This Runescape phishing scam could leave you seriously out of pocket

News
By published

Runescape players targeted for their valuables

Two male characters in armor fighting each other
(Image credit: Jagex)

Naive Runescape players are being targeted by a dangerous phishing scam that targets their in-game valuables..

Cybersecurity researchers from Malwarebytes have spotted a brand new phishing campaign that starts with an email to Runescape players, pretending to be from Jagex support, the company that built, and maintains the game.

In the email, the victim is warned that the email address associated with the account was changed.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Stealing virtual belongings

The email also says that while the username and the password for the game haven’t been changed (this is essential, we’ll get back to this a bit later), the change of the email means that any future changes to the credentials will go to the new address. 

Further down in the email, the victims are provided with a button and a link, via which they can cancel the change. At the provided address, they’ll find a phishing site that looks almost identical to the legitimate Runescape login site, and whose domain is as close to the legit portal as it can be.

There, they can log in using their credentials (which haven’t been changed, remember?). Once they try to log in, the data is automatically sent to a Discord channel owned by the crooks. 

Read more

> Phishing attacks hit more businesses than ever last year

> These companies are the most impersonated in email phishing campaigns

> LinkedIn is becoming a paradise for phishing attacks

But that’s not all. The attackers have also come up with an “additional security measure”. After entering the login credentials, the users are also required to enter their in-game bank PIN number. And that’s where the real pain starts.

Runescape is a massively multiplayer online role-playing game, more than two decades old, and free to play. In it, players can obtain rare items, either through hard grinding, or through purchases - using real cash. They can store these valuables in their in-game bank, and even though it might sound silly to some, these accounts can grow to thousands of dollars in value.

If the attackers get their hands on the login credentials, and the in-game bank PIN, they can easily log into the account from their endpoint, transfer these valuables to another account, where they can sell them to a third party for real cash.

As usual, users are warned to always be wary of any incoming emails, especially those carrying links and attachments. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Smartphone with new logo X twitter app background. Application twitter old blue bird change X black and white new.
Phishing campaign targets prominent X users, accounts at risk
Steam scam alert.
Watch out, this convincing Steam scam could risk your entire game library
Fraude en ligne phishing
Google forced to step up phishing defenses following ‘most sophisticated attack’ it has ever seen
Paper craft illustration of a suspicious email that contains a snake
How to spot a phishing email
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft authentication system spoofed via phishing attack
Hacker Typing
This devious two-step phishing campaign uses Microsoft tools to bypass email security
Latest in Security
DeepSeek on a mobile phone
More US government departments ban controversial AI model DeepSeek
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
NordProtect logo
Standalone identity theft protection from Nord Security is now available
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
Ofcom cracks down on UK tech firms, will issue sanctions for illegal content
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
These fake GitHub "security alerts" could actually let hackers hijack your account
3d rendering of a submarine power cable on the seabed
Subsea internet cables can now ‘listen’ for sabotage using irregular pulses of light
Latest in News
an image of the Samsung Galaxy S24 Ultra
Finally! One UI 7 has a release date - here are the Samsung phones that’ll get it first
Google Cloud logo
Google to acquire cloud security platform Wiz in $32 billion deal
GIMP 3.0 interface from the website
Our favorite free photo editor finally got the update it deserves - and these are the top 5 features designers should know about
A still from a promo image for the second season of Severance showing the character Mark holding blue balloons in a hallway
Macrodata Refiners rejoice, Google has rewarded us with a virtual balloon party ahead of the Severance season 2 finale
DeepSeek on a mobile phone
More US government departments ban controversial AI model DeepSeek
FCC filing for the Nothing CMF Buds 2 Plus
Nothing’s next-gen CMF cheap earbuds slated to arrive within the month, but don’t expect hi-res audio support
More about security
Trojan

Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system

These fake GitHub "security alerts" could actually let hackers hijack your account
DeepSeek on a mobile phone

More US government departments ban controversial AI model DeepSeek
See more latest
Most Popular
DeepSeek on a mobile phone
More US government departments ban controversial AI model DeepSeek
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
A still from a promo image for the second season of Severance showing the character Mark holding blue balloons in a hallway
Macrodata Refiners rejoice, Google has rewarded us with a virtual balloon party ahead of the Severance season 2 finale
an image of the Samsung Galaxy S24 Ultra
Finally! One UI 7 has a release date - here are the Samsung phones that’ll get it first
GIMP 3.0 interface from the website
Our favorite free photo editor finally got the update it deserves - and these are the top 5 features designers should know about
Google Cloud logo
Google to acquire cloud security platform Wiz in $32 billion deal
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
These fake GitHub "security alerts" could actually let hackers hijack your account
MOZA sim accessories
The cutting-edge controllers that'll make your sim feel incredibly real
FCC filing for the Nothing CMF Buds 2 Plus
Nothing’s next-gen CMF cheap earbuds slated to arrive within the month, but don’t expect hi-res audio support
AMD RX 9070 GPU models
We won't be seeing any Radeon RX 9000 series GPUs from MSI - AMD prioritizes other board partners instead