RuneScape Phishing Steals In-Game Item Bank Accounts and PINs

Cybersecurity researchers have discovered a new RuneScape-themed phishing campaign, and it stands out among the various operations for being exceptionally well-designed.

RuneScape is a free-to-play online MMORPG first released two decades ago that continues to be popular in the gaming community and is enjoyed by millions of gamers.

Its “Old School” edition has seen a steady increase in active players for many years and a massive spike in 2019 when the developers released a mobile version.

The latest phishing campaign, spotted by Malwarebytes, attempts to target Old School and Standard Edition (RuneScape 3) players via a fake email change notice.

It starts with an email

The initial email claims to be from Jagex Support, the developer and publisher of the RuneScape series, notifying the recipient of a successful email change for both editions.

The message claims that all login information remains unchanged, but the registered email address for all future password resets has been replaced with a fake address.

Phishing email sent to RuneScape users (Malwarebytes)

Recipients who disapprove of this change are asked to click the “CANCEL CHANGE” button, which is embedded in the body of the email. Alternatively, if the button doesn’t work, the crooks provide a URL that victims can manually copy and paste into their browser.

In both cases, the victim is directed to a phishing site that has a domain name close to that of the genuine portal and uses legitimate artwork and styling to make it appear genuine.

This fake login prompts users to enter their login credentials to undo the change of email addresses associated with the account.

The phishing site that steals player credentials (Malwarebytes)

Since the account credentials have not changed, the victims enter them on the phishing site. Upon doing so, a second webpage loads, asking the victim to provide their RuneScape in-game banking PIN.

Web page asking for victim’s bank PIN (Malwarebytes)

Banks in RuneScape are caches of virtual game items that players build by paying real money or spending many hours collecting rare in-game items.

By giving their bank PIN and account credentials, victimized gamers give full access to all the items they have collected to phishing scammers, who can then transfer the items or take over the accounts and sell them to interested people.

Abusing Discord to steal accounts

According to Malwarebytes, the JavaScript code running on the fake login page sends the stolen data to attackers via a Discord Webhook, which posts it to a channel under the attacker’s control.

Presence of the Discord reference in the code (Malwarebytes)

There, threat actors could sit and wait for new messages to arrive and act quickly to take control of their victims’ accounts before passcodes expire.

Today, Cyble published a report on a new version of the information-stealing malware Hazard Token Grabber, which also exfiltrates stolen data to Discord channels using webhooks.

Misuse of Discord webhooks has been rampant ever since malware operators discovered their potential. The platform told Bleeping Computer that it was actively detecting and blocking this activity some time ago, but the volume of malicious operations is obviously far too high to contain.
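For defenders triaging a reported login page, the two signals described above (a host that only resembles the genuine portal, and page script that references a Discord webhook) can be checked mechanically. The following is an added example, not code from Malwarebytes or the original article; the domain allowlist, function names and sample data are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: registrable domains treated as official; adjust to your own allowlist.
OFFICIAL_DOMAINS = {"runescape.com", "jagex.com"}

# Discord webhook endpoints have the form /api/webhooks/<id>/<token>.
WEBHOOK_RE = re.compile(
    r"https?://(?:[a-z]+\.)?discord(?:app)?\.com/api(?:/v\d+)?/webhooks/\d+/[\w-]+",
    re.IGNORECASE,
)

def is_official_host(url):
    """True only if the URL's host is an official domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def find_webhook_refs(page_source):
    """Return Discord webhook URLs found in HTML/JavaScript, with the token redacted."""
    refs = []
    for match in WEBHOOK_RE.finditer(page_source):
        base, _token = match.group(0).rsplit("/", 1)
        refs.append(base + "/<redacted>")
    return refs

def triage(url, page_source):
    """List the reasons a captured login page looks suspicious (empty if none)."""
    findings = []
    if not is_official_host(url):
        findings.append("host is not an official domain")
    hooks = find_webhook_refs(page_source)
    if hooks:
        findings.append("script references Discord webhook: " + ", ".join(hooks))
    return findings

# Constructed sample: a lookalike host and a script fragment holding a webhook URL.
SAMPLE_URL = "https://secure.runescape.com.account-help.example/cancel"
SAMPLE_SOURCE = """
<form id="login"><input name="username"><input name="password"></form>
<script>var endpoint = "https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED_TOKEN";</script>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_URL, SAMPLE_SOURCE):
        print(finding)
```

The host check compares whole domain labels, so a name that merely contains or starts with the official domain is still flagged. The same webhook pattern can be applied to web proxy logs to spot browsers posting to webhook endpoints from non-Discord pages.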

How to stay safe

If you are a RuneScape player and are concerned about your account security, note that Jagex Support will never change your email address until you confirm the action. All these “surprise” e-mails are therefore phishing.

The game also maintains a phishing report center on the forums to help protect players from these scam attempts, so be sure to submit suspicious messages there.

Finally, never click on buttons embedded in the body of the email. If you receive an email with complaints about your account, manually visit the game’s official website and log in from there to check the alerts.