Epic Games Ignored Epic Subdomain Takeover on their Authentication Domain, Promoted $1 Million Bounty to Address User Complaints

A global hacking group took over Epic Games subdomains, then the problem was swept under the rug by Epic Games.

At the end of March 2020, Epic Games posted on its Twitter account a $1 million bounty for anyone who could provide information about any corporate astroturfing spreading rumors about Epic Games, particularly with regard to Epic Games’ House Party users complaining about being hacked.

Above, you’ll notice that Miami.edu was amongst the domains that previously hosted poisonPDF malware from this attacker group — their content previously hosted on pages like this Google cached copy @ http://webcache.googleusercontent.com/search?q=cache:Fn07uKMOxoQJ:info-online.miami.edu/differential-equations-and-linear-algebra-2nd-edition-solutions.pdf+&cd=13&hl=en&ct=clnk&gl=us
Malicious landing page from @ (WARNING:https://readisthe(.)best/downloads/roberts-rules-or-order-11th-edition)
Malicious signup from @ (WARNING: https://my-ebooks(.)club/books/signup-spry/#/z=FewwkXjXsa2CjiD25Fqnsh/theme=default/q=Roberts+Rules+Or+Order+11th+Edition/s1=/s2=/s3=/s4=/s5=/source_id=443ed029-2269-503a-ee44-3a36418e5189/project=yYMfRn/mh_offer_id=/dp=36WOjCfD8VJfXttshhErUe/m=/c_bg=/c_img1=/c_img2=/c_color=/source=Referral/software=Browser/domain=cdn.bkc1a(.)club/)

Criminal Group Running Redirection Scams and Domain/Subdomain Takeovers Hit Epic Games House Party Subdomains, Epic Games Downplays User Risk with Technical Incompetence

As mentioned above, a wide range of subdomains were hijacked on “TheHousePartyApp.com” — which is owned by Epic Games.

Epic Games was even given the name of the attackers, a link to a news article about the attackers, and details about these phishing / credit card attacks that have gone on for years.

I’ve named the attackers who commit this work the “Pickaflick.com Crew” due to the fact that they have been operating various credit card scams for a decade or more (and were basically named this in the past) — you can see their legacy “PickaFlick.com” website @ http://web.archive.org/web/20140121175615/http://pickaflick.com/

Some of these domains have fixed their redirection SPAM from the PickaFlick crew, but many haven’t…

Architecture of Credit Card and Phishing Fraud

Custom PHP malware for special domains from PickaFlick crew

PickaFlick.com Complaints in BBB, News Coverage Prove Multi-Year Campaigns

The Better Business Bureau has a webpage for PickaFlick that includes complaints from 2017 and 2019 with users complaining about very small fraudulent credit card charges and the company requesting copies of credit card and debit card statements to get charges removed:

Were the Epic Games House Party Users Hijacked? Ubiquiti Inc HackerOne Ticket Shows Risk of Subdomain Auth Takeovers.

As part of my efforts to explain to Epic Games the risks of an auth subdomain takeover by the PickaFlick crew, I shared a public ticket showing how a security researcher hijacked a Ubiquiti subdomain and explained how it could be used to attack users…

Conclusion:

Credit card fraud is complicated, and so is phishing user credentials through authentication-based session attacks and PHP redirects.

Founded/Co-founded 6 companies (🎞,☎️,🔌,📊,👨‍🏫,🐔), digital team for Obama 08’ + numerous other campaigns, motto = Research. Build. Test. Repeat. // whitehat
