Cyber Incident Victim: Stanford University
Date: Apr 2023
Location: United States of America
Summary
Stanford University's wiki infrastructure was compromised as part of a widespread campaign targeting educational institutions. The attackers defaced multiple university wiki pages, which were altered to serve spam content promoting fake Fortnite gift cards and cheats. These pages redirected users to phishing forms designed to harvest their credentials. The incident involved the exploitation of wiki platforms, specifically MediaWiki and TWiki, to host malicious content on the university's subdomains.
Description
On or around April 20, 2023, a malicious campaign was identified targeting university websites running the MediaWiki and TWiki content management platforms. The primary objective of the attack was to compromise these web properties so they could host and serve spam content related to the online video game Fortnite and fraudulent gift card offers. The incident was initially brought to public attention by a Twitter user known as g0njxa, who identified and reported over a dozen compromised subdomains belonging to prominent U.S. universities. Researchers confirmed that the list of affected institutions included Stanford University, the Massachusetts Institute of Technology (MIT), the University of California, Berkeley, the University of Massachusetts Amherst, Northeastern University, the California Institute of Technology (Caltech), and the University of Michigan. This indicated a broad campaign specifically aimed at the higher education sector in the United States.

The attackers exploited security vulnerabilities within the targeted wiki platforms to upload unauthorized pages and documents. These newly created pages were designed to mimic legitimate promotional offers, luring visitors with claims of providing free Fortnite V-Bucks (the game's in-game currency), gift cards, and cheats for the popular game. Instead of delivering the promised items, the compromised pages redirected users to bogus websites. These fraudulent sites functioned as phishing platforms, presenting users with forms that prompted them to enter their personal credentials, thereby harvesting their account information. In other observed instances, the sites promised gift cards in exchange for users completing lengthy and deceptive surveys, a common tactic for generating illicit advertising revenue or collecting personal data.
While the primary focus of the campaign was on U.S. university systems, the threat actors also targeted other organizations. The scope of the incident expanded to include government websites, demonstrating that the underlying vulnerability or attack method was not exclusive to the academic sector. Confirmed non-academic victims included mini-sites operated by a Brazilian state government and, notably, the European Union's official Europa.eu domain. In the case of Europa.eu, the spammers abused the Europass e-Portfolio service, a job search portal that allows individuals to create, upload, and host their CVs and cover letters in PDF format. The attackers uploaded spam documents disguised as PDF resumes or portfolios to this service, effectively using a European Union job platform to host and disseminate their malicious content.
The exact method of initial compromise remained unclear at the time of public reporting. Security researchers and analysts investigating the campaign could not definitively identify the specific exploit or vulnerability being leveraged by the threat actors to gain unauthorized access and upload privileges. It was noted that the MediaWiki project had released security updates the previous month, in March 2023, to address multiple vulnerabilities in its software. However, an initial assessment indicated that none of the patched flaws appeared to be directly relevant to the techniques observed in this active malicious campaign. This uncertainty suggested that the attackers may have been exploiting an unpatched vulnerability, a common misconfiguration, or a separate weakness not yet publicized or addressed.
The immediate impact of the incident was the defacement of university and government web properties, damaging their public image and credibility. For the affected universities, their compromised wiki and documentation subdomains, which are often used by students, faculty, and researchers for collaborative work and information sharing, were repurposed for criminal activity. This misuse transformed trusted educational resources into platforms hosting phishing and spam content, posing a direct security risk to any visitor who might interact with the malicious links. The consequences for users who fell for the scams could include the theft of their Fortnite or other gaming account credentials, loss of personal data submitted through fake surveys, and potential financial loss if linked accounts were compromised.
In response to the discovery, security researchers and threat intelligence analysts, including those from BleepingComputer, confirmed the campaign was live and actively serving malicious content. The primary response action recommended for system administrators responsible for MediaWiki and TWiki installations was to conduct comprehensive sweeps of their websites to identify and remove any unauthorized spam pages and malicious content. The advisory specifically suggested searching for resources containing keywords associated with the campaign, such as 'gift card,' 'Fortnite,' 'V-Bucks,' and similar terms. This reactive measure was necessary for containment and eradication of the threat from the compromised systems. Furthermore, a public service announcement was issued directly to users, advising them to refrain from clicking on any suspicious links found on university wiki pages or other potentially affected sites to mitigate the risk of falling victim to the phishing schemes. The investigation into the root cause of the widespread compromises was reported to be ongoing.
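The sweep recommended above, searching a wiki for pages carrying the campaign's keywords, can be scripted against a MediaWiki XML export rather than done by hand. The following is an added example written for this record; it is not code from the page, from the advisory, or from the MediaWiki or TWiki projects. It assumes the input is a MediaWiki XML dump (the `mediawiki.org/xml/export-0.10` namespace and `page`/`title`/`revision`/`text` layout of that format) and the sample pages, hostnames and the `example.edu` trusted domain are constructed for the demonstration. Beyond the keyword search the advisory describes, it also triages hits by whether the page links out to a host the institution does not control, which is what separated the spam pages (redirecting to phishing forms) from, say, an innocent finance page that happens to mention gift cards.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Keywords the public advisory suggested searching for, plus a common spelling variant.
DEFAULT_KEYWORDS = ("gift card", "fortnite", "v-bucks", "vbucks", "cheat")

# Bare URLs as they appear in wikitext, stopping at whitespace or wikitext/markup delimiters.
URL_RE = re.compile(r"https?://[^\s\]\|<>\"']+", re.IGNORECASE)


def _local(tag):
    """Strip the XML namespace that MediaWiki dumps put on every element."""
    return tag.rsplit("}", 1)[-1]


def _is_trusted(host, trusted_hosts):
    """True if host is one of the institution's domains or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def parse_export(xml_text):
    """Yield (title, text) for each page in a MediaWiki XML export.

    If a page carries several revisions, the text of the last one listed is used.
    """
    root = ET.fromstring(xml_text)
    for page in root.iter():
        if _local(page.tag) != "page":
            continue
        title, text = "", ""
        for el in page.iter():
            name = _local(el.tag)
            if name == "title":
                title = el.text or ""
            elif name == "text":
                text = el.text or ""
        yield title, text


def scan_pages(pages, keywords=DEFAULT_KEYWORDS, trusted_hosts=()):
    """Flag pages whose title or body contains a campaign keyword.

    Severity is 'high' when the page also links to a host outside trusted_hosts
    (the redirect-to-phishing pattern) and 'low' when only keywords matched.
    Pages with no keyword hit are not reported, so legitimate outbound links
    alone do not generate noise.
    """
    findings = []
    for title, text in pages:
        haystack = (title + "\n" + text).lower()
        matched = sorted(k for k in keywords if k in haystack)
        if not matched:
            continue
        external = sorted({
            h for h in (urlparse(u).hostname for u in URL_RE.findall(text))
            if h and not _is_trusted(h, trusted_hosts)
        })
        findings.append({
            "title": title,
            "keywords": matched,
            "external_hosts": external,
            "severity": "high" if external else "low",
        })
    # High-severity hits first, then alphabetical by title.
    findings.sort(key=lambda f: (f["severity"] != "high", f["title"]))
    return findings


def scan_export(xml_text, keywords=DEFAULT_KEYWORDS, trusted_hosts=()):
    """Convenience wrapper: parse a dump and scan it in one call."""
    return scan_pages(parse_export(xml_text), keywords, trusted_hosts)


# Constructed sample dump: one spam page, one ordinary page, one benign keyword hit.
SAMPLE_EXPORT = """<mediawiki xmlns="http://www.mediawiki.org/xml/export-0.10/" xml:lang="en">
  <page>
    <title>Free Fortnite V-Bucks Generator 2023</title>
    <ns>0</ns>
    <revision>
      <text xml:space="preserve">Claim your FREE V-Bucks gift card now!
[https://vbucks-claim.invalid/login Click here] before the offer ends.</text>
    </revision>
  </page>
  <page>
    <title>Lab Meeting Notes</title>
    <ns>0</ns>
    <revision>
      <text xml:space="preserve">Agenda: cluster upgrade. See https://wiki.example.edu/Cluster.</text>
    </revision>
  </page>
  <page>
    <title>Gift Card Reimbursement Policy</title>
    <ns>0</ns>
    <revision>
      <text xml:space="preserve">Gift cards bought for study participants must be logged with finance.</text>
    </revision>
  </page>
</mediawiki>"""


if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT, trusted_hosts=("example.edu",)):
        print(f"[{f['severity'].upper():4}] {f['title']!r} keywords={f['keywords']} "
              f"external={f['external_hosts']}")
```

In practice the dump would come from the wiki's export facility or database, and `trusted_hosts` would list the institution's own domains; `scan_pages` accepts any iterable of `(title, text)` pairs, so page content fetched another way can be fed to the same triage without the XML step. Keyword hits with no outbound link still deserve a look, but the high-severity set is where the redirect-to-phishing pages from this campaign would land.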
