0/100

critical Risk

account.osrsforum.it

https://account.osrsforum.it/portal/assisted-login-login-challenge-dc197744c4a04124a6d04da6b85adcb4-238398720-1406457486-1694086910-1863512970-169408678563454200-2-238398720-140645748/

104.21.69.183 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

—

HTTP

200 · 16.9s

SSL

Valid· WE1, Google Trust Services, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Choose how to log in | Jagex"

Save

Domain Intelligence: osrsforum.it

Scanned 3 times since Mar 9, 2026, 01:24 AM UTC

✗ Critical (100)

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

Jagex

Vendors

30/30

Status

completed

✓ spamhaus✓ urlscan✓ phishreport✓ urlquery✓ isitphish✓ emsisoft✓ cisa✓ avg✓ avast✓ yandex✓ apple✓ eset✓ microsoft✓ polyswarm✓ norton✓ bitdefender✓ sophos✓ brightcloud✓ openphish✓ apwg✓ netcraft✓ virustotal✓ drweb✓ mcafee✓ phishtank✓ urlabuse✓ google✓ kaspersky✓ threatyeti✓ fortiguard

Registered-domain escalation suggested

Suggested now

Submit osrsforum.it as the primary IOC, enriched with evidence from hostile subdomains like account.osrsforum.it.

2 hostile subdomains across 2 completed scans were observed under this registered domain. Recent hosts: account.osrsforum.it, jagexaccounts.osrsforum.it.

KB/IOK Matches (1)Mar 9, 2026, 06:11 AM UTC

jagex-clone-kit

high

Directives: skipAi, skipUnblocker, skipMobileVariant

Jagex

Credential Phishing

gaming | technology | education | other · 4/5/2026

Summary

This page presents a login interface that visually imitates Jagex, but the domain is account.osrforum.it, which is not the official Jagex domain. The page title reads 'Choose how to log in | Jagex' and the UI mimics Jagex's look (logo, fonts, and layout), including a login form and social login options, suggesting credential collection. The domain impersonation, SPA-like structure, and external script loading indicate a clone designed to harvest user credentials.

Attack Techniques (5)

Brand impersonation via domain not matching the brand (osrforum.it domain impersonating Jagex)Cloned login UI with Jagex logos and styling to lure credentialsExternal assets and JS bundles loaded with brand-specific filenames to replicate functionalitySPA-like page with dynamic elements and honeypot field detection to deter botsSSL certificate issued recently (0 days) on a phishing-like domain, indicating rapid setup

Indicators of Compromise (7)

▸DOMAIN: account.osrforum.it (not official Jagex domain)

▸PAGE TITLE: 'Choose how to log in | Jagex'

▸LOGO/IMGS: img/logo00.png and google.svg loaded from the compromised domain

▸NETWORK: script.js and google/apple login assets loaded from account.osrforum.it

▸FORM: POST to /portal/assisted-login-login-challenge-.../index.php (suspect credential capture)

▸SSL: cert issued Mar 8, 2026 to osrforum.it (valid through Jun 6, 2026) on a look-alike domain

▸POST: /cdn-cgi/rum? (CLOUDFLARE-typical analytics/anti-bot endpoints but could be abused for exfiltration)

Risk AssessmentUsed in abuse reports

Scanner evidence shows a phishing clone hosting under account.osrforum.it with a page title and UI strongly mimicking Jagex. The domain does not belong to Jagex, while assets and logos are loaded from the same impersonating domain, including image and JS assets that mirror Jagex branding. The presence of a login form configured to post to a suspicious index.php and a honeypot field indicates credential harvesting behavior. The SSL certificate is newly issued for a domain attempting to impersonate a well-known brand, and the page uses a Cloudflare IP, suggesting hosting behind a WAF but not legitimate ownership. This is a high-risk credential-phishing setup intended to deceive users into entering credentials for Jagex on a non-official domain.

Recommended Action

Monitor

Cross-Reference9

URL Intelligence