A disruption to the phishing-as-a-service (PhaaS) toolkit known as Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm.
"It appears that the [Rockstar2FA] group running the service experienced at least a partial collapse of its infrastructure, with pages associated with the service no longer reachable," Sophos said in a new report published last week. "This does not appear to be because of a takedown action, but due to some technical failure on the backend of the service."
Rockstar2FA was first documented by Trustwave late last month as a PhaaS service that allows criminal actors to launch adversary-in-the-middle phishing attacks capable of harvesting Microsoft 365 account credentials and session cookies. Because the stolen cookie represents a session in which MFA has already been completed, replaying it lets the attacker circumvent multi-factor authentication (MFA) protections without ever being challenged.
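The practical consequence of session-cookie theft is that the attacker's first use of the account looks like an already-authenticated session rather than a fresh login. The following is an added detection example, not code from the article or from Sophos or Trustwave: it scans constructed sign-in records for a session that was established with an MFA challenge on one network and then reused from a different autonomous system without a new challenge. The log format, field names, IP addresses (documentation ranges) and ASNs (private-use range) are all assumptions made for the example.

```python
"""Flag sessions that move across networks without a fresh MFA challenge.

Added example. Assumes each sign-in record carries a session identifier
bound to the session cookie, the source IP and ASN, and whether the
identity provider actually ran an MFA challenge or inherited an earlier
one. The CSV-like line format below is constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignIn:
    ts: datetime
    user: str
    session_id: str      # identifier tied to the session cookie
    ip: str
    asn: str
    mfa_performed: bool  # True only when a challenge was actually completed


def parse_line(line: str) -> SignIn:
    """Parse one constructed sign-in line: ts, user, session, ip, asn, mfa|inherited."""
    ts, user, sid, ip, asn, mfa = [f.strip() for f in line.split(",")]
    return SignIn(datetime.fromisoformat(ts), user, sid, ip, asn, mfa == "mfa")


# Constructed sample log (documentation IP ranges, private-use ASNs).
SAMPLE_LOG = """\
2024-11-12T09:00:00, alice, sess-a1, 203.0.113.10, AS64496, mfa
2024-11-12T09:07:00, alice, sess-a1, 198.51.100.77, AS64500, inherited
2024-11-12T10:00:00, bob, sess-b1, 203.0.113.11, AS64496, mfa
2024-11-12T10:30:00, bob, sess-b1, 203.0.113.11, AS64496, inherited
2024-11-12T11:00:00, carol, sess-c1, 203.0.113.12, AS64496, mfa
2024-11-12T11:20:00, carol, sess-c1, 198.51.100.5, AS64501, mfa
"""


def find_session_replay(events, window=timedelta(hours=4)):
    """Return (user, session_id, origin_ip, reuse_ip) for each session that is
    reused from a different ASN than the one it was established on, without a
    fresh MFA challenge, within `window` of the establishing sign-in."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e.session_id].append(e)

    hits = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        origin = evs[0]  # the sign-in that created the session
        for e in evs[1:]:
            if (e.asn != origin.asn
                    and not e.mfa_performed
                    and e.ts - origin.ts <= window):
                hits.append((e.user, sid, origin.ip, e.ip))
    return hits


def scan(log_text: str):
    """Parse a block of constructed log lines and run the replay heuristic."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return find_session_replay(events)


if __name__ == "__main__":
    for user, sid, origin_ip, reuse_ip in scan(SAMPLE_LOG):
        print(f"possible cookie replay: user={user} session={sid} "
              f"established from {origin_ip}, reused from {reuse_ip} without MFA")
```

In the sample only alice's session trips the rule: bob stays on the same ASN, and carol is re-challenged when her network changes. Two caveats for real use: in an adversary-in-the-middle flow the sign-in that completes MFA may itself come from the attacker's relay, so the "origin" side is not necessarily the victim, and the rule still fires because the session later moves; and ordinary mobile users switching between carrier and Wi-Fi networks will also match, so the result is a lead to pair with ASN reputation or impossible-travel checks rather than a verdict on its own.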
The service is assessed to be an updated version of the DadSec phishing kit, which is tracked by Microsoft under the name Storm-1575. A majority of the phishing pages have been found to be hosted on .com, .de, .ru, and .moscow top-level domains, although the use of .ru domains is believed to have shrunk over time.
Rockstar2FA appears to have suffered a technical disruption on November 11, 2024, when redirects to intermediate decoy pages generated Cloudflare time-out errors and the counterfeit login pages failed to load.
While it is not clear what caused the disruption, the void left by the PhaaS toolkit has resulted in a surge in phishing activity associated with FlowerStorm, which has been active since at least June 2024.
Sophos said that the two services share similarities in the format of their phishing portal pages and in the methods used to connect to the backend servers for credential harvesting, raising the possibility of a common ancestry. Both also abuse Cloudflare Turnstile to ensure that incoming page requests are not from bots, which keeps automated scanners and security crawlers from reaching the credential-harvesting pages.
It is suspected that the November 11 disruption represents either a strategic pivot by one of the groups, a change in the personnel operating them, or an intentional effort to decouple the twin operations. There is no definitive evidence linking the two services at this stage.
The countries most frequently targeted using FlowerStorm include the U.S., Canada, the U.K., Australia, Italy, Switzerland, Puerto Rico, Germany, Singapore, and India.
"The most heavily targeted sector is the service industry, with particular focus on firms providing engineering, construction, real estate, and legal services and consulting," Sophos said.
If anything, the findings once again illustrate the continuing trend of attackers using cybercriminal services and commodity tools to carry out cyber attacks at scale without requiring much technical expertise.