A brand new phishing-as-a-service (PhaaS) platform named ‘Rockstar 2FA’ has emerged, facilitating large-scale adversary-in-the-middle (AiTM) assaults to steal Microsoft 365 credentials.
Like different AiTM platforms, Rockstar 2FA permits attackers to bypass multifactor authentication (MFA) protections on focused accounts by intercepting legitimate session cookies.
These assaults work by directing victims to a pretend login web page that mimics Microsoft 365 and tricking them into coming into their credentials.
The AiTM server acts as a proxy, forwarding these credentials to Microsoft’s reputable service to finish the authentication course of after which captures the cookie when it’s despatched again to the goal’s browser.
This cookie can then be utilized by the menace actors for direct entry to the sufferer’s account, even when it is MFA protected, with the menace actor not needing the credentials in any respect.
Rise of Rockstar 2FA
Trustwave experiences that Rockstar 2FA is definitely an up to date model of the phishing kits DadSec and Phoenix, which gained traction in early and late 2023 respectively.
The researchers say Rockstar 2FA has gained vital recognition within the cybercrime neighborhood since August 2024, promoting for $200 for 2 weeks or $180 for API entry renewal.
The service is promoted on Telegram, amongst different locations, boasting an extended listing of options like:
- Assist for Microsoft 365, Hotmail, Godaddy, SSO
- Randomized supply code and hyperlinks to evade detection
- Cloudflare Turnstile Captcha integration for sufferer screening
- Automated FUD attachments and hyperlinks
- Consumer-friendly admin panel with real-time logs and backup choices
- A number of login web page themes with automated group branding (emblem, background)
The service has arrange over 5,000 phishing domains since Might 2024, facilitating numerous phishing operations.
The researchers say that the associated phishing campaigns they noticed abuse reputable e-mail advertising platforms or compromised accounts for disseminating malicious messages to targets.
The messages use quite a lot of lures, together with document-sharing notifications, IT division notices, password reset alerts, and payroll-related messages.
Trustwave says these messages make the most of a spread of block evasion strategies together with QR codes, inclusion of hyperlinks from reputable shortening providers, and PDF attachments.
A Cloudflare turnstile problem is used to filter out bots, whereas the assault additionally possible consists of IP checks earlier than legitimate targets are directed to a Microsoft 365 login phishing web page.
If the customer is deemed a bot, safety researcher, or an out-of-scope goal normally, they’re redirected to a innocent car-themed decoy web page as an alternative.
The JavaScript on the touchdown web page decrypts and retrieves both the phishing web page or the car-themed decoy primarily based on the AiTM server’s analysis of the customer.
The emergence and proliferation of Rockstar 2FA mirror the persistence of phishing operators, who proceed to supply illicit providers regardless of vital regulation enforcement operations taking down one of many largest PhaaS platforms just lately and arresting its operators.
So long as these commodity instruments proceed to be accessible for cybercriminals at a low price, the chance of large-scale efficient phishing operations stays vital.