khaosdev.ca

https://khaosdev.ca/portal/medieval-legends-competition-c1c7m4j4e3j9m6a9v9a9g9g6h0r1

209.54.112.238 · EZProvider Networks, Inc.

Location

Vancouver, Canada

Domain Age

2980 days

HTTP

200 · 20.9s

SSL

Valid· R13, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Quitting! 30b Giveaway,up to 600M for each player (level based)."

Save

Linked Phishing Report

This scan is attached to a vendor submission report

Brand

RuneScape

Vendors

30/30

Status

completed

✓ avg✓ avast✓ eset✓ sophos✓ brightcloud✓ norton✓ microsoft✓ emsisoft✓ apwg✓ apple✓ netcraft✓ isitphish✓ urlquery✓ cisa✓ spamhaus✓ openphish✓ urlscan✓ phishtank✓ phishreport✓ polyswarm✓ yandex✓ virustotal✓ drweb✓ bitdefender✓ urlabuse✓ threatyeti✓ mcafee✓ google✓ kaspersky✓ fortiguard

KB/IOK Matches (1)Mar 9, 2026, 12:22 PM UTC

runescape-forum-clone-kit

high

Directives: skipAi, skipUnblocker, skipMobileVariant

RuneScape

Credential Phishing

gaming | technology | ecommerce · 4/5/2026

Summary

This site at account.osrforum.it impersonates RuneScape community/forum branding to lure users into posting or exposing credentials. The page title and UI resemble RuneScape forums, with Runescape header links and a RuneScape logo loaded from external storage, while the domain is not an official RuneScape domain. It hosts a login-style form gateway and multiple POST endpoints targeting a login challenge path, indicative of credential collection in a SPA-like environment.

Attack Techniques (5)

Typosquatted/brand-masquerading domain presenting RuneScape forum UICloned SPA-like forum interface loading Runescape assets from external CDNLogin/assisted-login POST endpoints designed to capture credentials (even if inputs appear hidden in HTML)External scripts and tracking beacons (cloudflare insights) to evade scanners while serving real victimsSSL cert newly issued (0 days) and WAF/CDN presence (Cloudflare) often used to mask hosting while phishing

Indicators of Compromise (8)

▸DOMAIN: account.osrforum.it (not Runescape's official domain)

▸Page title: Quitting! 30B Giveaway,Up Tp 600M For Each Player(LEVEL BASED). (impersonation lure)

▸HTML forms: POST to https://account.osrforum.it/portal/assisted-login-login-challenge-dc197744c4a04124a6d04da6b85adcb4-... (inputs: none)

▸IFRAME sourcing content from account.osrforum.it and external assets under usb.databesa.cloud

▸SSL certificate issued Mar 8 2026 with SANs including account.osrforum.it and osrforum.it

▸External script: https://static.cloudflareinsights.com/beacon.min.js

▸Network requests fetch branding assets (header_logo.png, various forum-themed PNGs) from usb.databesa.cloud indicating cloned UI

▸Suspicious POST: /cdn-cgi/rum (likely Cloudflare minifier or analytics; indicates WAF interactions)

Risk AssessmentUsed in abuse reports

Scanner observed a domain impersonating a RuneScape community forum, with the page UI copying Runescape branding including the header, logo, and navigation. The page uses a newly issued SSL certificate and loads brand assets from external CDN domains, suggesting an attempt to impersonate a legitimate service and collect potentially sensitive input via POST endpoints. The presence of hidden form inputs and iframes indicates data exfiltration and credential harvesting risk. Immediate action recommended: suspend_domain and suspend_hosting to prevent further credential theft attempts; alert Runescape security team and monitor for similar clones.

Recommended Action

Suspend Domain

Cross-Reference9

URL Intelligence