Captain America arrived on Fortnite in time for the 4th of July celebration. This announcement was big news to the gaming community, with search terms such as “fortnite captain america skin” and “fortnite captain america” significantly rising in popularity on Google in the past week. The update also required hours of server downtime to make way for maintenance.

Days before the scheduled downtime and update, our typosquatting data feed detected dozens of domain names closely related to Fortnite. That is consistent with how domain registration behavior reflects newsworthy events. We take a closer look in this post, notably by running a host to IP and DNS analysis.

WHOIS Data Comparison: Fortnite-Inspired Domains versus Epic Games Domain

The Typosquatting Data Feed picked up close to 50 domain names related to Fortnite on 1 July 2020, the same day they appeared in the Domain Name System (DNS). Here are a few of them:

• fortniteformodle[.]com
• fortniteformobi[.]com
• fortniteformpbile[.]com
• fortnitefreemobile[.]com

It is interesting to note that Fortnite does not have a dedicated website. Instead, Epic Games, its creator, only hosts a web page for the game and all other games the company created.

The domain registrations could be part of Epic Games’s typosquatting protection strategy. Yet the differences in the WHOIS records of Epic Games’s official website and the potential typosquatting domains might indicate otherwise.

WHOIS Records of Lookalike Domains

Using a bulk WHOIS lookup, we found that each of the 50 potential typosquatting domains shares the same privacy protection service, nameserver, registrar, and address.

• Registrar name: Tucows, Inc.
• Nameservers: ns15[.]above[.]com and ns16[.]above[.]com
• Creation date: 30 June 2020
• Registrant name and organization: Contact Privacy Inc.
• Registrant address: 96 Mowat Ave, Toronto, Canada

WHOIS Records of the Epic Games Official Domain

All of the details cited above differ from those in the WHOIS record of epicgames[.]com. Epic Games’s domain was created in 1995 and registered with the organization name “Epic Games, Inc.” with an address in North Carolina, U.S.

A DNS lookup revealed that the domain resolves to these IP addresses (at the time of writing):

• 52[.]23[.]121[.]216
• 52[.]0[.]226[.]220
• 3[.]94[.]26[.]26
• 52[.]87[.]65[.]189
• 107[.]23[.]187[.]0
• 54[.]86[.]164[.]3
• 54[.]88[.]3[.]65
• 52[.]200[.]193[.]112

According to IP Geolocation API, these IP addresses belonged to Amazon with Autonomous System number (ASN) 14618.

The domain also uses the nameserver “ns-1094[.]awsdns-08[.]org.”

A Deeper Host to IP and DNS Analysis of the Fortnite Lookalike Domains

A DNS lookup revealed that several of the likely typosquatting domains share the IP addresses 70[.]32[.]1[.]32 and 170[.]178[.]168[.]203 (again, at the time of writing).

An IP geolocation lookup, on the other hand, indicates that 170[.]178[.]168[.]203 is a U.S.-based IP address with ASN 46844 owned by Sharktech. Among the domains associated with the IP address are what look to be adult sites, as shown in the latter half of this screenshot:

On the other hand, 70[.]32[.]1[.]32 is also a U.S.-based IP address, but GigeNET owns it with ASN 32181. It’s interesting to note that the IP address is also associated with one of the adult sites. Other associated domains are shown below as well.

What’s more, our threat intelligence data and VirusTotal warned that both IP addresses could carry malware. The Fortnite lookalike domains may therefore be dangerous and possibly used by threat actors to, for example, lure gamers into clicking a link to a malware-laden page.

The slew of domain names inspired by Fortnite could be an attempt to maliciously get into the gamers’ network. By detecting typosquatting domains early, Epic Games and other video game creators could help protect their users from cybercrime.