Tens of thousands of Fortnite players have been infected by malware that hijacks encrypted Web sessions so it can inject fraudulent ads into every website a user visits, an executive with a game-streaming service said Monday.

Rainway CEO Andrew Sampson said in a blog post that company engineers first detected the mass infections last week when server logs reported hundreds of thousands of errors. The engineers soon discovered that the errors were the result of ads that somehow were injected into user traffic. Rainway uses a technique known as whitelisting that permits customers to connect only to approved URLs. The addresses hosting the fraudulent addresses—hosted on the adtelligent.com and springserve.com domains—along with unauthorized JavaScript that accompanied them made it clear the traffic was generated by malware infecting a large number of game players using the Rainway service. Rainway is a cloud-based service that lets people play PC games remotely, similar to PlayStation Now.

“As the errors kept flowing in, we took a glance at what these users had in common,” Sampson wrote. “They didn’t share any hardware, their ISPs were different, and all of their systems were up to date. However, one thing did stand out—they played Fortnite.”

Root certificate installed

Suspecting the malware was spread by one of the countless Fortnite cheating hacks available online that promise to give users an unfair advantage over other players, Rainway researchers downloaded hundreds of the hacks and scoured them for references to the rogue URLs. The researchers eventually found one Sampson declined to name that promised to allow users to generate free in-game currency called V-Bucks. It also promised users access to an “aimbot,” which automatically aims the character’s gun at opponents without any need for precision by the player. When the researchers ran the app in a virtual machine, they discovered that it installed a self-signed root certificate that could perform a man-in-the-middle attack on every encrypted website the user visited.

Sampson wrote: “Now, the adware began altering the pages of all Web requests to add in tags for Adtelligent and voila, we’ve found the source of the problem—now what?”

Rainway researchers reported the rogue malware to the unnamed service provider that hosted it. The service provider removed the malware and reported that it had been downloaded 78,000 times. In all, the malware generated 381,000 errors in Rainway’s logs. The researchers also reported the abuse to Adtelligent and Springserve. Sampson said that Springserve helped to identify the abusive ads and remove them from its platform. In an email sent a day after this post went live, AdTelligent VP of Marketing Nickolas Rekeda said the company pulled the ads as soon as it received notification they were being used in the malware campaign. "We never tolerate any kind of fraudulent activities and we provide a number of third-party scoring solutions to make sure any suspicious activities never take place," Rekeda wrote. Officials from Epic Games, the maker Fortnite, declined to comment.

Sampson also said that Rainway implemented a defense known as certificate pinning. Certificate pinning binds a specific certificate to a given domain name in order to prevent browsers from trusting fraudulent TLS certificates that are self-signed by an attacker or misissued by a browser-trusted authority. While the adoption of certificate pinning is a good defense-in-depth move, it unfortunately would do nothing to protect users against root certificates installed to perform man-in-the-middle attacks, as Google researchers have warned for years. That means the malware has the ability to read, intercept, or tamper with the traffic of any HTTPS-protected site on the Internet.

The rash of infections is the latest cautionary tale about the risks of installing shady software provided by unknown sources. People who suspect they have been infected should install antivirus protection from a name-brand provider and thoroughly scan their systems ASAP.

Post updated to ad comment from AdTelligent.