to play the game is 12 years old, there have been reports of children as young as 5 or 6 years old taking part. Issues of exposure to violence and graphic images aside, a big risk of allowing children of any age to play the game? Falling victim to scams.
The ZeroFox team has been hard at work identifying and remediating these scams across social media, mobile and digital platforms, which are targeting players of all shapes and sizes, from younger family members to organizations’ employees. Here’s what we’ve found.
Fortnite is free, so how do they make money?
New players looking to try out Fortnite for the first time will find that it’s free to play up front. This has been a driving force for many gamers, particularly young ones, to flock to it. Similar to many free games you see in the App Store or otherwise, there is the opportunity for in-game purchases. This is where Fortnite makes most of its money, and also where scammers have found success.
Called “V-Bucks,” this in-game currency allows players to buy items and “skins” (Fortnite lingo for how the players look in the game). While individual transactions cost only a few dollars, it’s clear that those few dollars add up: Fortnite is making an estimated $300 million a month on these in-game purchases.
V-Buck Scams 101
For players looking to save a few bucks or children whose parents won’t fund their gaming venture, they may be tempted to look for discounts or even “free” ways of earning V-Bucks to use in the game. It’s at this point that we want to be very clear: the only place you can get V-Bucks is through the Fortnite game itself, either through direct purchase or gameplay. There is no magic coupon site or online treasure trove of free V-Bucks. Yet, that hasn’t stopped bad actors from creating fake coupon sites and “V-Buck generators” to lure innocent players into sharing personal information, ranging from their Fortnite usernames and passwords to their credit card information and home addresses. Let’s take a look at what these scams are, how to identify them and how to make sure you (or someone you know) does not fall victim to them.
“V-Buck Generators” are hosted on sites that are similar in look and feel to Fortnite itself, particularly where you would purchase V-Bucks within the game. Here’s an example of how these work:
1. The player is prompted to enter their Fortnite username and password. The interface intentionally looks similar to the Fortnite platform.
2. The player is asked to verify that they are a human.
3. Human verification includes completing surveys or forms that collect personal information, including addresses, phone numbers, and credit card information.
Using domains that contain the word “Fortnite” and words like “gift” or “free” trick players into assuming that the sites are associated with the game itself. These often offer the ability to redeem free V-Bucks. This typically prompts the player to, at a minimum, click a link, and often fill out a form with their personal information.
As you can see in the image above, these V-Buck Generators also often encourage sharing with friends, further spreading the reach of this scam. With each share, players “earn” additional V-Bucks, and bad actors earn new information on the players. Through ZeroFox’s research, we’ve identified over 4,770 live domains related to these kinds of scams – and the number continues to grow.
YouTube Video V-Buck Scams
One platform that we have seen Fortnite V-Buck scams hosted is Youtube. Combined with promotion on other social media networks, these videos rely on clickbait to encourage views and shares.
Videos like the one above demonstrate ways “ to get free V-Bucks.” The link shown in the YouTube video above is malicious, leading to a form requiring the player to input their Fortnite username. After “loading” their information, the site prompts the player to complete a “quick and easy offer” to prove they are a human and not a web scraper bot. These “offers” include activities like watching a video through its entirety, or entering for a chance to win an iPhone X.
At the end of each “offer,” a link is provided to access the free V-bucks. This link brings us full circle to the domains discussed in the section above, further encouraging the user to share with friends and disclose personal information. Based on ZeroFox’s research, we found over 1,390 videos like the example above with a combined millions of views. These videos continue to be produced and their viewership continues to grow.
Social Media V-Buck Scams
Promotion for scams hosted on domains and YouTube are often first leveraged widely across social media. In recent months, social media has become a breeding ground for V-Buck Generator promotion. Since September 2018, the ZeroFox platform has generated 100s of alerts every day on social media posts with links to a single Fortnite scam website shown in our first example, fortnite-gifts.
Posts show bad actors relying on financial gain as a motivator to encourage unsuspecting players to share valuable personal information. Phrases like, “make quick money,” or “earn easy cash” should be major red flags for any user. Another important reminder is that if it seems too good to be true, it probably is.
Android Mobile App Scam
Beyond V-Buck generators, scammers have looked for other ways to capitalize on Fortnite players. While Fortnite has created a mobile app for the Apple Store, they have yet to do the same for the Google Play store. Instead, Fortnite provides a downloadable version of the popular game through their website, fortnite.com/android. This website is the safest way for Android players to download the game.
However, this has created a prime opportunity for scammers to create fake Android Fortnite apps as well as fraudulent websites prompting players to “download” the Fortnite app. Despite Fortnite’s best attempts to circumvent players from using these fraudulent websites through their forums and support, players continue to fall victim to these kinds of scams daily.
In a single month, the ZeroFox team generated thousands of examples of Fortnite scams across social media and digital platforms. These scams are directly targeting innocent players and could be affecting your employees, customers, family and friends. As with anything you do online, make sure to do your due diligence before sharing a username, credit card numbers or any other personal information. Play safe and stay secure!