Hey guys, welcome back. I have another episode for you. I got two articles to talk about, both game related. We have one from Bleeping Computer and one from Dark Reading, both involving video games. One is about the FTC distributing 72 million in Fortnite refunds. And the other is about a cryptocurrency game, or crypto game, that is being exploited to pretty much steal money.
But it’s not by the developer, and you’ll see what I mean when I talk about it today. We’re facing an unprecedented array of data breaches, hacking attempts, and surges in digital crime. Why is there such a widespread amount, and how little is noticed in our everyday lives? Malware, dark sites, brute forcing, zero days, script kiddies, and nation state hackers are all on the rise. Learn more about the threats we face and gain a bit more knowledge than yesterday. Hey everyone, another episode of Exploit Brokers is coming to you now.
Hey guys, if you can do me a favor because it helps the channel grow, if you can hit like, subscribe, and the bell notification icon if you’re on YouTube. If you’re on the podcast platforms like Spotify or Apple Podcast or any of those, please give us a follow or subscribe and give us a five star rating.
It helps the show if you think we deserve it. And with that said, let’s get into it. So, the first article is by Bleeping Computer: FTC distributes 72 million in Fortnite refunds from Epic Games. So, the Federal Trade Commission, FTC, is distributing over 72 million in Epic Games Fortnite refunds for the company’s use of dark patterns to trick players into making unwanted purchases.
So dark patterns, this kind of goes more into the world of social engineering, which is kind of like human hacking, if you want to call it that. But a dark pattern is any kind of pattern, and I’m pretty sure you’ve seen them before, that kind of gets the player to go in a direction that favors the business or the company or the entity leveraging dark patterns. If you’ve ever seen, like, a big button that says, you know, “continue with pay,” and then at the very bottom in almost transparent letters, um, “cancel,” or in emails, if you’ve ever seen the unsubscribe button kind of built into that long text at the bottom with the same color, and it’s not very obvious.
That’s a dark pattern. A lot of the loot boxes and things that make it very flashy and almost like gambling, that is also a dark pattern. You’re exploiting human behavior and human emotions to try to get some kind of outcome that the business or entity wants. It is commonplace, it probably shouldn’t be, but it is pretty commonplace in a lot of places.
And now, you know, we’re seeing Epic Games. They’re being forced to pretty much give money back because of this. So, this is part of the record-breaking 245 million settlement the agency reached with the game publisher in December 2022. The settlement addressed allegations that Epic Games used dark patterns to trick players into unwanted purchases.
“The FTC alleged that Fortnite’s counterintuitive, inconsistent, and confusing button configuration led players of all ages to incur unwanted charges based on the press of a single button,” reads the FTC press release. For example, players could be charged while attempting to wake the game from sleep mode, while the game was in a loading screen,
or by pressing an adjacent button while attempting to simply preview an item. Additionally, Epic Games was accused of allowing unauthorized charges by children and restricting access to purchased content for users who disputed those charges. So as far as I’m aware, when you’re talking about Fortnite, it is very popular among younger crowds.
Granted, there’s probably adults who play it. I’m not saying that it’s only for younger, you know, younger audience kids and stuff like that. But it seems to be that Fortnite specifically has a lot of young audience that are attracted to it, right? You also have stuff like Call of Duty that also brings out some young audience who want to play it, but Fortnite Tends to be this very cartoony over the top game, right?
It’s a battle royale, which for my listeners, um, a battle royale is kind of like, if you’ve ever heard of a first person shooter, a battle royale is like, I don’t know, I think maybe 50, a hundred people, it’s a lot of players that get thrown into a match and then it’s one, one to rule them all pretty much King of the Hill.
And. With that, you have a lot of cosmetic items that go into it, and that’s where the money is getting spent, because Fortnite is a free game to play, but where the money comes in is the skins. You can buy skins and other stuff to give your cosmetic upgrades, and that’s something you’re seeing in a lot of video games now.
Call of Duty does it, Halo Infinite does it. And several other, um, several other genres do it as well. I’m more familiar with the, uh, first person shooter, the FPS genre, but they’re starting to do that where, you know, there’s season passes, and the season passes let you get cosmetic items and stuff like that.
Well, the dark patterns are essentially ways to trick players into buying these cosmetic upgrades and other stuff by pretty much making it harder to say no, whether through loot boxes or through, you know, inconsistent UI, according to the FTC. Now, I haven’t played Fortnite enough to tell you, but this is something that we’ve been seeing across the board on several games now using it.
So, “Fortnite players received the first 72 mil.” That’s the subheader. The FTC announced that the first round of refunds has started. 629,344 Fortnite players who previously submitted a request for reimbursement will receive an average of 114 dollars. Now, I kind of find that significant, and for a very bad reason.
Depending on when you would have played video games, if you ever played video games, video games in the 2000s were like 60. And DLC content wasn’t that, the downloadable content wasn’t really that big. In the early 2000s, once you got to like the mid to late 2000s, I think the DLC content got a bit more, but game passes and all this, or it’s pretty much just DLC content taken up another notch.
And the fact that they’re spending 114, I think right now, if you wanted to buy Call of Duty outright, it’s like 70 plus; think about the season pass and all that. But you, you have people that are spending, on average, according to this, 114 on a free to play game to buy cosmetics. And I mean, they, they really figured out the strategy, right?
You get as many people to play on it free, and then you get a bunch of money out of it anyways. So you get a bigger audience reach. Now, those who opted for PayPal payments are given 30 days to redeem the amount while those who chose checks have 90 days to cash the checks. I could understand that if you don’t have PayPal, a check is a check.
I’m gonna skip some part about the money, but if you are affected, check out the article. It’s linked in the description, and they talk about where to email and stuff like that for the refund. Now, to continue: if you’re an adult who got charged in-game currency for unwanted items on Fortnite between January 2017 and September 2022, your child made unauthorized charges to your credit card between January 2017 and November 2018, you’re not eligible for a refund, or your account was locked between January 2017 and September 2022 after disputing wrongful charges, you may be eligible for a refund.
I know, it’s kind of giving those vibes of, like, the early 2000s, uh, mesothelioma campaign. I’m not going to say any more because I, I, I just, I thought that was a funny comparison. Um, ultimately, guys, this is stuff that is just, it’s happening, right? There’s claims that are being made against it and there was a settlement.
That’s just kind of where life is. Now, something that the article says, and I am definitely gonna like double down in a second. The article states, beware of scammers using FTC’s refund round to trick people into giving away personal information, account passwords, or money under the pretense of clearance fees.
Guys, you will always have scammers trying to scam. Scammers gonna scam. But what we see often is, whenever there’s government programs, I think we saw it during the pandemic in the U.S. when they were giving out stimulus checks, and I figure other countries have similar problems, but whenever the government, or any government, tries to do something, um, scammers will take that as a way to impersonate a government, because now it gives them authority, and right, there’s money on the line, there’s a deadline.
This is kind of like prime fuel, because scammers rely on urgency. They rely on a fake authority and several other things to try to get their point across and get your money. So if you were affected by this, there are no clearance fees. Go check out the FTC. Go straight to the trusted source. Don’t believe anything that you’re just getting a random email about or otherwise.
And be careful of the websites you click, because I’m assuming there’s probably gonna be a dozen websites all pretending to be “Fortnite refund, you can be eligible even if you never played.” Something like that. Not sure. With that, let’s go on to the next one. So, our second article is by Dark Reading:
Lazarus Group exploits Chrome zero-day in latest campaign. The North Korean actor is going after cryptocurrency investors worldwide, leveraging a genuine-looking game site and AI-generated content and images. And before we even jump into the article, I want to break down two things, right? Crypto, or cryptocurrency, has a lot of avenues that it’s been used in, right?
You have the currency itself, think Bitcoin, Ethereum, and then you have stuff that got built on top of it, which is where you get like NFTs, crypto games, and other stuff. And all that to say, right, you have the extension of this technology into similar things, right? You have the NFTs and distributed applications, the dApps, and stuff like that.
And they’re all tied to the underlying cryptocurrency mechanism. Now the AI generated content, this is something I think I said a couple of episodes ago and check out the other episodes if you guys haven’t, but it’s something I’ve been saying and something that I stand heavily behind, right? AI. Whether you like it or hate it is changing the game.
In this case, AI is being used by a threat actor, North Korea, and that’s who Lazarus is, but you have it being used by this threat actor to generate marketing campaign material, to generate stuff. I believe there was a recent thing I read where you even had a major splash screen of a major game that might be under fire because the zombie had, like, six fingers, and you know, human zombies don’t have six fingers, but AI is really horrible at fingers. So it kind of became obvious that they most likely used that.
I haven’t looked into it heavily. I’m just kind of going by it based on what I was kind of skimming the other day, but here a threat actor is using AI in both content and images to further expand on their capabilities, right? North Korea is not going to be the most fluent English speaking country. And I would argue, you know, their citizens are oppressed, et cetera.
They don’t have the best education system. There’s a bunch of things going on here, but with the advent of AI, you now have a bunch of threat actors, not just, uh, Lazarus, but you have any threat actor in the world, or even any cyber criminal, or just anyone, can take this AI and generate a bunch of content, whether that’s images, video now, which is really cool, or text information, which you can then expand on, right?
So, I think we’re going to see a lot of scams and other stuff leveraging AI because it just becomes really powerful. But with that, let’s kind of go into this case. And don’t worry, I’ll bring up AI and cybercrime down the road again anyway. North Korea’s infamous Lazarus Group is using a well-designed fake game website, a now-patched Chrome zero-day bug, professional LinkedIn accounts, AI-generated images, and other tricks to try and steal cryptocurrency from users worldwide.
The group appears to have launched the elaborate campaign in February and has since used multiple accounts on X and tricked influential figures in the cryptocurrency space to promote their malware-infected crypto game site. There’s a lot to unpack. So they’re using LinkedIn, they’re using AI, they’re using X, they’re using as many avenues to spread this, right?
And that’s something you see with video games, right? The really popular video games that are like really trying to squeeze as much money, like pay to win style do really, really good guerrilla. I don’t even want to say guerrilla marketing, but guerrilla marketing, viral marketing, whatever you want to call it to get to the end users who are going to spend money.
In this case, they’re trying to get to users who are going to install it and they can steal money from, right? It’s an interesting, different way to go, but it makes sense, right? They’re not in the game development or in any of this other; they’re in the hacking game. “Over the years we have uncovered many Lazarus attacks on the cryptocurrency industry, and one thing is certain: these attacks are not going away,” said researchers at Kaspersky,
after discovering the latest campaign while investigating a recent malware infection. “Lazarus has already successfully started using generative AI, and we predict they will come up with even more elaborate attacks using it,” the security vendor noted. Yes, I am 100 percent on this. I think we’re gonna see AI just completely augment and enhance and transform the cyber security space.
It’s not just the generative AI, it’s the large language models. It’s just every aspect of AI is being used, right? From the generative side, to the LLMs, to pretty much anything else you can imagine, they’re gonna definitely start to bring this up. Whether it’s code development tools, it’s just gonna keep going, and going, and going.
Now granted, with the current iteration of AI, they may hit a stalemate until, you know, the next generation of GPT model, or the next generation of Llama model, comes out and it has better capabilities. But that just means they’re gonna go really quick, hit a plateau, and then go really quick again. The state-sponsored Lazarus Group may not be quite a recognizable name yet, but it is easily among the most prolific and dangerous cyber threat actors in operation.
Which again, Lazarus is North Korea’s, one of their threat actors. Since making headlines with an attack on Sony Pictures back in 2014, Lazarus and subgroups such as Andariel and BlueNoroff have figured in countless notorious security incidents. These have included the WannaCry ransomware outbreak, the 81 million heist at Bank of Bangladesh, and attempts to steal COVID vaccine-related secrets from major pharmaceutical companies during the height of the pandemic.
So threat actors will always carry out the will and the wants of the nation that they… And in this case, it’s North Korea, and North Korea has, I would argue, a handful of reasons why they’d be doing different things. The article goes into it, so I’ll circle back in a second. Analysts believe that many of the group’s financially motivated attacks, including those involving ransomware, card skimming, and cryptocurrency users, are really attempts to generate revenue for the money-strapped North Korean government’s missile program.
We, you know, it’s no secret, North Korea wants to fund and build out their nuclear and their missile programs, and all their, all their military, right? Major country doesn’t, but I digress here. They’re using a lot of hacker methods because they can get a 1000X return, right? You spend, call it a hundred thousand, for like 10 mil in stolen cryptocurrency, which is already, you know, when you talk about like the banking system, right?
You have SWIFT and BRICS and all these other ones. These are all controlled by major companies, or by major, not companies, these are all controlled by major countries. But cryptocurrency is distributed, right? So, if you can steal something, it’s gone. There is no way to get that money refunded, there’s no way to cancel that transaction once it’s been thrown on the ledger.
It’s, it’s governed by all the entity that exists within, you know, within crypto. It’s, it’s a distributed ledger, right? And if you, once you get that transaction in there, that’s it. You can’t undo it. You can do another transaction to refund the money, but then that’s a new transaction. It’s not undoing of the previous transaction.
In the latest campaign, the group appears to have refined some of the social engineering tricks employed in past campaigns. Central to the new scam is detankzone.com, a professionally designed product page that invites visitors to download an NFT-based multiplayer online tank game. Kaspersky researchers found the game to be well designed and functional, but only because Lazarus actors had stolen the source of a legitimate game to build it.
And that’s something you see with threat actors, right? Sometimes they’ll buy it, build it, make it, blah blah. Now, Kaspersky found the website to contain exploits for two Chrome vulnerabilities. One of them is tracked as CVE 4947. It was a previously unknown zero-day bug in Chrome’s V8 browser engine. It gave attackers a way to execute arbitrary code inside a browser sandbox via a specially crafted HTML page.
Google addressed the vulnerability in May after Kaspersky reported the flaw to the company. So, most web browsers now use a sandbox. A sandbox is essentially a segmented piece of memory where you can run stuff in. And that’s beneficial because you need to take advantage of flaws to break out of that sandbox.
Inherently, the sandbox makes the web browser safer. You need more sophistication to do more damage, right? You can’t just run a random virus in a sandbox and hope you can do stuff. It really involves doing more. Now, the other Chrome vulnerability, which kind of comes into the sandbox, that Kaspersky observed in the latest Lazarus Group exploit, is that it does not appear to have a formal identifier.
It gave the attackers a way to escape the Chrome V8 sandbox entirely and gain full access to the system. This is where you see a lot of, a lot of vulnerability chains happen, right? A vulnerability chain, right? You’re chaining one vulnerability to another vulnerability to another vulnerability.
Maybe one vulnerability gives you access to the system. One vulnerability lets you escalate privileges. One vulnerability lets you break out into a remote code execution. You keep chaining them to get to the ultimate goal, which is control of a system. That’s oversimplifying, but you get where I’m going.
The threat actor used that access to deploy shellcode for collecting information on the compromised system before deciding whether to deploy further malicious payloads on the compromised system, including a backdoor called Manuscrypt. Shellcode is a piece of software that gives you a shell. A shell being the command line, the CLI, the terminal, depending on the operating system you’re using, different nomenclature, but it all means a text-based way of interacting with the computer that is more powerful than just GUIs.
And I know there’s probably going to be someone listening that can do, like, GUI stuff on a Linux terminal; I’m talking about just the general run-of-the-mill shell. And a backdoor, most likely, you know, stuff you can call like RATs, Trojans, etc. There’s a backdoor that gets installed called Manuscrypt, and that’s a variant I think that we’ve been seeing Lazarus use.
What makes the campaign noteworthy is the effort that Lazarus Group’s actors appear to have put into its social engineering angle. They focus on building a sense of trust to maximize the campaign’s effectiveness, designing details to make the promotional activities appear as genuine as possible, Kaspersky researchers Boris Larin and Vasily Berdnikov wrote. They use multiple fake accounts to promote their site via X and LinkedIn, along with AI-generated content and images, to create an illusion of authenticity around their fake game site.
Back to what I was kinda saying earlier, you have these technical AI to be creative on their behalf, right? Once you get really good at prompting, once you get really good at this, You can create something that’s like 80 percent as good as you need, or 90 percent as good as you need to fool most people, right?
There’s this whole debate on whether AI stuff is real art and blah blah blah, but I’m not talking about the, the validity of it being art or not. I’m talking about AI being used. And it’s good enough to make something look really good. That makes most people want to click because most people are not going to look at an AI generated image of a tank and realize that there’s something off about the tracks or realize there’s something off about the driver.
They’re going to glance at it, they’re going to say, “looks cool,” they’re going to click and download. Right. And that’s what a lot of these scams, well, not scams, but that’s what a lot of these campaigns kind of work on, right? Social engineering, you’re attacking, or you’re hacking, the weakest point in security, which most of the time is humans.
A human will click, and that’s where it all kind of goes through. Now, the attackers also attempted to engage cryptocurrency influencers for further promotion, leveraging their social media presence not only to distribute the threat but also to target their crypto accounts directly, wrote Larin and Berdnikov.
And this is why for any people who do YouTube or any people who are active on the internet, I know you’re listening to this, but to anyone who’s active, You always have to be careful of who you trust and what you click. Just because an influencer says, go do this thing. Don’t do it. There’s been so many scams and so many shill coins that it’s not even funny.
Crypto could be a very cool and useful piece of tech, but there’s so much scam and so much fraud around it that most people I think are starting to shy away from it. And that’s a shame because crypto really holds a useful application, right? And it’s, it’s just a cool piece of tech, right? When you talk about the distributed apps or the dApps, right?
There’s a lot of good use that you can get out of them. Not just to make a quick buck and not just to make a game. There’s always a use for different things, especially when you consider that the whole point of crypto was a trustless system, right? You don’t have to trust a central authority. It’s all generally approved by the whole network.
Now there’s, I believe, proof of work versus proof of stake. There’s different mechanisms that go into that, but as a general rule, it’s a way for you to be able to buy into a system without having to have inherent trust In a single entity, but guys, I want to thank you for tuning in. This has been Cipherceval, also known as Lauro, and this has been another episode.
I will catch you in the next one.
Note: This is a transcript of the show.
🔗 References & Sources
* Fortnite Refunds: https://www.bleepingcomputer.com/news/gaming/ftc-distributes-72-million-in-fortnite-refunds-from-epic-games/
* DeFi Lazarus: https://www.bleepingcomputer.com/news/security/lazarus-hackers-used-fake-defi-game-to-exploit-google-chrome-zero-day/