0/100

critical Risk

osrsforums.com-assisted-login-login-challenge-dc197744c4a04124a6d04da6b85a.workers.dev

https://osrsforums.com-assisted-login-login-challenge-dc197744c4a04124a6d04da6b85a.workers.dev/portal/m-forum-forums320-321-6265498749-321-6265498749-321-6265498749-321-6265498749-321-626549874-321/

172.67.192.36 · Cloudflare, Inc.

Location

Toronto, Canada

Domain Age

2592 days

HTTP

200 · 9.0s

SSL

Valid· E7, Let's Encrypt, US

Status

COMPLETED

Visual Evidence

Screenshot of osrsforums.com-assisted-login-login-challenge-dc197744c4a04124a6d04da6b85a.workers.dev

Zoom

Title: "Quitting! 30B Giveaway,Up Tp 600M For Each Player(LEVEL BASED)."

Save

Domain Intelligence: workers.dev

Scanned 3 times since Mar 10, 2026, 03:40 AM UTC

✗ Critical (100)

Registered-domain escalation suggested

Suggested now

Submit workers.dev as the primary IOC, enriched with evidence from hostile subdomains like osrsforums.com-assisted-login-login-challenge-dc197744c4a04124a6d04da6b85a.workers.dev.

2 hostile subdomains across 3 completed scans were observed under this registered domain. Recent hosts: osrsforums.com-assisted-login-login-challenge-dc197744c4a04124a6d04da6b85a.workers.dev, jagex-forums.com-uk.workers.dev.

Take this site down

Report to 50+ vendors instantly

KB/IOK Matches (1)—

runescape-forum-clone-kit

high

Directives: skipAi, skipUnblocker, skipMobileVariant

RuneScape

Credential Phishing

gaming | technology | ecommerce · 4/5/2026

Summary

This site at account.osrforum.it impersonates RuneScape community/forum branding to lure users into posting or exposing credentials. The page title and UI resemble RuneScape forums, with Runescape header links and a RuneScape logo loaded from external storage, while the domain is not an official RuneScape domain. It hosts a login-style form gateway and multiple POST endpoints targeting a login challenge path, indicative of credential collection in a SPA-like environment.

Evidence Summary

▸Observed 1 capture stage(s); canonical stage is settled_render.

▸Distinctive asset clues: fonts-101.css, components-146.css, track, header_logo.png.

Capture

Stages: 1

Canonical: Settled Render

Changed: No

Credential Signals

Forms: 3

Password fields: 0

Late-stage login UI: No

Resource Signals

Resources: 48

Hosts: 2

Domains: 1

Suspicious Endpoints

hxxps://osrsforums[.]com-assisted-login-login-challenge-dc197744c4a04124a6d04da6b85a[.]workers[.]dev/portal/assisted-login-login-challenge-dc197744c4a04124a6d04da6b85adcb4-238398720-1406457486-1694086910-1863512970-169408678563454200-2-238398720-140645748/

Attack Techniques (5)

Typosquatted/brand-masquerading domain presenting RuneScape forum UICloned SPA-like forum interface loading Runescape assets from external CDNLogin/assisted-login POST endpoints designed to capture credentials (even if inputs appear hidden in HTML)External scripts and tracking beacons (cloudflare insights) to evade scanners while serving real victimsSSL cert newly issued (0 days) and WAF/CDN presence (Cloudflare) often used to mask hosting while phishing

Indicators of Compromise (8)

▸DOMAIN: account.osrforum.it (not Runescape's official domain)

▸Page title: Quitting! 30B Giveaway,Up Tp 600M For Each Player(LEVEL BASED). (impersonation lure)

▸HTML forms: POST to https://account.osrforum.it/portal/assisted-login-login-challenge-dc197744c4a04124a6d04da6b85adcb4-... (inputs: none)

▸IFRAME sourcing content from account.osrforum.it and external assets under usb.databesa.cloud

▸SSL certificate issued Mar 8 2026 with SANs including account.osrforum.it and osrforum.it

▸External script: https://static.cloudflareinsights.com/beacon.min.js

▸Network requests fetch branding assets (header_logo.png, various forum-themed PNGs) from usb.databesa.cloud indicating cloned UI

▸Suspicious POST: /cdn-cgi/rum (likely Cloudflare minifier or analytics; indicates WAF interactions)

Risk AssessmentUsed in abuse reports

Scanner observed a domain impersonating a RuneScape community forum, with the page UI copying Runescape branding including the header, logo, and navigation. The page uses a newly issued SSL certificate and loads brand assets from external CDN domains, suggesting an attempt to impersonate a legitimate service and collect potentially sensitive input via POST endpoints. The presence of hidden form inputs and iframes indicates data exfiltration and credential harvesting risk. Immediate action recommended: suspend_domain and suspend_hosting to prevent further credential theft attempts; alert Runescape security team and monitor for similar clones.

Recommended Action

Suspend Domain

Cross-Reference8

URL Intelligence