Phishers Trick RuneScape Players with Moderator Positions

Security researchers from GFI Software warn of new phishing attacks targeting RuneScape players which tempt them to apply for Player Moderator positions.

RuneScape is a highly popular free massively multiplayer online role-playing game (MMORPG) from the fantasy genre.

It has an estimated 10 million active players each month and a total number of around 150 million registered accounts.

Christopher Boyd, a senior researcher at GFI, warns that a website recently spammed to RunScape players offered them the possibility to apply for staff positions.

The message on the rogue site read: "Attention Runescapers! To celebrate the Summer, we've made staff applications public to all Runescape players!

"Each day Runescape grows, we need more and more determined, friendly, and knowledgeable staff members.

"We have created a survey for this matter, and our team will choose the 100 most qualified to become player moderators."

The website displayed a survey with the requirements to qualify. These included completing the Security Stronghold minigame, never impersonating a Runescape or FunOrb Moderator, never being banned for scamming, never being muted for advertising, reporting at least 5 spammers and helping out at least 5 new players.

At the end of the survey there was a big button reading "Login Here to Apply," which, if clicked, led users to a fake RuneScape login page. Mr. Boyd points out that whatever username and passwords was typed into the form, the response was always "Login Successful."

Further investigation revealed a folder on the webserver was called "Solar's Ultimate Mod Phisher," suggesting that the attack was instrumented with help from a toolkit.

Online gaming credentials, even those for a free game, are valuable on the underground market. The thieves can sell special items found on in-game characters associated with the compromised accounts.

World of Warcraft (WoW), the world's most popular MMORPG game is also a big target for phishers. According to previous research from Symantec, WoW accounts can be sold for anything between $35 and $28,000, depending on how well the associated game character is developed.