A hot potato: Being among the most played games on the market has made Roblox and Fortnite prime targets for scams and cyberattacks, and their popularity among kids has made them especially desirable for cybercriminals. A recent report found fraudulent links targeting Roblox and Fortnite players hidden on dozens of .gov and .org domains, promising free in-game content in exchange for personal information.
Security researchers at multiple organizations have revealed a wide-reaching cyber scam campaign hiding malicious links in search results and websites that should be trustworthy. Wired notes that the schemes include fraudulent offers related to many popular services. The most alarming are advertisements for free Roblox and Fortnite rewards targeting the youngest players.
The scams are designed to appear as highly-ranked search results when users search for things like free skins and currency for Fortnite, Roblox, and other online games. The bogus results lead to PDFs containing links that take users through a labyrinth of pages asking for their username and operating system in exchange for "generators" granting free rewards. They also often ask users to complete surveys, enter personal information, or download apps.
Some appear to be fishing for account information or juicing advertising numbers, while others lead to malware, with most written to target kids. Researchers at Human Security found that the PDFs had infected dozens of .gov and .org domains. At least one, for instance, belonged to the New York State Department of Financial Services.
Online games with microtransactions and extremely young userbases have long been targets for abuse. Last year, cybersecurity company Kaspersky found that Minecraft, Roblox, and FIFA suffered more cyberattacks than any other games. Over 200,000 users downloaded and installed a Google Chrome extension advertising itself as a Roblox utility, but it was just a cleverly disguised backdoor used to steal user credentials.
Researchers linked the malicious PDF scam to servers owned by a US-registered advertising company called CPABuild. Searching the firm's name brings up YouTube guides for how to make fast profits by building pages with CPABuild's tools, many offering free in-game content or currency.
Epic Games stresses that there is no legitimate way for players to sell, gift, or trade V-Bucks – Fortnite's in-game currency. Roblox's developers also advise users that the platform doesn't allow the exchange of its Robux currency through third-party channels and that any pages offering them for free are likely scams. Parents with children who play Roblox, Fortnite, or other popular games with microtransactions should warn them to be careful where they enter their credentials.