
Rockstar2FA Collapse Fuels Growth of FlowerStorm Phishing-as-a-Service


Dec 23, 2024Ravie LakshmananPhishing / Cybercrime


A disruption of the phishing-as-a-service (PhaaS) toolkit known as Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm.

"It appears that the [Rockstar2FA] group running the service experienced at least a partial collapse of its infrastructure, with pages associated with the service no longer reachable," Sophos said in a new report published last week. "This does not appear to be due to a takedown action, but due to some technical failure on the backend of the service."

Rockstar2FA was first documented by Trustwave late last month as a PhaaS service that allows criminal actors to launch phishing attacks capable of harvesting Microsoft 365 account credentials and session cookies, thereby circumventing multi-factor authentication (MFA) protections.
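The defender-side consequence of the credential-and-session-cookie harvesting described above is that the authenticated session, not the password, is what gets replayed: the victim completes MFA against the real Microsoft 365 tenant, and the cookie issued for that session is then used from the operator's infrastructure. The following detector is an added example written for this article, not code from Sophos, Trustwave or the kits themselves. It runs over a constructed JSON-lines sign-in log whose field names (`session_id`, `asn`, `mfa`) are assumptions, and flags any session that completed MFA from one ASN and was then used from a different ASN within an hour.

```python
"""Added example: flag sessions reused from a different network than the
one that completed MFA, the trace a session-cookie replay leaves in sign-in
logs. Log format, field names and sample events are constructed here."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events in a hypothetical JSON-lines format. Session s-1
# completes MFA from one ASN and is reused minutes later from another; session
# s-2 stays inside the same ASN and should not alert.
SAMPLE_LOG = """
{"ts": "2024-11-12T09:00:00Z", "user": "alice@example.test", "session_id": "s-1", "ip": "203.0.113.10", "asn": "AS64500", "mfa": true}
{"ts": "2024-11-12T09:03:00Z", "user": "alice@example.test", "session_id": "s-1", "ip": "198.51.100.77", "asn": "AS64511", "mfa": false}
{"ts": "2024-11-12T10:00:00Z", "user": "bob@example.test", "session_id": "s-2", "ip": "203.0.113.20", "asn": "AS64500", "mfa": true}
{"ts": "2024-11-12T10:30:00Z", "user": "bob@example.test", "session_id": "s-2", "ip": "203.0.113.21", "asn": "AS64500", "mfa": false}
"""

# How soon after the MFA event a cross-ASN reuse is treated as suspicious.
WINDOW = timedelta(hours=1)


def parse_events(text):
    """Parse JSON-lines sign-in events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_replayed_sessions(events, window=WINDOW):
    """Return one alert per sign-in that reuses a session from an ASN other
    than the one that completed MFA, within `window` of the MFA event."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session_id"]].append(ev)

    alerts = []
    for sid, evs in by_session.items():
        mfa_events = [e for e in evs if e["mfa"]]
        if not mfa_events:
            continue  # no MFA anchor for this session; nothing to compare against
        origin = mfa_events[0]
        for e in evs:
            if e is origin:
                continue
            if e["asn"] != origin["asn"] and timedelta(0) <= e["ts"] - origin["ts"] <= window:
                alerts.append({
                    "user": e["user"],
                    "session_id": sid,
                    "mfa_ip": origin["ip"],
                    "replay_ip": e["ip"],
                    "minutes_after_mfa": int((e["ts"] - origin["ts"]).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The ASN comparison is deliberately coarser than an exact IP match, so that a user moving between addresses inside one provider (session s-2) does not alert while a cookie used from an unrelated network does; in production the anchor would be the tenant's own sign-in log and the window and ASN source would be tuned to the environment.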


The service is assessed to be an updated version of the DadSec phishing kit, which Microsoft tracks under the name Storm-1575. A majority of the phishing pages were found to be hosted on .com, .de, .ru, and .moscow top-level domains, although the use of .ru domains is believed to have shrunk over time.

[Figure: FlowerStorm Phishing-as-a-Service]

Rockstar2FA appears to have suffered a technical disruption on November 11, 2024, when redirects to intermediate decoy pages generated Cloudflare time-out errors and the counterfeit login pages failed to load.

While it is not clear what caused the disruption, the void left by the PhaaS toolkit has resulted in a surge in phishing activity associated with FlowerStorm, which has been active since at least June 2024.


Sophos said that the two services share similarities in the format of their phishing portal pages and in the methods used to connect to the backend servers for credential harvesting, raising the possibility of a common ancestry. Both also abuse Cloudflare Turnstile to ensure that incoming page requests are not coming from bots.

It is suspected that the November 11 disruption represents either a strategic pivot by one of the groups, a change in the personnel running them, or a deliberate effort to decouple the two operations. There is no definitive evidence linking the two services at this stage.


The countries most frequently targeted using FlowerStorm include the United States, Canada, the U.K., Australia, Italy, Switzerland, Puerto Rico, Germany, Singapore, and India.

"The most heavily targeted sector is the service industry, with particular focus on companies providing engineering, construction, real estate, and legal services and consulting," Sophos said.

If anything, the findings once again illustrate the ongoing trend of attackers using cybercriminal services and commodity tools to carry out cyber attacks at scale without requiring much technical expertise.
