A disruption to the phishing-as-a-service (PhaaS) toolkit known as Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm.
“It appears that the [Rockstar2FA] group running the service experienced at least a partial collapse of its infrastructure, with pages associated with the service no longer reachable,” Sophos said in a new report published last week. “This does not appear to be because of a takedown action, but due to some technical failure on the backend of the service.”
Rockstar2FA was first documented by Trustwave late last month as a PhaaS service that allows criminal actors to launch phishing attacks capable of harvesting Microsoft 365 account credentials and session cookies, thereby circumventing multi-factor authentication (MFA) protections.
The service is assessed to be an updated version of the DadSec phishing kit, which is tracked by Microsoft under the name Storm-1575. A majority of the phishing pages have been found to be hosted on .com, .de, .ru, and .moscow top-level domains, although the use of .ru domains is believed to have shrunk over time.
Rockstar2FA appears to have suffered a technical disruption on November 11, 2024, when redirects to intermediate decoy pages generated Cloudflare time-out errors and the counterfeit login pages failed to load.
While it is not clear what caused the disruption, the void left by the PhaaS toolkit has resulted in a surge in phishing activity associated with FlowerStorm, which has been active since at least June 2024.
Sophos said that both services share similarities in the format of their phishing portal pages and in the methods used to connect to the backend servers for credential harvesting, raising the possibility of a common ancestry. Both also abuse Cloudflare Turnstile to ensure that incoming page requests are not from bots, which keeps automated scanners away from the phishing pages.
It is suspected that the November 11 disruption represents either a strategic pivot by one of the groups, a change in the personnel operating them, or an intentional effort to decouple the twin operations. There is no definitive evidence linking the two services at this stage.
The countries most frequently targeted using FlowerStorm include the United States, Canada, the United Kingdom, Australia, Italy, Switzerland, Puerto Rico, Germany, Singapore, and India.
“The most heavily targeted sector is the service industry, with particular focus on companies providing engineering, construction, real estate, and legal services and consulting,” Sophos said.
If anything, the findings once again illustrate the continued trend of attackers using cybercriminal services and commodity tools to carry out cyber attacks at scale without requiring much technical expertise.