Friday, January 17, 2025

FlowerStorm PaaS Platform Attacking Microsoft Customers With Faux Login Pages


Rockstar2FA is a phishing-as-a-service (PaaS) kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms. Phishing campaigns are delivered via Telegram and use unique URLs to route victims to credential-harvesting counterfeit login pages.

These pages impersonate common services and steal login credentials along with multifactor authentication tokens via HTTP POST requests to adversary-controlled backend servers.

While most phishing pages use domains registered under .com, .de, .ru and .moscow, a small portion are deployed on Cloudflare Pages with manually created subdomain names and rely on separate backend servers for exfiltrating stolen data.

A Rockstar2FA “decoy” page

The Rockstar2FA phishing kit experienced disruption on November 11th, when the decoy pages failed to redirect because of a Cloudflare 522 error.

The portal pages also malfunctioned and did not load the counterfeit Microsoft login portal, indicating that the connection to the back-end server had been severed.


Around the same time, FlowerStorm phishing activity surged. FlowerStorm is a PaaS platform that has been active since June 2024, and its phishing pages communicate with the backend server using a next.php file.

An HTTP request from the FlowerStorm phishing page

The communication includes the user's credentials and a JWT token for session tracking, while the backend server can respond with success messages or MFA challenges.

Some phishing pages communicate with a next.php file located on the same domain as the landing page, while others do not use the same structure.
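As a defender-side illustration of the exfiltration pattern described above, here is an added Python example (not code from the Sophos report or from either kit) that scans constructed web-proxy log lines for POST requests that carry credential-like form fields to a host outside an allowlist, hit a `next.php` endpoint, or include a JWT-shaped token in the body. The log format, the form field names, the hostnames and the allowlist are assumptions made for the example; the kits' real field names are not given in the article.

```python
import re
from urllib.parse import urlparse, parse_qs

# Form fields that indicate a credential or MFA submission. These names are
# assumptions for the example; the article does not list the kits' real field names.
CRED_FIELDS = {"email", "login", "username", "password", "passwd", "otp", "mfa", "code"}

# Hosts where a credential POST from this environment is legitimate (assumed allowlist).
ALLOWED_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Three base64url segments separated by dots: the shape of a JWT used for session tracking.
JWT_RE = re.compile(r"\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b")

# Constructed log format for the example: "<timestamp> <method> <url> <status> <body>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<body>.*)$")

# Constructed sample log. The pages.dev host and the JWT value are made up for the example.
SAMPLE_LOG = """\
2025-01-17T09:01:02Z GET https://cdn.example-static.net/app.js 200 -
2025-01-17T09:01:10Z POST https://login.microsoftonline.com/common/login 200 login=alice%40corp.example&passwd=REDACTED
2025-01-17T09:02:33Z POST https://secure-mail-verify.pages.dev/next.php 200 email=bob%40corp.example&password=REDACTED&token=eyJhbGciOiJIUzI1NiJ9.eyJzaWQiOiIxMjM0In0.abcdefghijklmnopqrstuvwxyz
2025-01-17T09:02:40Z POST https://secure-mail-verify.pages.dev/next.php 200 otp=123456&token=eyJhbGciOiJIUzI1NiJ9.eyJzaWQiOiIxMjM0In0.abcdefghijklmnopqrstuvwxyz
2025-01-17T09:03:01Z POST https://intranet.corp.example/api/search 200 q=quarterly+report
"""


def analyse_line(line):
    """Return a finding dict for a suspicious POST, or None for anything else."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    url = urlparse(m["url"])
    host = url.hostname or ""
    # Only the field names matter here; the values are never logged or returned.
    fields = set(parse_qs(m["body"], keep_blank_values=True))
    reasons = []
    if host not in ALLOWED_HOSTS and fields & CRED_FIELDS:
        reasons.append("credential-like fields posted to non-allowlisted host")
    if url.path.endswith("/next.php"):
        reasons.append("POST to next.php endpoint")
    if JWT_RE.search(m["body"]):
        reasons.append("JWT-shaped token in body")
    if not reasons:
        return None
    return {"ts": m["ts"], "host": host, "path": url.path,
            "fields": sorted(fields), "reasons": reasons}


def find_suspicious_posts(log_text):
    """Run analyse_line over every line of a log and keep the findings."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in find_suspicious_posts(SAMPLE_LOG):
        print(finding["ts"], finding["host"] + finding["path"], "|", "; ".join(finding["reasons"]))
```

Matching on the `next.php` filename alone is brittle, since an operator can rename the endpoint; the credential-field and JWT heuristics are what make the rule survive that change, and the allowlist is what keeps legitimate sign-ins out of the alert queue.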

FlowerStorm and Rockstar2FA phishing portals show strong similarities that suggest a possible link between their developers. Both use similar HTML structures that include Cloudflare Turnstile keys and random text in HTML comments.

Some features are shared between their backend communication methods, such as PHP-based data exfiltration and specific field names for email validation and login events.
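The structural overlap described here is the kind of thing an analyst measures when clustering kit samples. The following added Python example (not code from Sophos or from either kit) fingerprints a page using only the standard library: it records the tag sequence as trigram shingles, collects any Cloudflare Turnstile `data-sitekey` values, collects form field names, and counts HTML comments that look like random alphanumeric padding. Two fingerprints are then compared. The three pages, the sitekey placeholder and the entropy threshold are constructed assumptions for the example.

```python
import math
from collections import Counter
from html.parser import HTMLParser


class PageFingerprint(HTMLParser):
    """Collect structural features of a page: tag sequence, Turnstile sitekeys, comments, fields."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.sitekeys = []
        self.comments = []
        self.form_fields = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.tags.append(tag)
        classes = (attrs.get("class") or "").split()
        # Turnstile widgets carry the public sitekey on a div with class "cf-turnstile".
        if "cf-turnstile" in classes and attrs.get("data-sitekey"):
            self.sitekeys.append(attrs["data-sitekey"])
        if tag == "input" and attrs.get("name"):
            self.form_fields.append(attrs["name"])

    def handle_comment(self, data):
        self.comments.append(data.strip())


def shannon_entropy(text):
    """Bits of entropy per character; a 16-character string of distinct characters scores 4.0."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_random(comment):
    # Heuristic assumed for the example: one alphanumeric token, reasonably long, high entropy.
    return len(comment) >= 8 and comment.isalnum() and shannon_entropy(comment) > 3.75


def fingerprint(html):
    p = PageFingerprint()
    p.feed(html)
    p.close()
    return {
        "shingles": set(zip(p.tags, p.tags[1:], p.tags[2:])),  # tag trigrams
        "sitekeys": set(p.sitekeys),
        "fields": set(p.form_fields),
        "random_comment_count": sum(1 for c in p.comments if looks_random(c)),
    }


def similarity(a, b):
    """Jaccard similarity of tag trigrams plus the kit-specific features the two pages share."""
    inter = len(a["shingles"] & b["shingles"])
    union = len(a["shingles"] | b["shingles"]) or 1
    return {
        "structure": round(inter / union, 2),
        "shared_sitekeys": a["sitekeys"] & b["sitekeys"],
        "shared_fields": a["fields"] & b["fields"],
        "both_have_random_comments": a["random_comment_count"] > 0 and b["random_comment_count"] > 0,
    }


# Constructed pages. The sitekey is a placeholder, not a real Turnstile key.
KIT_PAGE_A = """<html><head><title>Sign in</title></head><body>
<!-- k3Jq8ZxPv2LmT9wR -->
<div class="wrap"><form method="post" action="next.php">
<input type="email" name="email"><input type="password" name="password">
<div class="cf-turnstile" data-sitekey="0xSITEKEY_PLACEHOLDER"></div>
<button type="submit">Next</button></form></div>
<!-- Hq4tB7nYp0cXz2Ks -->
</body></html>"""

KIT_PAGE_B = """<html><head><title>Verify</title></head><body>
<!-- Vm2xQ8pLd5RtN7yB -->
<div class="box"><form method="post" action="next.php"><h2>Sign in</h2>
<input type="email" name="email"><input type="password" name="password">
<div class="cf-turnstile" data-sitekey="0xSITEKEY_PLACEHOLDER"></div>
<button type="submit">Next</button></form></div>
<!-- g6ZpW3kJr9TnX1qE -->
</body></html>"""

BENIGN_PAGE = """<html><head><title>Corp portal</title></head><body>
<!-- main navigation -->
<nav><ul><li><a href="/">Home</a></li><li><a href="/docs">Docs</a></li></ul></nav>
<form method="post" action="/search"><input type="text" name="q"><button>Go</button></form>
</body></html>"""

if __name__ == "__main__":
    fa, fb, fc = fingerprint(KIT_PAGE_A), fingerprint(KIT_PAGE_B), fingerprint(BENIGN_PAGE)
    print("kit A vs kit B:", similarity(fa, fb))
    print("kit A vs benign:", similarity(fa, fc))
```

A shared Turnstile sitekey is a strong signal on its own, because each sitekey belongs to the Cloudflare account that created the widget; the tag-trigram score and the random-comment count are weaker individually and are most useful in combination, which is how the shared-origin argument in the article is built.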

The document object model of a Rockstar2FA phishing page

In many cases, the timing of their domain registrations and page detections coincides, which may indicate that they use shared infrastructure or that their operations are coordinated.

FlowerStorm is a paid phishing service that leverages infrastructure and communication methods similar to those of the earlier Rockstar2FA operation, including PHP-based communication and email validation features.

A failed connection to a decoy page domain

It primarily targets organizations in the US, Canada, and other Western countries, focusing on the service sector, and shows a preference for North American and European targets, with the US accounting for the majority of attacks.

Sophos' analysis of Rockstar2FA and FlowerStorm indicates a possible shared origin, based on similar kit contents and domain registration patterns.

The diverging activity after November 11th suggests a possible strategic shift, personnel changes, infrastructure disruption, or deliberate decoupling to evade detection.

Meanwhile, FlowerStorm's rapid expansion has led to operational errors that allow for disruption and provide insight into its backend infrastructure.

