Imperva researchers estimate Fortnite scammers are earning nearly US$ 1 million annually through pay per click advertising by exploiting users eager to get free in-game currency.
Researchers identified campaigns which were described as being advanced in both their ‘marketing appeal' and their user interface looking to lure users into V-Bucks generators — a utility that supposedly creates free V-Bucks from thin air — and eventually tricks them into clicking on ads, according to a 26 July blog post.
"The entire scam revolves around leading users to the survey pools, promising free V-Bucks to motivate them to click on all the ads, and with each click, the site owner receives a payment," researchers said in the post. "Basing our calculations on a few hit sites, we estimate that one group of attackers has made over US$ 93,000 in the last month from this scam alone, according to data taken from SimilarWeb."
The threat actors disguise their motives and prevent site owners from deleting the spam they post by using several obfuscation methods. Many of the malicious URLs appear to lead to legitimate well-known sites and the pages that advertise the generator are hosted on innocent online services.
Once lured to the phishing pages, users are prompted to enter their username and are asked how much of the free currency they would like to receive before displaying a screen appearing to hack into the Fortnite Database but actually just running through the motions.
In the end, the user receives nothing and has potentially compromised their account while the threat actors are paid for the user's clicks.