A vast network of scams targeting young users in popular online games like Roblox and Fortnite has been discovered, using thousands of compromised websites, including those of government agencies and universities, to push deceptive offers.
Security researcher Zach Edwards has spent over three years tracking this extensive scheme, linking it back to the activities of an affiliate network associated with an advertising company called CPABuild. These scams, often masked as game promotions, employ sophisticated techniques to manipulate children into downloading malware or providing personal information for fake rewards. The complex nature of the scams and the compromised websites make this a unique and alarming online threat.
The scams follow a common pattern: attackers exploit vulnerabilities in websites’ backends or content management systems and upload malicious PDF files referred to as “poison PDFs.” These files are designed to show up in search engine results and promote false offers such as free in-game currency or movie streams. Clicking on links in these poison PDFs leads users through multiple websites to scam landing pages.
Despite the complexity of these operations, the research shows that all compromised websites with uploaded PDFs link to command-and-control servers owned by CPABuild, revealing the extent of their involvement.
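For site owners, the pattern above suggests a simple audit: list the PDFs in a web root and flag any whose link annotations point off the site's own domain. The sketch below is an added example, not code from Edwards' research; the function names, the `example.edu` host and the sample files are constructed, and it assumes link actions are stored uncompressed in the PDF.

```python
import re
from urllib.parse import urlparse

# Link actions as written in uncompressed PDF objects: /URI (https://...)
# Limitation: links inside compressed object streams or hex strings are missed.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

def external_links(pdf_bytes, site_host):
    """Return link targets whose host is neither site_host nor a subdomain."""
    links = []
    for match in URI_RE.finditer(pdf_bytes):
        # Undo backslash escapes such as \( \) \\ used in PDF literal strings.
        raw = re.sub(rb"\\(.)", rb"\1", match.group(1))
        url = raw.decode("latin-1")
        host = (urlparse(url).hostname or "").lower()
        if host and host != site_host and not host.endswith("." + site_host):
            links.append(url)
    return links

def triage(files, site_host):
    """files maps path -> bytes; returns {path: [off-site URLs]} for PDFs only."""
    report = {}
    for path, data in files.items():
        if not data.startswith(b"%PDF-"):
            continue  # judge by magic bytes, not the file extension
        links = external_links(data, site_host)
        if links:
            report[path] = links
    return report

# Constructed sample data (not taken from the research).
SAMPLE_FILES = {
    "uploads/annual-report.pdf": b"%PDF-1.4\n1 0 obj << /Subtype /Link "
        b"/A << /S /URI /URI (https://www.example.edu/reports) >> >> endobj\n",
    "uploads/free-game-currency.pdf": b"%PDF-1.4\n1 0 obj << /Subtype /Link "
        b"/A << /S /URI /URI (https://redirect.example.net/go?id=1) >> >> endobj\n"
        b"2 0 obj << /A << /S /URI /URI(http://landing.example.org/offer\\(1\\)) >> >>\n",
    "uploads/notes.txt": b"plain text, not a PDF",
}

if __name__ == "__main__":
    for path, links in triage(SAMPLE_FILES, "example.edu").items():
        print(path, len(links), "off-site link(s):", *links)
```

A flagged file is a lead for review rather than proof of compromise, since legitimate documents also link to other sites; comparing the flagged paths against what the site's own staff published narrows the list.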
CPABuild, an advertising firm established in 2016, serves as a “content-locking network” and hosts tasks for users to complete in exchange for rewards. Affiliates of CPABuild are responsible for promoting these offers, often using spamming tactics. Despite the company’s claims of daily fraud checks, Edwards’ research reveals rampant fraud and exploitation within their network.
While gaming companies and cybersecurity experts emphasize the deceptive nature of these schemes, their prevalence underscores the critical need for robust online safety measures to protect children from falling victim to such scams.