Cybersecurity researchers are warning about malicious e-mail campaigns leveraging a phishing-as-a-service (PhaaS) toolkit known as Rockstar 2FA with an intention to steal Microsoft 365 account credentials.
“This marketing campaign employs an AitM [adversary-in-the-middle] assault, permitting attackers to intercept consumer credentials and session cookies, which implies that even customers with multi-factor authentication (MFA) enabled can nonetheless be susceptible,” Trustwave researchers Diana Solomon and John Kevin Adriano stated.
Rockstar 2FA is assessed to be an up to date model of the DadSec (aka Phoenix) phishing package. Microsoft is monitoring the builders and distributors of the Dadsec PhaaS platform below the moniker Storm-1575.
Like its predecessors, the phishing package is marketed through companies like ICQ, Telegram, and Mail.ru below a subscription mannequin for $200 for 2 weeks (or $350 for a month), permitting cyber criminals with little-to-no technical experience to mount campaigns at scale.
Among the promoted options of Rockstar 2FA embody two-factor authentication (2FA) bypass, 2FA cookie harvesting, antibot safety, login web page themes mimicking widespread companies, absolutely undetectable (FUD) hyperlinks, and Telegram bot integration.
It additionally claims to have a “trendy, user-friendly admin panel” that permits clients to trace the standing of their phishing campaigns, generate URLs and attachments, and even personalize themes which might be utilized to the created hyperlinks.
E mail campaigns noticed by Trustwave leverage numerous preliminary entry vectors equivalent to URLs, QR codes, and doc attachments, that are embedded inside messages despatched from compromised accounts or spamming instruments. The emails make use of varied lure templates starting from file-sharing notifications to requests for e-signatures.
Moreover utilizing authentic hyperlink redirectors (e.g., shortened URLs, open redirects, URL safety companies, or URL rewriting companies) as a mechanism to bypass antispam detection, the package incorporates antibot checks utilizing Cloudflare Turnstile in an try to discourage automated evaluation of the AitM phishing pages.
Trustwave stated it noticed the platform using authentic companies like Atlassian Confluence, Google Docs Viewer, LiveAgent, and Microsoft OneDrive, OneNote, and Dynamics 365 Buyer Voice to host the phishing hyperlinks, highlighting that menace actors are profiting from the belief that comes with such platforms.
“The phishing web page design intently resembles the sign-in web page of the model being imitated regardless of quite a few obfuscations utilized to the HTML code,” the researchers stated. “All the info supplied by the consumer on the phishing web page is instantly despatched to the AiTM server. The exfiltrated credentials are then used to retrieve the session cookie of the goal account.”
The disclosure comes as Malwarebytes detailed a phishing marketing campaign dubbed Beluga that employs .HTM attachments to dupe e-mail recipients into getting into their Microsoft OneDrive credentials on a bogus login type, that are then exfiltrated to a Telegram bot.
Phishing hyperlinks and misleading betting recreation advertisements on social media have additionally been discovered to push adware apps like MobiDash in addition to fraudulent monetary apps that steal private information and cash below the guise of promising fast returns.
“The betting video games marketed are offered as authentic alternatives to win cash, however they’re rigorously designed to trick customers into depositing funds, which they might by no means see once more,” Group-IB CERT analyst Mahmoud Mosaad stated.
“By these fraudulent apps and web sites, scammers would steal each private and monetary info from customers throughout the registration course of. Victims can endure vital monetary losses, with some reporting losses of greater than US$10,000.”