Cyber Incident Victim: Europa.eu

Date: Apr 2023

Location: Brazil

Summary

A malicious campaign compromised university websites using MediaWiki and TWiki platforms, along with the European Union's Europa.eu portal, to serve spam content. The attackers uploaded fraudulent pages that promoted fake Fortnite gift cards and cheats, which were effectively phishing forms designed to harvest user credentials. On the Europa.eu domain, the threat actors specifically abused the Europass e-Portfolio service to upload spam PDF documents.

Description

On or around April 20, 2023, a malicious spam campaign was identified targeting the websites of multiple prominent U.S. universities and some government entities. The campaign was first brought to public attention by a Twitter user known as g0njxa, who identified over a dozen compromised sub-domains belonging to these institutions. Researchers confirmed that the affected websites were running either the TWiki or MediaWiki content management system platforms. MediaWiki is the same software that powers Wikipedia and other Wikimedia Foundation websites. The primary goal of the attack was to compromise these wiki and documentation pages to serve spam content to visitors.

The compromised university websites included those belonging to Stanford University, the Massachusetts Institute of Technology (MIT), the University of California, Berkeley, the University of Massachusetts Amherst, Northeastern University, the California Institute of Technology (Caltech), and the University of Michigan. BleepingComputer confirmed the malicious campaign was live and actively serving spam from these scholastic websites. The attackers uploaded spam pages to the compromised wikis, which lured readers into visiting bogus sites. These sites claimed to be offering free gift cards, 'Fortnite Bucks,' cheats, and other digital artifacts related to the popular online game Fortnite.

The malicious domains linked from these spam pages loaded fake Fortnite-themed websites. These sites were effectively phishing forms that prompted unsuspecting users to enter their credentials, likely to steal their account information. In other observed instances, the compromised sites promised users gift cards in exchange for completing bogus surveys, which is a common tactic to generate revenue through ad clicks or to harvest personal information from victims. Although the campaign primarily targeted university websites built with MediaWiki and TWiki, it was also confirmed that some government websites were impacted by the same threat actors.

This broader targeting included mini-sites hosted by a Brazilian state government and, notably, the European Union's official website, Europa.eu. In the specific case of Europa.eu, the spammers abused the Europass e-Portfolio service. Europass is a job search portal that enables prospective European residents to create, upload, and host their CVs and cover letters as PDF documents. The threat actors exploited this functionality to upload spam pages and PDF documents containing the same fraudulent Fortnite and gift card offers, thereby leveraging the legitimacy of the European Union's domain to lend credibility to their schemes.

The exact method of compromise remained unclear at the time of reporting. It was not known what specific vulnerability or exploit the threat actors were leveraging to upload their spam pages and PDF documents to the websites of these legitimate organizations. While MediaWiki had released security updates the previous month, in March 2023, to fix multiple vulnerabilities in its platform, none of the patched flaws appeared to be directly relevant to the techniques used in this ongoing malicious campaign. The investigation into the root cause of the widespread compromises was continuing.

The impact of the incident was the defacement of numerous high-profile educational and governmental web properties. The presence of spam and phishing content on these trusted domains posed a significant risk to users, who might be more inclined to believe offers presented on a university or official government website. The immediate consequence was the potential for credential theft and financial scams targeting individuals, particularly younger audiences interested in Fortnite. The reputational damage to the affected institutions was another significant consequence, as their digital assets were used to host malicious content.

In response to the incident, security researchers advised system administrators responsible for MediaWiki and TWiki installations to sweep their websites for any unauthorized spam and malicious content. They were specifically advised to search for resources containing keywords associated with the campaign, such as 'gift card' and 'Fortnite,' to identify any compromised pages. Additionally, a general warning was issued to users, advising them to refrain from clicking on suspicious links found on wiki pages, even those hosted on otherwise trusted domains. The public disclosure of the campaign served as the primary method for alerting both administrators and potential victims, prompting a containment effort through the identification and removal of the malicious pages.
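
The keyword sweep recommended above, written out as an added example for MediaWiki sites (this is not code from the original write-up or from the MediaWiki project). It assumes a placeholder API_URL and constructed SAMPLE_* records; the query parameters are those of the standard MediaWiki Action API (list=search for page text, list=allimages for recent uploads such as the spam PDFs).

```python
"""Sweep a MediaWiki site for spam pages and uploads matching campaign keywords.
Added example; API_URL is a placeholder and SAMPLE_* records are constructed."""
import json
import re
import urllib.parse
import urllib.request

API_URL = "https://wiki.example.edu/w/api.php"  # placeholder, set per site
KEYWORDS = ("gift card", "fortnite", "fortnite bucks")  # terms from the advisory

def keyword_hits(text, keywords=KEYWORDS):
    """Keywords present in text, ignoring case, HTML tags and separators."""
    plain = re.sub(r"<[^>]+>", " ", text)        # strip <span class="searchmatch">
    norm = re.sub(r"[\W_]+", " ", plain).lower()  # 'Gift-Card' / 'gift_card' -> 'gift card'
    return [k for k in keywords if k in norm]

def triage(pages, uploads, keywords=KEYWORDS):
    """Flag search hits and uploads whose title, snippet or filename match."""
    findings = []
    for p in pages:
        hits = keyword_hits(f"{p.get('title', '')} {p.get('snippet', '')}", keywords)
        if hits:
            findings.append(("page", p["title"], hits))
    for f in uploads:
        hits = keyword_hits(f.get("name", ""), keywords)
        if hits:
            findings.append(("upload", f["name"], hits))
    return findings

def api_get(api_url, **params):  # one action=query GET, decoded as JSON
    params.update(action="query", format="json")
    req = urllib.request.Request(api_url + "?" + urllib.parse.urlencode(params),
                                 headers={"User-Agent": "wiki-spam-sweep/1.0"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def sweep(api_url=API_URL, keywords=KEYWORDS, limit=50):  # live sweep of one wiki
    pages = []
    for kw in keywords:  # full-text search per keyword, then the newest uploads
        q = api_get(api_url, list="search", srsearch=kw, srwhat="text", srlimit=limit)
        pages += q.get("query", {}).get("search", [])
    q = api_get(api_url, list="allimages", aisort="timestamp", aidir="descending",
                ailimit=limit, aiprop="user|timestamp|mime")
    return triage(pages, q.get("query", {}).get("allimages", []), keywords)

# Constructed records in the shape the API returns, so triage() runs offline.
SAMPLE_PAGES = [{"title": "Free Fortnite Gift Card Generator", "snippet": "Get a <span class=\"searchmatch\">gift-card</span>"},
                {"title": "Lab Safety Procedures", "snippet": "Wear goggles at all times"}]
SAMPLE_UPLOADS = [{"name": "Fortnite_Bucks_Generator.pdf", "user": "NewUser42"},
                  {"name": "Syllabus_Spring_2023.pdf", "user": "ProfSmith"}]
```

Findings are candidates for manual review, not verdicts; a legitimate page about gift-card policy will also match. TWiki has no equivalent API, so for TWiki sites the same triage() logic is better applied to a file-system search of the topic and attachment directories.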
