0/100

critical Risk

osrsjagex.gamingvote.com

https://osrsjagex.gamingvote.com/portal/m=forum&forums320321&6265498749321openidread&state=D3uqAg4QCO=6265498749321&6265498749=authloginoauth2codejpp&6265498749=321&626549874321/

104.21.90.15 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

25 days

HTTP

200 · 19.5s

SSL

Valid· WE1, Google Trust Services, US

Status

COMPLETED

Visual Evidence

Zoom

Title: "Quitting! 30B Giveaway,Up Tp 600M For Each Player(LEVEL BASED)."

Save

Domain Intelligence: gamingvote.com

Scanned 13 times since Mar 10, 2026, 11:26 AM UTC

✗ Critical (100)

Registered-domain escalation suggested

Suggested now

Submit gamingvote.com as the primary IOC, enriched with evidence from hostile subdomains like osrsjagex.gamingvote.com.

4 hostile subdomains across 13 completed scans were observed under this registered domain. Recent hosts: osrsjagex.gamingvote.com, rsoldschools.gamingvote.com, rsoldschool.gamingvote.com, osrsaccount.gamingvote.com.

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (1)Apr 4, 2026, 01:45 AM UTC

runescape-forum-clone-kit

high

Directives: skipAi, skipUnblocker, skipMobileVariant

RuneScape

Credential Phishing

gaming | technology | ecommerce · 4/5/2026

Summary

This site at account.osrforum.it impersonates RuneScape community/forum branding to lure users into posting or exposing credentials. The page title and UI resemble RuneScape forums, with Runescape header links and a RuneScape logo loaded from external storage, while the domain is not an official RuneScape domain. It hosts a login-style form gateway and multiple POST endpoints targeting a login challenge path, indicative of credential collection in a SPA-like environment.

Evidence Summary

▸Observed 3 capture stage(s); canonical stage is late_render_3s.

▸POST targets observed during capture: https://osrsjagex.gamingvote.com/cdn-cgi/rum?, https://osrsjagex.gamingvote.com/cdn-cgi/challenge-platform/h/b/jsd/oneshot/625261456364/0.7817804783352856:1775265325:9lEgtXSj-5PQZIRfZcd_-fz9U1Ge11kUB6c0pOFKFJo/9e6ca2669a458b88.

▸Distinctive asset clues: v8c78df7c7c0f484497ecbca7046644da1771523124516, main.js, fonts-101.css, pagesmz-146.css, generic.png, chat(1).png.

Capture

Stages: 3

Canonical: Late Render (+3s)

Changed: No

Credential Signals

Forms: 3

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 52

Hosts: 3

Domains: 3

Suspicious Endpoints

hxxps://osrsjagex[.]gamingvote[.]com/portal/assisted-login-login-challenge-dc197744c4a04124a6d04da6b85adcb4-238398720-1406457486-1694086910-1863512970-169408678563454200-2-238398720-140645748/

Attack Techniques (5)

Typosquatted/brand-masquerading domain presenting RuneScape forum UICloned SPA-like forum interface loading Runescape assets from external CDNLogin/assisted-login POST endpoints designed to capture credentials (even if inputs appear hidden in HTML)External scripts and tracking beacons (cloudflare insights) to evade scanners while serving real victimsSSL cert newly issued (0 days) and WAF/CDN presence (Cloudflare) often used to mask hosting while phishing

Indicators of Compromise (8)

▸DOMAIN: account.osrforum.it (not Runescape's official domain)

▸Page title: Quitting! 30B Giveaway,Up Tp 600M For Each Player(LEVEL BASED). (impersonation lure)

▸HTML forms: POST to https://account.osrforum.it/portal/assisted-login-login-challenge-dc197744c4a04124a6d04da6b85adcb4-... (inputs: none)

▸IFRAME sourcing content from account.osrforum.it and external assets under usb.databesa.cloud

▸SSL certificate issued Mar 8 2026 with SANs including account.osrforum.it and osrforum.it

▸External script: https://static.cloudflareinsights.com/beacon.min.js

▸Network requests fetch branding assets (header_logo.png, various forum-themed PNGs) from usb.databesa.cloud indicating cloned UI

▸Suspicious POST: /cdn-cgi/rum (likely Cloudflare minifier or analytics; indicates WAF interactions)

Risk AssessmentUsed in abuse reports

Scanner observed a domain impersonating a RuneScape community forum, with the page UI copying Runescape branding including the header, logo, and navigation. The page uses a newly issued SSL certificate and loads brand assets from external CDN domains, suggesting an attempt to impersonate a legitimate service and collect potentially sensitive input via POST endpoints. The presence of hidden form inputs and iframes indicates data exfiltration and credential harvesting risk. Immediate action recommended: suspend_domain and suspend_hosting to prevent further credential theft attempts; alert Runescape security team and monitor for similar clones.

Recommended Action

Suspend Domain

Cross-Reference8

URL Intelligence