Runescape phish claims your email has been changed

Runescape phish claims your email has been changed

A Runescape-themed missive landed in our email inbox today, claiming action is required to secure our account.

The malicious email and the scam behind it are perfect examples of one of the more reliable tactics in the world of phishing—fooling a victim into thinking they need to take some action as part of a larger, ongoing process. With this tactic, phishing email recipients could ask themselves: Is this a mis-sent mail? Should I jump in halfway through whatever’s being proposed and course correct? Will I be sent additional worrying emails if I don’t?

As bait, it’s perfect.

The scam

This email is being fired out to random addresses; it’s not a targeted attack. The phisher is simply hoping that of all the recipients, a few have an account with the service they’re imitating. In this case, the mail is spoofing players of Runescape, the popular free MMORPG title from Jagex. It reads as follows:

“Your email address has been changed”

YOUR EMAIL ADDRESS
HAS BEEN CHANGED

You have successfully changed the registered email address for your RuneScape and Old School RuneScape account.

Your account log-in details remain unchanged but your registered email address for all future password resets will be: [email removed]

To cancel this change, please click on the button below.

CANCEL CHANGE

Button not working for you? Copy the URL below into your browser:

Recipients may panic that their address has been accidentally added to someone else’s account and want to fix it as soon as possible. Alternatively, they may actually havea Runescape account and worry at the sight of seeing an unfamiliar email address as the “new” address for the account. Either way, people will click the link to see what this is all about.

The scam site

The site claims to be Old School Runescape, making use of a URL similar to the real thing. It asks visitors for a variety of data. First up is email / username and password.

Bogus login request

Secondly, it asks for the visitor’s authenticator code. Lastly, the site asks for their bank PIN.

In Runescape, the “bank” is where the player stores their items. Someone with access to all of this can perform a fairly comprehensive clean-out of the victim’s account.

Discordant behaviour

The manner of sending the victim’s information is quite interesting. Looking at the code on the final submission page reveals the following reference to Discord:

Discord Webhooks

This is a technique where JavaScript is used to send automated messages to Bots in Discord channels via Webhooks. The email, password, authenticator code, and bank PIN will in theory all be posted to whichever channel the Bot resides. From there, people may be sitting waiting for new messages to pop up and then steal the account manually before the authentication codes expire.

Avoiding Runescape phishing attempts

Runescape has plentiful support guides to help steer players away from harm. A list of the most popular scam attempts can be found on their forum. Note that “Your email address has been changed” is listed, along with the following explainer:

Note how a phishing email says the change will be made unless you click something. If someone tries to change your email, Jagex will send an email to confirm the change before any changes are made. No changes are made if you don’t confirm it.

There’s also a dedicated phishing report centre, and several support articles which cover:

For a more detailed dive into phishing and tips for avoiding all manner of phish attack techniques, read our in-depth guide.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.