

RuneScape is a fantasy massively multiplayer online role-playing game (MMORPG) that was created and marketed by Jagex. The game was first made available in January of 2001. RuneScape was initially a Java-based browser game. However, in 2016, the Java-based client was mostly phased out in favor of a standalone C++ client. The game now holds the title of the biggest and most frequently updated free MMORPG in the world, according to Guinness World Records.

What Happened?

Researchers working in the field of cybersecurity have uncovered a new phishing operation with a RuneScape theme that sticks out among the others because of how extraordinarily well-crafted it is.

The most recent phishing attack, which Malwarebytes discovered, sends a false email change notification to players of both the Old School and the standard (RuneScape 3) versions of the game in an effort to steal their personal information.

The email purports to come from Jagex support, the company that develops and publishes the RuneScape series, and informs the recipient of a successful email change for both versions.


You have successfully changed the registered email address for your RuneScape and Old School RuneScape account.

Your account log-in details remain unchanged but your registered email address for all future password resets will be: [email removed]

To cancel this change, please click on the button below.


Button not working for you? Copy the URL below into your browser:


According to the notification, all of the login information has remained the same; however, the email address that is recorded for any future password resets has been changed to an invalid address.

Recipients who do not agree with the modification are told to click the “CANCEL CHANGE” button, which can be found in the main body of the message. The scammers also supply a URL for victims to manually copy and paste into their browsers in the event that the button does not function properly.

In both instances, the victim is sent to a phishing website whose domain name is similar to that of the real gateway and which reuses authentic artwork and design in order to appear legitimate.

Users are prompted to submit their login credentials via this false login in order to revoke their request to alter the email address that is linked with their account.

The victims are able to input their credentials on the phishing site since the account’s credentials have not been updated. The victim is then prompted to enter their RuneScape in-game bank PIN on a second site that loads once they have completed the previous step.

Banks are virtual game item stashes that players build up in RuneScape either by paying real money or by spending a significant amount of time acquiring rare in-game items.

Phishing victims give the criminals full access to all of the items they have collected by handing over their bank PIN and account credentials. The criminals can then transfer the items to other accounts or take control of the accounts and sell the items to people who are interested in purchasing them.

According to Malwarebytes, the stolen information is sent to the perpetrators of the assault through a Discord Webhook, which then broadcasts the information to a channel that is controlled by the perpetrators. The code that runs on the phony login page is written in JavaScript.

There, the threat actors may be waiting for fresh messages to arrive, then moving fast to gain control of their victims' accounts before the authentication credentials expire.
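An added example, not from Malwarebytes or the original article, of how an analyst could triage saved page source for the pattern described above: credential inputs alongside a Discord webhook endpoint. It goes slightly beyond the article by also rescanning base64 string literals; the field names and the sample page, including its webhook ID and token, are constructed placeholders.

```javascript
// Static triage of saved page source (added example, not the article's code).
// Flags pages that collect credentials and reference a Discord webhook endpoint.

// Discord webhook URLs look like https://discord.com/api/webhooks/<id>/<token>
const WEBHOOK_RE =
  /https?:\/\/(?:(?:ptb|canary)\.)?discord(?:app)?\.com\/api(?:\/v\d+)?\/webhooks\/(\d+)\/([\w-]+)/gi;
// Inputs asking for a password or PIN (these field names are assumptions).
const CRED_INPUT_RE =
  /<input\b[^>]*\b(?:type|name|id)\s*=\s*["']?(?:password|pin|bank_?pin)\b[^>]*>/gi;
// Quoted string literals long enough to hold a base64-encoded URL.
const B64_LITERAL_RE = /["'`]([A-Za-z0-9+/]{40,}={0,2})["'`]/g;

function findWebhooks(text) {
  return [...text.matchAll(WEBHOOK_RE)].map((m) => ({
    id: m[1],
    // Drop the token so the finding can be pasted into a ticket safely.
    redacted: m[0].slice(0, -m[2].length) + "<token-redacted>",
  }));
}

function triagePage(source) {
  const webhooks = findWebhooks(source).map((w) => ({ ...w, encoded: false }));
  // Decode base64 string literals and rescan the decoded text.
  for (const m of source.matchAll(B64_LITERAL_RE)) {
    const decoded = Buffer.from(m[1], "base64").toString("latin1");
    for (const w of findWebhooks(decoded)) webhooks.push({ ...w, encoded: true });
  }
  const credentialInputs = (source.match(CRED_INPUT_RE) || []).length;
  let verdict = "clean";
  if (webhooks.length > 0) {
    verdict = credentialInputs > 0 ? "likely-credential-exfil" : "webhook-reference";
  }
  return { verdict, credentialInputs, webhooks };
}

// Constructed sample page; the webhook ID and token are made-up placeholders.
const SAMPLE_PAGE = `
<form id="login">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<script>
  const hook = "https://discord.com/api/webhooks/000000000000000000/EXAMPLE-token_placeholder";
</script>`;

console.log(JSON.stringify(triagePage(SAMPLE_PAGE), null, 2));
```

A `webhook-reference` verdict only means the page mentions a webhook endpoint; it still needs manual review before being treated as malicious.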

Today, Cyble issued a report on a new version of the information-stealing malware Hazard Token Grabber. This variant of the virus additionally uses webhooks to exfiltrate stolen data to Discord channels.

Since malware operators realized its potential, there has been a dramatic increase in the amount of abuse of Discord Webhooks. Although the platform has confirmed to BleepingComputer that it is actively identifying and preventing this activity, it is evident that the number of malicious actions is much too large for them to be able to control it.

Stay Safe from This Type of Phishing Attempt

As BleepingComputer explained, if you play RuneScape and are concerned about the safety of your account, you should be aware that Jagex support will never alter your email address unless you accept the action. Therefore, any email-change notification that comes as a “surprise” to you is a fraudulent attempt to steal your personal information.

It is imperative that any strange communications be reported to the game’s phishing report center, which can be found on the game’s official forums. Reporting them also helps protect other players from such scams.


Author Profile

Dora Tudor

Cyber Security Enthusiast


Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.
