Cyber Round-up

Cyber Round-up for 18th January

Welcome to the Ironshare Cyber Round-up where we look back at the events of that last week and handpick some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

  • Fortnite User Accounts at Risk from Old School Attacks
  • Pre-Valentine’s Love Letters deliver Malware
  • Collection #1 Data Breach
  • Running a TP-Link VPN Router? Then it’s Time to Patch
  • HMRC Tax Refund Phishing Emails

Fortnite User Accounts at Risk from Old School Attacks

Fortnite, the mega popular last man standing online game by Epic Games, has been in the news this week for another vulnerability, this time allowing hackers to gain unauthorised access to user’s accounts without their login details.

In a blog post by Checkpoint, researchers discovered that flaws in the Epic Games account login page, could be exploited by attackers, to perform a malicious redirection to an attacker controlled Epic Games sub-domain, allowing them to capture the authentication token required to access a user’s account.

Checkpoint identified that the sub-domain ‘’, a legacy service used by the classic game Unreal Tournament, was vulnerable to old school Cross Site Scripting (XSS) and SQL injection attacks. By exploiting these vulnerabilities, Checkpoint planted a JavaScript on the ut2004stats server, which was responsible for resending and capturing token requests.

This was tested using Fortnite’s Facebook login, but it is understood that any of the authentication providers (Google, PlayStation, X-Box etc.) would have been impacted too.

By simply sending a message to a user that contains a link promising free game credits (v-bucks), victims are enticed to click the link which results in the authentication token being captured, without the need for login details to be entered.

Once captured the attacker will have full access to the users account and all the personal information contained within it. This includes the ability to make huge in game purchases using the credit card information attached to the account. By gifting these purchases to another hacker-controlled account they can be sold on to other users to make real world cash, thus helping to fund further cyber criminals activities.

Checkpoint have confirmed that they disclosed the vulns to Epic Games prior to going public, and they have since patched and resolved all issues.

We recommend:

  • Being on the lookout for Fortnite scams, this is not the first and won’t be the last.
  • Never click on links that promise free goods, skins and credits (v-bucks), even those sent from friends.
  • Enable two factor authentication, to ensure reauthentication from any new devices trying to access your accounts.

For a more technical breakdown of the attack please the Checkpoint Research Site.

Pre-Valentine’s Love Letters deliver Malware

It’s not even February yet, and we are already seeing Valentines cards in the local shops and Love letter Malspam in our email. A huge malware spam campaign dubbed ‘Love Letter’ has been found in the wild and is delivering more than just the usual romantic terms of endearment.

The Love Letter campaign sends out romantically titled emails containing malicious ZIP file attachments, which when opened includes a JavaScript file that infects the victim’s machine with not so loving malware.  Distributed by this campaign is malware such as GandCrab ransomware and XMRig crypto coin miners.

On top of these infections, researchers also found that an infected host became a node in the Phorpiex Spambot, which is then used to increase the spread of this malspam campaign.

Look out for emails that are sent from the following addresses or contain the following subjects and never open attachments from unknown or untrusted sources.

  • From: Teddy Bailey <Teddy31@8038[.]com>
  • From: Imogene Carter <Imogene99@0354[.]com>
  • From: Imelda Jones <Imelda31@1529[.]com>
  • From: Ted Hall <Ted93@4302[.]com>
  • From: Deanne Harris <Deanne11@5387[.]com>
  • Subject: Always thinking about you
  • Subject: Felt in love with you!
  • Subject: I love you
  • Subject: Just for you!
  • Subject: My letter just for you
  • Subject: My love letter for you
  • Subject: Wrote this letter for you
  • Subject: : D

A technical breakdown can be found on the SANS ISC Diary pages.

Collection #1 Data Breach

Troy Hunt’s Have I Been Pwnd Service has been hard at work this week, informing users that have been impacted by the latest data breach, Collection #1.

Collection #1 is being used as a credential stuffing list, which basically means it contains a huge amount of email address and password data that has been collected from multiple different data breaches, that hackers can then use to automatically try and break into user’s accounts.

Troy reports that this is the single largest breach he has loaded into HIBP. In terms of numbers it includes a total of 2.69 billion credentials; 1.16 billion unique combinations of email address and password; nearly 773 million unique email addresses and 21 million unique passwords.

Importantly Collection #1 contains approximately 140 million new email addresses not previously listed in HIBP.

To find out if your details are included in the Collection #1 breach, access and enter your email address.

Attackers use Credential stuffing lists to prey on the fact that victims will have reused their email addresses and passwords on multiple sites, so stay safe by adopting password best practices. Use unique complex passwords every time and do not reuse the same password twice.

If remembering your passwords is becoming a challenge, then give a password manager a try, there are a few to choose from, such as 1Password or LastPass.

Running a TP-Link VPN Router? Then it’s Time to Patch

Small to Medium business and home office users running TP-Link VPN Router devices, are recommended to update their device firmware, after multiple vulnerabilities were disclosed to the manufacturer by Cisco Talos.

These vulns, which include critical remote code execution and denial of service flaws, specifically affect the TP-Link TL-R600VPN gigabit broadband VPN Router product, using firmware versions 1.2.3 and 1.3.0.

It is the HTTP server component of the router that is vulnerable to exploit. This allows malicious actors to crash the device HTTP server, as well as running malicious code on the router, that not only compromises the device, but can also lead to further network and data compromise. We have seen evidence of this in the last year with the VPNFilter malware that infected over 500,000 devices worldwide.

Keeping up with the latest security patches is critical for businesses large and small, to defend against cyber threats, and while businesses may ensure that PCs and Servers are updated regularly, devices such as internet routers, network switches and IOT devices, are often forgotten about. Make sure that you include these types of devices when reviewing and deploying your regular updates.

For a deep dive breakdown of the vulnerabilities mentioned here see the blog post on

HMRC Tax Refund Phishing Emails

To close out this weeks round-up we just want to remind readers of the increased level of tax scams and phishing campaigns that are in circulation at the moment. We are in the middle of the Self-Assessment peak for HMRC where all UK tax payers are required to submit and pay their tax self-assessments by January 31st, which makes it a prime time for criminals to benefit from their scams.

These scams generally come in the form of genuine looking phishing emails, but more commonly we are seeing cold calling used as the delivery method. The aim of these scams is to steal your personal information and identity but can also lead to stealing money from your bank accounts.

Below is a typical example of a tax refund scam email we have dealt with this week.

Tax scam email

Some key things to look out for:

  • The sender states it’s from but the actual address is something very different.
  • In this email there is no HMRC logos etc. this may not always be the case though, actors also use official logos to make the emails look more convincing.
  • The link contained to login and collect your refund does not take you to a HMRC website. By simply hovering over the link you can check where its going to send you. Never just click on links in emails.
  • Although HMRC do contact taxpayers by email they will always include your unique taxpayer reference number in any contact with you, and they are no longer including links in there official emails.

For guidance on how to recognise real HMRC contact please see the official website.

As always, remain aware and stay safe online.

And that’s it for this week, please don’t forget to tune in for our next instalment.

Sign Up

To keep up to date with our news and posts why not join our mailing list by using the link to subscribe:

You can also follow us using the social media links provided.

If your business needs to improve its security, kick-start your Cyber plans with our Free Cyber Assessment:


Ironshare – Security Simplified


Edition #25 – 18th January 2019