
Phishing mails, we all know them: mails that look legitimate, but where something phishy is going on. The goal of a phishing mail is to steal information from you, such as login credentials, which the phisher can then use to log into your accounts and, for example, steal money. Some of you may have seen such phishing mails but were vigilant enough not to click on them. However, plenty of people fall victim to well-crafted phishing mails and click the link, and some of them go on to fill in their credentials on the phishing website, handing the attacker valuable information. Today I’ll show how such a phishing site works and which tricks it uses to deceive you.

Old wounds

I picked a phishing site that has a personal touch: a Runescape phishing website. For those unfamiliar with Runescape, it is a massively multiplayer online role-playing game (MMORPG) that you can play in a browser. It was released in 2001 and became really popular. In Runescape you can make money by farming resources and trading them for more valuable items or currency. The first time I was scammed online was while playing Runescape, when a player tricked me into trading a valuable item for very little currency. It was a sad day, but I learned a valuable life lesson: when something looks too good to be true, it probably is.

Another way people have tried to make in-game Runescape money is by hacking other players’ accounts, for example by luring them to a fake Runescape website with freebies, where they have to log in with their credentials. The website we’ll be looking at in this article is one of those.

hXXps://services[.]runescape.com-en[.]ru/m=forum/forums[.]ws449,495,917,35418172,1124

The link tries to fool you by putting “services.runescape” at the front, while the actual domain of the website, the part the phisher had to register, is “com-en[.]ru”; “services” and “runescape” are just subdomains the phisher created under it. Using “com-en” as the domain name is smart, because most websites end with .com and often have “en” somewhere in the link, where it stands for the English version of the website. Note that the phishing site is served over HTTPS: the padlock only tells you that the connection to com-en[.]ru is encrypted, not that com-en[.]ru is the site you meant to visit.
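To make the point concrete, here is an added example (not code from the original post) that takes the link apart the way a browser does and compares the registrable domain with the one you expected. It runs under Node.js using the built-in URL class; the `refang` helper, the two-label rule for the registrable domain and the function names are my own simplifications.

```javascript
// Added example, not code from the original post: take the phishing URL apart
// the way a browser does and compare the registrable domain with the domain
// you expected. Runs under Node.js (the WHATWG URL class is built in).

// The post writes URLs defanged (hXXps, [.]); turn that back into a real URL.
function refang(defanged) {
  return defanged.replace(/^hxxp/i, "http").replace(/\[\.\]/g, ".");
}

// Split a hostname into the part the attacker had to register (registrable
// domain) and the subdomains they could freely invent under it.
// ASSUMPTION: this takes the last two labels, which is right for .ru and .com
// but wrong for multi-label suffixes such as co.uk; a real check should use
// the Public Suffix List (for example the `psl` npm package).
function splitHostname(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return {
    registrable: labels.slice(-2).join("."),
    subdomains: labels.slice(0, -2).join("."),
  };
}

// The pieces that matter when judging a link.
function inspectUrl(rawUrl) {
  const url = new URL(refang(rawUrl));
  const { registrable, subdomains } = splitHostname(url.hostname);
  return {
    scheme: url.protocol.replace(":", ""),
    hostname: url.hostname,
    registrable,
    subdomains,
    path: url.pathname,
  };
}

// True only when the registrable domain is exactly the one you expect.
// "runescape" appearing somewhere in the hostname proves nothing.
function isExpectedSite(rawUrl, expectedDomain) {
  return inspectUrl(rawUrl).registrable === expectedDomain.toLowerCase();
}

// The link from the post, still defanged.
const PHISHING_URL =
  "hXXps://services[.]runescape.com-en[.]ru/m=forum/forums[.]ws449,495,917,35418172,1124";

console.log(inspectUrl(PHISHING_URL));
// { scheme: 'https', hostname: 'services.runescape.com-en.ru',
//   registrable: 'com-en.ru', subdomains: 'services.runescape',
//   path: '/m=forum/forums.ws449,495,917,35418172,1124' }
console.log("on runescape.com?", isExpectedSite(PHISHING_URL, "runescape.com")); // false
```

The check is deliberately strict: it compares the registrable domain, not whether the expected name appears anywhere in the hostname, because everything left of the registrable domain is free for the attacker to choose.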

Figure 01. Your browser highlights the domain name of the website you are visiting

Luckily, modern browsers such as Firefox highlight the domain name of the site you are visiting. This makes it easier to verify that the website you are on is the one you intended to visit: a glance at the address bar quickly tells you whether you have landed on a scam site.

The first picture below shows the phishing website; the picture under it is a forum post on the official Runescape forum. They are nearly identical in looks.

Figure 02. The phishing website
Figure 03. A post on the official Runescape forum

On the phishing website a post is displayed that is attributed to a Twitch streamer named Sparc Mac. Sparc Mac has an average of 1416 viewers when he streams Runescape.

Figure 04. SparcMac Twitch statistics

Sparc Mac is a well-known figure in the Runescape community, a reputation the phisher tries to exploit to lure a player into giving up their credentials. The fake post contains the following text:

Post your Runescape names on this thread. Giveaway will be hosted in the next 15 minutes. The purpose of this is because of Corona Virus, people need somebody to make their day, so I’m here for you guys.

  • Sparc Mac

In addition to borrowing that reputation, the phisher tries to create a sense of urgency by announcing that the giveaway will be hosted in the next 15 minutes (!!!), so you’ll have to be quick to reply to this post or you won’t receive any valuable freebies. The funny thing is that there is no time or date on the post. On top of all this, the phisher also uses world events such as COVID-19 to add legitimacy to the giveaway claim, because hey, this fake Sparc Mac is a good guy who gives away free stuff during a pandemic.

So imagine you are a Runescape player who can receive some free currency or a valuable item just by replying to this thread. You scroll down to the bottom of the site, where a text field is waiting. You fill in your game name and hit post.

Figure 05. You have a great account name

You get redirected to a Runescape login page. Again, it is nearly identical to the official Runescape login page.

Figure 06. The login screen of the phishing website, which looks identical to the official Runescape login screen

Again, imagine you want those freebies. You rush to fill in your account information.

Figure 07. You filled in your account credentials

In Firefox I opened the web developer tools to see what happens when I click on submit.

Figure 08. You only have to fill in your pin

The phishing website now asks me to verify my Runescape bank PIN. This PIN is used to access your in-game bank, where all your valuable items and currency are stashed.

In the web developer tools there is a tab called Network, which shows all network traffic the page generates. The first row shows a request that uses the POST method: the account credentials I typed in are being sent to the phishing website, at the address shown under Location. Selecting that request and opening the Params tab shows exactly which data I sent to the web server.
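Clicking through the Network tab request by request works for one site, but the same view can be exported as a HAR file (right-click the request list, "Save All As HAR") and analysed offline. The following is an added example, not code from the original post, that lists every POST in a HAR export together with the form fields it carried and masks the secret values so the report can be shared. It runs under Node.js. The HAR embedded in it is constructed for the example: the paths (login.php, pin.php, token.php), the field names and the use of a JSON body for the token are assumptions, not the phishing kit's real ones; only the host, the PIN and the token value come from the post.

```javascript
// Added example, not code from the original post: list every POST in a HAR
// export with the form fields it carried. Runs under Node.js. The HAR below is
// CONSTRUCTED: the paths and field names are assumptions, not the kit's own.

// Recover the submitted fields from a HAR request, whichever way the browser
// recorded them: parsed `params`, a raw urlencoded body, or a JSON body.
function fieldsOf(request) {
  const post = request.postData;
  if (!post) return {};
  if (Array.isArray(post.params) && post.params.length > 0) {
    return Object.fromEntries(post.params.map((p) => [p.name, p.value]));
  }
  if ((post.mimeType || "").includes("json")) {
    return JSON.parse(post.text || "{}");
  }
  return Object.fromEntries(new URLSearchParams(post.text || ""));
}

// Every POST in the capture: where it went and what it carried.
function postedFields(har) {
  return har.log.entries
    .filter((e) => e.request.method.toUpperCase() === "POST")
    .map((e) => {
      const url = new URL(e.request.url);
      return {
        host: url.hostname,
        path: url.pathname,
        status: e.response ? e.response.status : null,
        fields: fieldsOf(e.request),
      };
    });
}

// Field names that usually mean a secret left the browser (a heuristic).
const SECRET_FIELD = /pass|pin|token|otp|code|secret/i;

// Only the POSTs that carried a secret, with the secret values masked.
function secretsPosted(har) {
  return postedFields(har)
    .map((p) => ({
      ...p,
      fields: Object.fromEntries(
        Object.entries(p.fields).map(([k, v]) => [k, SECRET_FIELD.test(k) ? "*".repeat(String(v).length) : v])
      ),
      secretFields: Object.keys(p.fields).filter((k) => SECRET_FIELD.test(k)),
    }))
    .filter((p) => p.secretFields.length > 0);
}

// To analyse a real export instead: JSON.parse(require("fs").readFileSync(path, "utf8")).
const SAMPLE_HAR = {
  log: {
    version: "1.2",
    entries: [
      {
        request: { method: "GET", url: "https://services.runescape.com-en.ru/m=forum/forums.ws449,495,917,35418172,1124" },
        response: { status: 200 },
      },
      {
        request: {
          method: "POST",
          url: "https://services.runescape.com-en.ru/login.php", // path is an assumption
          postData: {
            mimeType: "application/x-www-form-urlencoded",
            params: [{ name: "username", value: "great_account" }, { name: "password", value: "hunter2" }],
            text: "username=great_account&password=hunter2",
          },
        },
        response: { status: 302 },
      },
      {
        request: {
          method: "POST",
          url: "https://services.runescape.com-en.ru/pin.php", // path is an assumption
          postData: { mimeType: "application/x-www-form-urlencoded", text: "pin=1337" },
        },
        response: { status: 200 },
      },
      {
        request: {
          method: "POST",
          url: "https://services.runescape.com-en.ru/token.php", // path and JSON body are assumptions
          postData: { mimeType: "application/json", text: "{\"token\":\"130015\"}" },
        },
        response: { status: 200 },
      },
    ],
  },
};

console.log(JSON.stringify(secretsPosted(SAMPLE_HAR), null, 2));
```

The three POSTs in the sample mirror the three things the post shows leaving the browser: credentials, bank PIN and authenticator token. On a real export the interesting column is `host`: a login form that posts to a host other than the one you think you are on is the whole story in one line.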

Figure 09. Your credentials are sent to the server

This means the phisher has now obtained your account credentials. However, this is not where the story ends. There is more information the phisher needs in order to steal all your in-game items: your in-game bank PIN.

Figure 10. The pin screen

Your 15 minutes are almost up. You need to be quick to win those freebies! You fill in your PIN: 1337.

Figure 11. The last bit of information the phisher needs to hack your account

When you hit the last digit of your PIN, you can see on the right side that the PIN is also sent to the phishing website. However, the phisher needs one more piece of information to be sure of compromising your beloved Runescape account: your authenticator token. This is only needed if you have set up multi-factor authentication (MFA) on your account, meaning you have to provide both your account credentials and a temporary token.

You really want those freebies. You fill in your token: 130015.

Figure 12. You fill in your authentication token

The interesting thing here is that the token has already been sent to the website even though you have not clicked continue yet. This is another trick phishers use: everything you type on their website is automatically sent to their server as you type it. So even if you stopped halfway through your password because you realised this was a phishing website, they have still gathered a partial password they can use to guess the rest. For the authenticator token the timing matters too: a time-based code is only valid for a short window, so receiving it the moment it is typed lets the phisher use it before it expires.
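The two behaviours described above, as an added example that is not code from the original post or from the phishing kit: one listener ships the field's value on every keystroke, another ships a fixed-length code the instant the last digit lands. It runs under Node.js without a browser; the `FakeInput` class stands in for an `<input>` element, `send` stands in for the kit's fetch/XHR call and only records what would have left the browser, and the field names and typed values are constructed.

```javascript
// Added example, not code from the original post: model of the "send every
// keystroke" and "send the code the moment it is complete" tricks, runnable
// under Node.js. FakeInput stands in for an <input>; `send` records what
// would have been sent. Field names and typed values are constructed.

// Minimal stand-in for an HTMLInputElement: holds a value and fires "input"
// listeners, which is what the real element does on every keystroke.
class FakeInput {
  constructor(name) {
    this.name = name;
    this.value = "";
    this.listeners = [];
  }
  addEventListener(type, fn) {
    if (type === "input") this.listeners.push(fn);
  }
  // Simulate a victim typing `text` one character at a time.
  type(text) {
    for (const ch of text) {
      this.value += ch;
      for (const fn of this.listeners) fn({ target: this });
    }
  }
}

// Trick 1: report the field's current value on every keystroke, not on submit.
// This is the shape a kit would use against a real <input>.
function exfilOnEveryKeystroke(field, send) {
  field.addEventListener("input", (ev) => send({ field: ev.target.name, value: ev.target.value }));
}

// Trick 2: for a fixed-length code (bank PIN, authenticator token), send as
// soon as the last digit lands, before the user presses continue.
function exfilWhenComplete(field, length, send) {
  field.addEventListener("input", (ev) => {
    if (ev.target.value.length === length) send({ field: ev.target.name, value: ev.target.value });
  });
}

// A victim types part of a password and stops. Returns every value the
// server received, in order.
function partialPasswordLeak(typed) {
  const sent = [];
  const password = new FakeInput("password");
  exfilOnEveryKeystroke(password, (m) => sent.push(m.value));
  password.type(typed);
  return sent;
}

// A victim types digits into a code field of the given length. Returns the
// values the server received (empty if they stopped short).
function codeLeak(typed, length) {
  const sent = [];
  const code = new FakeInput("token");
  exfilWhenComplete(code, length, (m) => sent.push(m.value));
  code.type(typed);
  return sent;
}

console.log(partialPasswordLeak("hunt")); // [ 'h', 'hu', 'hun', 'hunt' ]
console.log(codeLeak("130015", 6));       // [ '130015' ]
console.log(codeLeak("13001", 6));        // []
```

The defensive tell is exactly what the post spotted in the Network tab: a POST that appears while you are still typing, before you have pressed anything. Against the per-keystroke trick there is no partial safety in stopping early; against the code trick, the only safe code is the one you never typed.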

Figure 13. After hitting submit you get redirected to the official Runescape website

After clicking continue, you get redirected to the official Runescape website, more specifically to a forum search page. Weird, you thought you would be redirected to Sparc Mac’s post to claim your free prize? Probably somewhere around now you start to realise that you may have handed your precious Runescape account to a phisher. Oh well, now we all have a story that involves losing precious Runescape items. Let’s say it builds character.

What can you do to be more secure?

So what are the takeaways you can use to avoid falling for a phishing website?

  1. Look at the browser’s address bar to verify that you are on the correct website
  2. If something on a website looks slightly different from what you are used to, check the domain name of the website you are visiting
  3. If the offer looks too good to be true, it probably is
  4. If you are still in doubt about the legitimacy of the website you are visiting, you can go to VirusTotal and fill in the link

Figure 14. VirusTotal result of the Runescape phishing website

I hope this post gave you some insight in how a phishing website works. Be aware of phishing efforts, be vigilant and stay secure!
