Websites from several universities, including Stanford, Berkeley, and the Massachusetts Institute of Technology, have been found to be spreading phishing spam related to the game Fortnite, as well as offering fake “gift cards”. It appears that resources running on TWiki and the MediaWiki CMS have been massively attacked.
The first to spot the massive compromise of university resources was an information security researcher known by the nickname g0njxa. He reported that dozens of subdomains of well-known educational institutions in the United States had begun to distribute spam related to Fortnite.
According to Bleeping Computer, the affected resources are powered by TWiki or MediaWiki, the latter being a CMS that powers Wikipedia and a number of Wikimedia sites.
Hacked Wikis lure readers to phishing sites, where they are offered free gift cards in exchange for participating in bogus surveys, Fortnite’s in-game currency, and various cheats. In reality, these pages are phishing forms that ask for and steal user credentials.
Journalists have stated that while the malware campaign primarily targets MediaWiki-powered university websites, government websites appear to be affected by the same hackers. These include mini-sites of the Brazilian government and the European Europa.eu. In the case of Europa.eu, spammers are exploiting the Europass e-Portfolio service, a job search portal that allows EU residents to create PDF resumes and cover letters.
It is not yet clear which exploit the attackers are using to upload spam pages and PDF documents to Wiki sites. Last month, MediaWiki released patches that fixed many vulnerabilities, but none of these patches are clearly linked to the ongoing malware campaign.
Researchers strongly recommend that MediaWiki and TWiki administrators check their sites for spam and malicious content. It is advisable to search using keywords such as “gift card”, “Fortnite”, and so on.
