
Cyber Incident Victim: Massachusetts Institute of Technology

Date: Apr 2023

Location: United States of America

Summary

A spam campaign compromised wiki and documentation pages at the Massachusetts Institute of Technology and several other prominent universities. Threat actors hacked pages running on the MediaWiki and TWiki platforms to serve spam content. The compromised pages lured visitors with offers for fake Fortnite gift cards and cheats, redirecting them to phishing forms designed to harvest user credentials. The campaign also affected some government websites, including a European Union portal.


Description

On or around April 20, 2023, a malicious spam campaign was identified targeting the wiki and documentation websites of multiple prominent United States universities, including the Massachusetts Institute of Technology. The campaign involved the compromise of these web properties to serve fraudulent content. Researchers, including a Twitter user identified as g0jnxa, observed that over a dozen university sub-domains had been hacked. The affected websites were running either the TWiki or MediaWiki content management system platforms. MediaWiki is the same software that powers Wikipedia and other Wikimedia Foundation websites.


The primary objective of the attack was to upload spam pages that lured visitors with offers of free digital goods. The compromised pages promoted bogus offers for 'Fortnite Bucks,' which is the in-game currency for the popular video game Fortnite, as well as 'free gift cards' and game cheats. These pages were not legitimate offers but instead functioned as landing pages for phishing operations. When users clicked on the links, they were directed to fake Fortnite pages that presented phishing forms designed to steal user credentials. In other instances observed by security researchers, the sites promised gift cards in exchange for users completing fraudulent surveys.

The scope of the incident extended beyond the initial set of university targets. BleepingComputer confirmed the campaign was active and had also impacted the website of the University of Michigan. Furthermore, the same threat actors targeted websites beyond the educational sector. This included mini-sites operated by a Brazilian state government and, notably, the European Union's official Europa.eu domain. On the Europa website, the spammers specifically abused the Europass e-Portfolio service. This service is a job search portal that allows individuals to create and upload their CVs and cover letters in PDF format. The attackers exploited this functionality to upload spam PDF documents alongside the web pages.

The technical method of compromise remained unclear at the time of public reporting. Investigators could not determine the specific exploit or vulnerability the threat actors were leveraging to gain unauthorized access and upload their content to the wikis belonging to these legitimate organizations. A review of recent security patches showed that MediaWiki had released security updates the previous month, in March 2023, addressing multiple vulnerabilities in the platform. However, an initial assessment indicated that none of these patched flaws appeared to be directly relevant to the ongoing malicious campaign, leaving the initial attack vector unconfirmed. The investigation into the root cause was ongoing.

The immediate impact of the incident was the defacement of university web assets and the erosion of trust for visitors who encountered the compromised pages. The presence of spam and phishing lures on reputable .edu domains lent an air of legitimacy to the fraudulent offers, increasing the risk that students, staff, or other visitors could have their credentials stolen. For the institutions themselves, the incident posed a reputational risk and a potential security threat to their broader communities. The abuse of the Europass service on the Europa.eu domain represented a significant escalation, demonstrating the campaign's ability to compromise government-level digital services for the same spam purposes.

In response to the discovery, the recommended course of action for system administrators responsible for MediaWiki and TWiki instances was to conduct comprehensive sweeps of their websites to identify and remove any spam or malicious content. The advice was to search for resources containing keywords associated with the campaign, such as 'gift card' and 'Fortnite.' Additionally, a primary public advisory was issued directly to users, instructing them to refrain from clicking on suspicious links found on any compromised wiki pages to avoid falling victim to the associated phishing schemes. The public disclosure of the campaign served as the main method of alerting the affected organizations and the wider academic community to the threat.
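A defender-side sweep of the kind recommended above, added here as an example and not taken from the advisory or from either wiki project: a Python script that parses a MediaWiki XML export, flags pages whose title or current text contains the campaign keywords, and records each hit's editor, timestamp and external links. The keyword list and the embedded sample export are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Sweep terms: the advisory's 'gift card' and 'Fortnite' plus the 'cheats' lure
# the reporting describes (assumed list; matched case-insensitively).
CAMPAIGN_KEYWORDS = ("gift card", "fortnite", "cheat")
# Namespace used by MediaWiki XML exports (Special:Export / dumpBackup.php).
MW_NS = {"mw": "http://www.mediawiki.org/xml/export-0.10/"}
# Bare or bracketed external URLs in wikitext; lure pages carry the redirect here.
EXTERNAL_LINK_RE = re.compile(r"https?://[^\s\]|]+", re.IGNORECASE)


def scan_dump(xml_text: str) -> list[dict]:
    """One finding per page whose title or current revision text matches."""
    findings = []
    for page in ET.fromstring(xml_text).findall("mw:page", MW_NS):
        title = page.findtext("mw:title", default="", namespaces=MW_NS)
        revisions = page.findall("mw:revision", MW_NS)
        if not revisions:
            continue
        rev = revisions[-1]  # exports list revisions oldest first
        text = rev.findtext("mw:text", default="", namespaces=MW_NS)
        haystack = f"{title}\n{text}".lower()
        hits = sorted(k for k in CAMPAIGN_KEYWORDS if k in haystack)
        if not hits:
            continue
        # Accounts carry <username>, anonymous edits carry <ip>.
        editor = (rev.findtext("mw:contributor/mw:username", default="", namespaces=MW_NS)
                  or rev.findtext("mw:contributor/mw:ip", default="", namespaces=MW_NS))
        findings.append({
            "title": title,
            "keywords": hits,
            "external_links": EXTERNAL_LINK_RE.findall(text),
            "editor": editor,
            "timestamp": rev.findtext("mw:timestamp", default="", namespaces=MW_NS),
        })
    return findings


# Constructed sample export, not a real dump: a near-miss page and one lure page.
SAMPLE_DUMP = """<mediawiki xmlns="http://www.mediawiki.org/xml/export-0.10/">
<page><title>Gift Policy</title><ns>0</ns><id>1</id><revision><id>10</id>
<timestamp>2023-03-10T12:00:00Z</timestamp><contributor><username>jsmith</username>
</contributor><text>Gifts over 50 dollars must be declared to the office.</text>
</revision></page>
<page><title>Free Fortnite Gift Card Generator 2023</title><ns>0</ns><id>2</id>
<revision><id>11</id><timestamp>2023-04-20T03:14:00Z</timestamp><contributor>
<ip>203.0.113.7</ip></contributor><text>Claim FREE Fortnite Bucks, gift cards
and cheats here: https://example.invalid/claim</text></revision></page>
</mediawiki>"""
```

Run `scan_dump` over the output of Special:Export or dumpBackup.php for the wiki; a hit created by an anonymous or unfamiliar editor that points off-site is the pattern the reporting describes.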
