A new RuneScape-themed phishing effort has been found by security experts, and it sticks out among the others for being unusually well-crafted. RuneScape is a free online massively multiplayer online role-playing (MMORPG) game initially launched two decades ago and is still played by millions of people.
For many years, the “Old School” edition had witnessed gradual growth in active players, with a significant jump in 2019 when the makers published a mobile version. Malwarebytes has discovered a new phishing effort that uses a phony email change notification to target gamers of both the Old School and standard (RuneScape 3) versions.
The first email seems to originate from Jagex support, the creator and publisher of the RuneScape franchise and informs the recipient of a successful email change for both editions. The message indicates that all login information is still valid, but the registered email address for any future password resets has been changed to a fake address.
Recipients who do not agree with the change should click the “CANCEL CHANGE” button in the email body. If the button doesn’t function, the fraudsters will supply a URL for victims to manually copy and paste into their browser. In both circumstances, the victim is sent to a phishing site with a domain name similar to the official gateway that employs legitimate artwork and style to look genuine.
This fraudulent login encourages users to input their login credentials in order to cancel the account’s change of email addresses. The victims input their account credentials on the phishing site since they haven’t changed. After then, a second webpage appears, requesting the victim’s RuneScape in-game bank PIN.
Banks are virtual game item stashes that players establish by paying real money or spending a lot of time gathering rare in-game goods in RuneScape. Victimized gamers offer phishing crooks complete access to all products they gathered by handing away their bank PIN and account information. Phishing crooks may then transfer the items or take over the accounts and sell them to interested persons.
Malwarebytes discloses that JavaScript code on the phony login page transfers the stolen data to the attackers via a Discord Webhook, which broadcasts it to a channel controlled by the attacker. Threat actors might be waiting for new communications to come there, then moving rapidly to take control of their victims’ accounts before the authentication codes expire.
Recently, Cyble released a report on a new version of the data-stealer software Hazard Token Grabber, which additionally uses webhooks to exfiltrate stolen data to Discord channels. Discord Since malware operators recognized the possibilities of webhooks, abuse has been prevalent. The platform previously said that it is aggressively identifying and stopping this behavior, but the volume of malicious actions is too large for them to handle.
If you’re concerned about the security of your RuneScape account, keep in mind that Jagex support will never change your email address unless you confirm the change. Therefore, all of those “surprise” emails are phishing. The game also maintains a phishing report center on the forums to keep players safe from these fraud campaigns. So, make sure to report suspicious messages there.
Finally, never click on the email body’s embedded buttons. If you receive an email claiming your account has been compromised, go to the game’s official website and log in manually to examine any notifications.
