The fraud generally centers around V-Bucks, the in-game currency that players use to purchase various items and upgrades. V-Bucks cost real money; Fortnite is free to play but reportedly raked in a billion dollars in revenue by May for Epic Games, a significant chunk of which came from in-app purchases. Scammers typically try to lure people who’d rather not pay up, offering “V-Cash generators” and fake coupons in exchange for personal information, credit card numbers, or ad clicks that generate revenue for the crooks.
“The biggest thing that surprised us was the professionalism that went into some of these websites, where they would design some of these V-Bucks sites with a lot of skill,” says Allen. “They made it look really legitimate, they had awesome user experiences, and as you go deep into those things, they made it really hard for people to differentiate between what was legitimate and what was not.”
The sites generally encourage visitors to click ads in order to unlock V-cash, which never materializes. Some of them deploy clever tricks, too, to appear not just valid but active, with fake messages from pretend Fortnite fans appearing onscreen or fake comment sections full of phony satisfied customers.
The domains also often had security certificates issued by Let’s Encrypt, which simply means that they provide encrypted connections. It’s a popular technique among scammers, because it makes any site appear safe, regardless of its actual intentions. “The issue here is not that phishing sites have certificates and use HTTPS,” says Let’s Encrypt head Josh Aas. “All websites, including phishing sites, should use HTTPS. The issue is that lock icons in browsers are misleading. Some people incorrectly interpret lock icons as a sign that a site’s content is safe or trustworthy, and that’s a completely separate issue from whether or not the connection is secure. “
The fortnite free v bucks generator navetic gaming scams ZeroFox tracked also stand out for their coordinated approach. “The more interesting ones that we found redirected from one social network to another. We’ve seen a lot of videos that would be linked from a post on Facebook, going to a video on YouTube, which then would link to a phishing or a scam domain,” says Allen. “It’s like they tried to connect a lot of these things to provide more of a sense of legitimacy to the victims. It builds trust.”
And while Fortnite scams have spread steadily for months, they lately seem to come in waves, says Ben Herzberg, head of threat research for security firm Imperva, which has also tracked these campaigns. That includes a recent surge around Labor Day and another at the end of last week. The platforms are generally responsive when alerted to these threats, but don’t expect them to disappear anytime soon. The domains are too hard to shut down, and the racket is too lucrative. In July, Imperva suggested that Fortnite scammers are on track to collectively haul in over a million dollars in 2018.