This Runescape phishing scam could leave you seriously out of pocket

Two male characters in armor fighting each other
(Image credit: Jagex)

Naive Runescape players are being targeted by a dangerous phishing scam that targets their in-game valuables..

Cybersecurity researchers from Malwarebytes have spotted a brand new phishing campaign that starts with an email to Runescape players, pretending to be from Jagex support, the company that built, and maintains the game.

In the email, the victim is warned that the email address associated with the account was changed.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Stealing virtual belongings

The email also says that while the username and the password for the game haven’t been changed (this is essential, we’ll get back to this a bit later), the change of the email means that any future changes to the credentials will go to the new address. 

Further down in the email, the victims are provided with a button and a link, via which they can cancel the change. At the provided address, they’ll find a phishing site that looks almost identical to the legitimate Runescape login site, and whose domain is as close to the legit portal as it can be.

There, they can log in using their credentials (which haven’t been changed, remember?). Once they try to log in, the data is automatically sent to a Discord channel owned by the crooks. 

But that’s not all. The attackers have also come up with an “additional security measure”. After entering the login credentials, the users are also required to enter their in-game bank PIN number. And that’s where the real pain starts.

Runescape is a massively multiplayer online role-playing game, more than two decades old, and free to play. In it, players can obtain rare items, either through hard grinding, or through purchases - using real cash. They can store these valuables in their in-game bank, and even though it might sound silly to some, these accounts can grow to thousands of dollars in value.

If the attackers get their hands on the login credentials, and the in-game bank PIN, they can easily log into the account from their endpoint, transfer these valuables to another account, where they can sell them to a third party for real cash.

As usual, users are warned to always be wary of any incoming emails, especially those carrying links and attachments. 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Smartphone with new logo X twitter app background. Application twitter old blue bird change X black and white new.
Phishing campaign targets prominent X users, accounts at risk
Steam scam alert.
Watch out, this convincing Steam scam could risk your entire game library
Fraude en ligne phishing
Google forced to step up phishing defenses following ‘most sophisticated attack’ it has ever seen
Paper craft illustration of a suspicious email that contains a snake
How to spot a phishing email
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft authentication system spoofed via phishing attack
Hacker Typing
This devious two-step phishing campaign uses Microsoft tools to bypass email security
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Three iPhone 16 handsets on show
Apple could launch an iPhone 17 Ultra this year – but we've heard these rumors before
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough
Ray-Ban smart glasses with the Cpperni logo, an LED array, and a MacBook Air with M4 next to ecah other.
ICYMI: the week's 7 biggest tech stories from Twitter's massive outage to iRobot's impressive new Roombas
Brad Pitt looks over his right shoulder with 'F1' written behind him
Apple Original Films will take you behind-the-scenes of a racing cockpit in this new thrilling F1 movie trailer
AI writer
Coding AI tells developer to write it himself
Reacher looking down at another character from the Prime Video TV series Reacher
Reacher season 3 becomes Prime Video’s biggest returning show thanks to Hollywood’s biggest heavyweight