A disruption in the Phishing-as-a-Service (PhaaS) toolkit Rockstar 2FA has led to a rapid uptick in activity from another nascent offering called FlowerStorm.
“It appears that the group (Rockstar2FA) running the service has experienced at least a partial collapse of their infrastructure, and pages related to the service are no longer accessible,” Sophos said in a new report published last week. “It appears that this was not due to a takedown, but due to some technical failure in the server side of the service.”
Rockstar2FA was documented for the first time by Trustwave late last month as a PhaaS service that allows criminals to launch phishing attacks capable of harvesting Microsoft 365 account credentials and session cookies, thereby bypassing multi-factor authentication (MFA) protections.
The service is billed as an updated version of the DadSec phishing kit, which Microsoft tracks as Storm-1575. Most of its phishing pages were found to be hosted on .com, .de, .ru, and .moscow top-level domains, although the use of .ru domains is believed to have declined over time.
Rockstar2FA appears to have suffered a technical failure on November 11, 2024, when its redirects to intermediate decoy pages began producing Cloudflare timeout errors and the fake login pages failed to load.
While it’s unclear what caused the failure, the void left by the PhaaS toolkit led to a surge in phishing activity linked to FlowerStorm, which has been active since at least June 2024.
Sophos said the two services share similarities in the format of their phishing portal pages and in the methods used to connect to back-end servers that collect credentials, raising the possibility of a common origin. Both also abuse Cloudflare Turnstile to check that incoming requests to the page are not from bots.
There are suspicions that the November 11 failure represents either a strategic shift in one of the groups, a change in the personnel running them, or a deliberate attempt to separate the twin operations. At this stage, there is no definitive evidence linking the two services.
The countries most targeted by FlowerStorm include the United States, Canada, the United Kingdom, Australia, Italy, Switzerland, Puerto Rico, Germany, Singapore, and India.
“The industry sector most affected is the services industry, with a particular focus on companies that provide engineering, construction, real estate, legal services and consulting,” Sophos said.
In any case, the obtained data once again illustrates the long-term trend of attackers using cybercriminal services and commercial tools to carry out large-scale cyberattacks without even requiring special technical knowledge.