
The FlowerStorm PaaS Platform Targeting Microsoft Users with Deceptive Login Pages


The Rockstar2FA phishing kit is a Platform as a Service (PaaS) tool designed to replicate the authentic credential-request mechanisms of cloud/SaaS platforms. Cybercriminals distribute phishing campaigns via Telegram, using unique URLs to direct users to fake login pages, where login credentials and multifactor authentication tokens are stolen through HTTP POST requests to adversary-controlled servers.

Most phishing pages operate under domains registered in the .com, .de, .ru, and .moscow top-level domains, with a minority deployed on Cloudflare Pages. The pages use manually created subdomains that connect to separate backend servers to exfiltrate the stolen data.

On November 11th, the Rockstar2FA phishing kit faced disruptions: the decoy pages failed to redirect and instead displayed a Cloudflare 522 error, and the portal pages malfunctioned and were unable to load the counterfeit Microsoft login portal, indicating a severed connection to the backend server.

Coinciding with these disruptions, FlowerStorm phishing activity surged. FlowerStorm is another PaaS platform, operational since June 2024. Its phishing pages communicate with backend servers through a next.php file, sharing similarities with Rockstar2FA in their methods of operation.
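As an added illustration (not code from the original article or from Sophos), the following Python scores constructed proxy log lines for the pattern described above: a credential POST to a next.php endpoint on a host outside the legitimate Microsoft login domains, with extra weight for the top-level domains and Cloudflare Pages hosting mentioned in this article. The log format, the allowlist of known-good hosts and every hostname in the sample are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (timestamp client method url status); the
# hostnames are placeholders invented for this example, not real indicators.
SAMPLE_LOG = """\
1733900001 10.1.2.3 GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize 200
1733900002 10.1.2.3 POST https://login.microsoftonline.com/common/login 302
1733900050 10.1.2.9 GET https://account-verify-placeholder.moscow/?id=a8f3c1 200
1733900055 10.1.2.9 POST https://account-verify-placeholder.moscow/next.php 200
1733900090 10.1.2.4 POST https://intranet-placeholder.example/next.php 200
1733900120 10.1.2.7 POST https://signin-placeholder.pages.dev/next.php 200
"""
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
KNOWN_GOOD = ("microsoftonline.com", "live.com", "microsoft.com")  # assumed allowlist
KIT_TLDS = {"de", "ru", "moscow"}  # TLDs the article names; .com omitted as too noisy

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"], rec["path"] = (parts.hostname or ""), parts.path
    return rec

def score(rec):
    """0 = benign, 2 = worth review, 3+ = matches the kit exfiltration pattern."""
    host = rec["host"]
    if any(host == d or host.endswith("." + d) for d in KNOWN_GOOD):
        return 0  # a credential POST to the real Microsoft login hosts is expected
    s = 0
    if rec["method"] == "POST" and rec["path"].endswith("/next.php"):
        s += 2  # backend endpoint the article attributes to FlowerStorm pages
    if host.rsplit(".", 1)[-1] in KIT_TLDS:
        s += 1  # domain in one of the TLDs the kits favour
    if host.endswith(".pages.dev"):
        s += 1  # Cloudflare Pages hosting, also noted in the article
    return s

def find_suspicious(log_text, threshold=2):
    """Return (client, url, score) for every line scoring at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and score(rec) >= threshold:
            hits.append((rec["client"], rec["url"], score(rec)))
    return hits
```

Calling find_suspicious(SAMPLE_LOG) returns the .moscow and pages.dev next.php posts at score 3 and the internal next.php post at score 2 for analyst review; the real Microsoft login traffic scores 0.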

Both phishing platforms exhibit commonalities in their development, with similar HTML structures and shared backend communication methods. The timing of their domain registrations and page detections suggests a potential link between the two operations, indicating shared infrastructure or coordinated operations.

FlowerStorm, a paid phishing service, resembles Rockstar2FA in its infrastructure and communication methods, including PHP-based backend communication and email validation features. It primarily targets organizations in the US, Canada, and other Western countries, with a focus on the service sector and a preference for North American and European targets.

Analyses by Sophos of Rockstar2FA and FlowerStorm kits reveal similarities in content and domain registration patterns, indicating a possible shared origin. However, the divergent activities post-November 11th suggest strategic shifts, changes in personnel, infrastructure disruptions, or deliberate efforts to avoid detection.

While FlowerStorm’s rapid expansion has led to operational errors, providing insights into its backend infrastructure, Rockstar2FA faced disruptions that impacted its phishing operations. The cybersecurity landscape continues to evolve as threat actors adapt their tactics to evade detection and improve their phishing capabilities.
