An interruption to the phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm.
“It appears that the [Rockstar2FA] group running the service experienced at least a partial collapse of its infrastructure, with pages associated with the service no longer reachable,” Sophos said in a new report published last week. “This does not appear to be because of a takedown action, but due to some technical failure on the backend of the service.”
Rockstar2FA was first documented by Trustwave late last month as a PhaaS service that allows criminal actors to launch phishing attacks that are capable of harvesting Microsoft 365 account credentials and session cookies, thereby circumventing multi-factor authentication (MFA) protections.
The service is assessed to be an updated version of the DadSec phishing kit, which is tracked by Microsoft under the name Storm-1575. A majority of the phishing pages have been found to be hosted on .com, .de, .ru. and .moscow top-level domains, although the use of .ru domains is believed to have shrunk over time.
Rockstar2FA appears to have suffered a technical interruption on November 11, 2024, when redirects to intermediate decoy pages generated Cloudflare time-out errors and the counterfeit login pages failed to load.
While it’s not clear what caused the disruption, the void left by the PhaaS toolkit has resulted in a surge in phishing activity associated with FlowerStorm, which has been active since at least June 2024.
Sophos said that both the services share similarities when it comes to the format of the phishing portal pages and the methods used to connect to the backend servers for credential harvesting, raising the possibility of a common ancestry. They also abuse Cloudflare Turnstile in order to ensure that the incoming page requests are not from bots.
It’s suspected that the November 11 disruption represents either a strategic pivot in one of the groups, a change in personnel running them, or an intentional effort to decouple the twin operations. There is no definitive evidence linking the two services at this stage.
The most frequently targeted countries using FlowerStorm include the United States, Canada, the United Kingdom, Australia, Italy, Switzerland, Puerto Rico, Germany, Singapore, and India.
“The most heavily targeted sector is the service industry, with particular focus on firms providing engineering, construction, real estate, and legal services and consulting,” Sophos said.
If anything, the findings once again illustrate the ongoing trend of attackers using cybercriminal services and commodity tools to carry out cyber attacks at scale even without requiring much technical expertise.
