22nd April 2005 - Warning Fansite users hijacked

Warning: fansite users getting hijacked

It has come to our attention that several users of a large RuneScape fansite have recently had their RuneScape password stolen. The fansite is an independent website, and isn't run by us or affiliated with us, but many of our users do choose to use it.

We don't know for sure, and we are basically trying to work this out from the pattern of attack, but it seems quite likely this was done by someone posting malicious content or images on the forums of the 3rd party fansite. People viewing that page then got infected with a keylogger which could be used to steal all their passwords.

I know it's hard to believe that just viewing a page on a forum could be enough to be infected with a keylogger, but there have actually historically already been a number of security flaws in the image code in web browsers which allowed exactly that! If you don't have ALL the latest patches you are at risk.

Our own forums deliberately don't allow users to post images or html exactly because of this security risk. Lots of people complain that we don't offer this feature, but we believe security is far more important than features. Unfortunately many third party fansites aren't as secure as ours with regards to this. Indeed we've noticed the attacker spreading recent rumours to try to persuade more people to use fan-site forums instead of ours, presumably so he can hack more people through them.

I would like to emphasize that we believe the security of our own servers and forums is in no way compromised. It appears that the accounts are being stolen not by targeting our servers, but by instead targeting the home computers of users. Possibly via fansite forums.

We have of course very thoroughly double checked our own server security as well, but can find no sign of intrusion, and the fact that the people being hijacked are users of the same fansite seems unlikely to be a coincidence.

We take our own security very seriously here, but our users still have to take good care of their own computer as well. It is essential that you are careful to keep your computer secure to prevent a keylogger being installed on it, we recommend EVERYONE pays close attention to the following advice:

1) Ensure your computer is fully patched. Go to www.windowsupdate.com and make sure you have all the latest patches for your machine and web-browser. You may have to reboot and visit the site several times to get all patches.

2) Make sure your web-browser and other software is the latest version. For example if you use FireFox to browse the web make sure you using the latest version (at the time of writing this is 1.0.3). Using out of date software is VERY risky.

3) DON'T use your password anywhere except runescape.com. It is very important NOT to use the same password for RuneScape and other websites.

4) Make sure you have anti-virus software installed, and your virus definitions are up to date! And perform regular scans of your computer.

5) You should also install anti-spyware to get the things your anti virus misses. For example the keylogger mentioned above doesn't appear to be spotted by Norton, but is spotted by ad-aware. Popular (free) anti-spyware programs are: Ad-Aware and Spybot

6) Even with all the latest patches and protection programs you should still be careful about what you download and run to avoid picking up anything nasty.

If you've recently used a fansite forum, then we recommend you follow the above steps (in order) to secure and clean your computer. If steps 4 or 5 find anything you should obviously remove it and change your password.


The above was taken from Runecsape.com and can be found by clicking Here. Then in the upper right corner in the box labeled "Latest News and Updates" click to see the full list of news and updates by clicking where it says "click here". Then look for the customer support update from April 22 titled "Warning Fansite users hijacked". All of the above was copied straight from there for your convenience.

More Links for one of the viruses in question, the Black Angel Virus