Everyone with kids aged nine and above must be painfully aware of the highly addictive online game that became their single most popular post-school activity. And not just kids are playing it: teenagers, professional athletes, movie stars, and basically people with a lot of spare time all flock to Fortnite, the last-man-standing virtual battle simulation, spending dozens and sometimes hundreds of dollars to fund their insatiable appetite for more skins, more dance moves and more battle passes. Did anyone say V-Bucks?

Fraudsters have long recognized that Fortnite is a virtual island of opportunities. Making (criminal) money out of Fortnite is as easy as taking a lollypop from a child, because, well, many of the 78 million active gamers ARE pretty young. And not that folks the age of World Cup footballers are any less likely to fall for the myriad of Fortnite scams running wild these days. Trust me – those criminals are quite good. The game, whose developers already raked over a billion dollars this year, has certainly attracted a lot of cybercrime attention.

So – why don’t we take a look at some of the latest and greatest Fortnite cyber attacks?

In March this year, many Fortnite players realized their account has been compromised, and unauthorised charges amounting to hundreds of dollars have been made on their Epic Games accounts. Someone was playing using their credentials in areas of the game they haven’t purchased, or with battle passes they haven’t bought.

The trick is simple: first, compromise the user’s credentials through phishing, vishing (voice based phishing), or malware. Then, access the account from a new device, download the game, and use the payment mechanisms stored in the account to purchase additional virtual goods. Finally, sell the credentials in an auction site, claiming you’re the legit owner, you’ve got the most advanced gear and plenty of V-Bucks credit, but you’re no longer interested in the game – so the buyer can just go ahead, purchase the credentials, change the password if they really feel like it (most of them won’t), and have fun.

It should be noted that the game developers may soon - if they haven't already - use device binding to make sure only trusted devices can be used to order new V-Bucks or battle passes. But as the financial industry knows, trusted devices are... well... not to be THAT trusted.

And the same applies to two-factor authentication. In the UK, the entire banking market moved to 2-factor authentication ten years ago, and fraud levels still increase each year as a combination of malware, remote access and social engineering is being used to trick users to provide the 2-factor authentication code. And, about 80% of fraud is coming from trusted devices. So while it may help in the short term, protecting such a lucrative target will certainly take more than that. 

A much more basic attack on young children is a youtube clip showing how you can ‘make a lot of V-Bucks’. Kids may barge into your kitchen with super excited expressions on their little facing telling you they just uncovered this amazing clip allowing them to do just that. Those lead to fake sites asking for credentials, game verification codes, or just ads. There are also V-Bucks Generator sites, fake domains resembling the original developers’ sites, and social media campaigns leading to those bogus resources.

Before Fortnite was made available on iPhone, plenty of rogue apps pretending to be Fortnite popped up in the app store. Those normally have malicious capabilities, and some of them contain remote access features that allow taking over the user’s mobile device. The same thing also happened before the game was published on Android; Zscaer researchers found that one of the fake ups had over 4000 five star recommendations, making it a highly popular download. A good analysis of how rogue apps trick users can be found in Sophos’ Naked Security blog here.

With such a massive revenue stream and monthly growth, I’d be surprised if Fortnite developers aren’t going to invest in protecting their asset from attacks almost as if it were a bank or a crypto exchange. Kids need to trust the game, their parents need to trust it too, and reputation is perhaps the one thing in Fortnite you can’t buy with V-Bucks…

So, what best practices should you teach your kids around Fortnite?

• There are no free lunches. Any promise for free or discounted Fortnite goods or V-Bucks are fake
• Be careful when downloading apps from the app store or google play. There have been many fake Fortnite apps and they can do nasty things
• Don’t let anyone you don’t know to convince you to install an app on your mobile or PC – especially not in order to give you ‘remote assistance’ so they can fix something.
• If you use your account from a shared computer, log out after playing and don’t allow the school computer’s browser to save your password for the next person to use!
• Your account might be compromised, and daddy or mommy might be charged hundreds of dollars if you don’t keep your password safe. 
• Don’t give your password over the phone to anyone, don’t give it to any website except the Fortnite application itself. 
• While playing, avoid sharing information about yourself, family and any other private details to people you don’t know
• If Fortnite offers 2-factor authentication, use it - but ONLY give the code inside the app, never when someone else asks you to, even if it sounds really convincing!
• If you think someone is mis-using your account, ask your parents to report it to the game developers at their support page.