How does a phishing website work?

Phishing emails, we all know them. The emails that seem legit, but there is something phishy going on. The goal of phishing emails is to steal information from you, such as login credentials, which the phisher can then use to log into your accounts and, for example, steal money. Some of you may have seen those phishing emails but were vigilant enough not to click on them. However, there are tons of people who fall victim to well-crafted phishing emails and click on the link. Some of them then fill in their credentials on the phishing website and hand the attacker valuable information. Today, I’ll show how such a phishing site works and what tricks it uses to deceive you.

Old wounds

I picked a phishing site that has a personal touch: a Runescape phishing website. For people unfamiliar with Runescape, it is a massively multiplayer online role-playing game (MMORPG) that you can play in a browser. It was released in 2001 and became popular. In Runescape, you can make money by farming resources and trading them for more valuable items or currency. The first time I was scammed online was while playing Runescape, when a player tricked me into trading a valuable item for very little currency. It was a sad day, but I learned a valuable life lesson: when something looks too good to be true, it probably is.

Another way people have tried to make in-game Runescape money is by hacking other players’ accounts, for example by luring them to a fake Runescape website with freebies, where they need to log in with their credentials. That is exactly the kind of website we’ll be looking at in this article.

hXXps://services[.]runescape.com-en[.]ru/m=forum/forums[.]ws449,495,917,35418172,1124

The link tries to fool you by starting the hostname with “services.runescape”, but those are only subdomain labels; the actual registered domain of the website is “com-en[.]ru”. Using “com-en” as a domain is smart because most websites end with .com and their links often contain “en”, which stands for the English version of the website.
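As an added example (not part of the original post), here is a small Python check that refangs the defanged link above, pulls out the hostname the browser will actually connect to, and flags a known brand name appearing anywhere in a hostname whose registrable domain is not the brand's own, which generalizes slightly beyond the subdomain trick shown here. The allowlist of legitimate domains is an assumption for the example, and the registrable domain is approximated as the last two labels without a public-suffix list.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the brand's legitimate registrable domain.
LEGIT_DOMAINS = {"runescape.com"}


def refang(url: str) -> str:
    """Turn a defanged indicator (hXXps, [.]) back into a parseable URL."""
    return url.replace("hXXp", "http").replace("hxxp", "http").replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Assumption: no public-suffix list is
    used, so multi-part suffixes such as co.uk are not handled here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str) -> dict:
    """Report what the browser will really connect to and whether a known
    brand name is merely being used as a decoy elsewhere in the hostname."""
    host = urlsplit(refang(url)).hostname or ""
    reg = registrable_domain(host)
    brand_labels = {d.split(".")[0] for d in LEGIT_DOMAINS}
    if reg in LEGIT_DOMAINS:
        verdict = "legitimate"
    elif any(brand in host for brand in brand_labels):
        # Brand text is present, but the registrable domain is someone else's.
        verdict = "lookalike"
    else:
        verdict = "unknown"
    return {"host": host, "registrable_domain": reg, "verdict": verdict}
```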

Luckily, modern browsers such as Firefox highlight the domain name in the address bar. This makes it easier to verify that the website you are visiting is the one you intended to visit: a quick glance at the address bar tells you whether the site is a scam.

In the first picture below you see the phishing website; the picture under it is a forum post on the official Runescape forum. They look nearly identical.

On the phishing website, a post is displayed by a Twitch streamer named Sparc Mac. Sparc Mac has an average of 1416 viewers when he streams playing Runescape.

Sparc Mac is a known figure in the Runescape community, a reputation the phisher tries to use to lure a player into giving up their credentials. The fake post contains the following text:

Post your Runescape names on this thread. Giveaway will be hosted in the next 15 minutes. The purpose of this is because of Corona Virus, people need somebody to make their day, so I’m here for you guys.

  • Sparc Mac

In addition to borrowing that reputation, the phisher tries to create a sense of urgency by stating that the giveaway will be hosted in the next 15 minutes (!!!), so you have to be quick to reply to this post, otherwise you won’t receive any valuable freebies. The funny thing is that there is no time or date on the post. On top of all this, he also uses world events such as COVID-19 to add legitimacy to the giveaway claim, because hey, this fake Sparc Mac is a good guy who gives away free stuff during a pandemic.

So imagine you are a Runescape player who can receive some free currency or a valuable item just by replying to this thread. You scroll down to the bottom of the site, where there is a text field. You fill in your game name and hit post.

You’ll get redirected to a Runescape login page. Again, nearly identical to the official Runescape login page.

Again, imagine you want those freebies. You’ll rush to fill in your account information.

In Firefox I opened the web developer tools to see what happens when I click on submit.

The phishing website is now asking to verify my Runescape bank pin. This pin is used to access your in-game bank account where all your valuable items and currency are stashed.

In the web developer tools there is a tab called Network, which shows all network traffic. The first row shows a request that uses the POST method. This means the account credentials I typed in are sent to the phishing website, as can be seen under Location. In my web developer tools I can go to the Params tab, which shows the data I sent to the web server.

This means that the phisher has now retrieved your account credentials. However, this is not where the story ends. There is one more piece of information the phisher needs to steal all your in-game items: your in-game bank pin.

Your 15 minutes are almost up. You need to be quick to win those freebies! You fill in your pin: 1337.

When you hit the last number of your pin, you can see on the right side that your pin is also sent to the phishing website. However, the phisher needs one more piece of information to be sure he can compromise your beloved Runescape account, and that is your authenticator token. This is only needed when you have set up Multi-Factor Authentication (MFA) on your account, which means you have to provide both your account credentials and a temporary token.

You really want those freebies. You fill in your token: 130015.

An interesting note here is that the token has already been sent to the website, even though you have not clicked on continue yet. This is another trick phishers use: everything you type on their website is automatically sent to their server as you type it. Even if you did not fill in your full password and stopped when you realized this was a phishing website, they still gathered the part you typed, which they can use to guess the rest of the password.
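The per-keystroke exfiltration described above leaves a recognizable trace in request logs: a burst of POSTs to the same host whose form field value grows by exactly one character each time. The following Python detector is an added example, not part of the original post; the log lines are constructed, and the line format (time, method, host, form body) is an assumption made for the example.

```python
from urllib.parse import parse_qs

# Constructed proxy log lines for this example (not taken from the original post):
# "<time> <method> <host> <form body>".
LOG_LINES = [
    "12:00:01 POST com-en.ru token=1",
    "12:00:01 POST com-en.ru token=13",
    "12:00:02 POST com-en.ru token=130",
    "12:00:02 POST com-en.ru token=1300",
    "12:00:03 POST com-en.ru token=13001",
    "12:00:03 POST com-en.ru token=130015",
    "12:00:09 POST runescape.com q=search",
]


def parse_line(line: str) -> dict:
    """Split one log line into its parts and decode the form body."""
    ts, method, host, body = line.split(" ", 3)
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    return {"ts": ts, "method": method, "host": host, "fields": fields}


def find_keystroke_exfil(lines, min_run: int = 4) -> dict:
    """Flag (host, field) pairs where successive POSTs carry values that each
    extend the previous value by one character. Returns the longest value
    seen for each flagged pair, i.e. what the server has collected so far."""
    prev = {}  # (host, field) -> last value seen
    run = {}   # (host, field) -> length of the current one-character-growth run
    hits = {}
    for rec in map(parse_line, lines):
        if rec["method"] != "POST":
            continue
        for field, value in rec["fields"].items():
            key = (rec["host"], field)
            last = prev.get(key)
            grew_by_one = last is not None and value.startswith(last) and len(value) == len(last) + 1
            run[key] = run.get(key, 1) + 1 if grew_by_one else 1
            prev[key] = value
            if run[key] >= min_run:
                hits[key] = value
    return hits
```

A burst of this shape, where the field is a password, pin or token, is the signal that the page is shipping input as it is typed rather than on submit.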

After clicking on continue, you get redirected to the official Runescape website. More specifically, you get redirected to a forum search page. Weird, you thought you would be redirected to Sparc Mac’s post to claim your free prize? Probably somewhere around now you start to realize that you may have handed your precious Runescape account to a phisher. Oh well, now we all have a story that involves losing precious Runescape items. Let’s say it builds character.

What can you do to be more secure?

So what are the takeaways you can use to not fall for a phishing website?

  1. Look at the browser’s address bar to verify that you are on the correct website
  2. If something on a website looks slightly different from what you are used to, check the domain name of the website you are visiting
  3. If the offer looks too good to be true, it probably is
  4. If you are still in doubt about the legitimacy of the website you are visiting, you can go to VirusTotal and paste in the link

I hope this post gave you some insight into how a phishing website works. Be aware of phishing efforts, be vigilant, and stay secure!