The cybercrime landscape is constantly evolving, with new threats and trends emerging all the time. One recent development is the downfall of the Rockstar 2FA cybercrime-as-a-service operation. According to cybersecurity firm Sophos, Rockstar 2FA, a phishing-as-a-service toolkit behind a large volume of credential-phishing campaigns, has collapsed because of problems with its own infrastructure.
Rockstar 2FA debuted in late 2023, and attacks tied to the toolkit surged in August. These attacks largely directed potential victims to fake Microsoft 365 or Office 365 login pages, many of them dressed up with an automotive theme. Some attacks also delivered the phishing link as a QR code, which sidesteps URL scanning in email security tools and moves the victim onto a phone, often an unmanaged personal one, before redirecting them to a phishing site controlled by the attackers.
Phishing-as-a-service kits like Rockstar 2FA make it easier for cybercriminals to launch phishing campaigns by providing pre-built login screens and the backend infrastructure that collects whatever victims type into them. These kits often market themselves on ease of use and value for money, making them popular among would-be cybercriminals. The "2FA" in the name is the selling point: kits of this class do not break two-factor authentication, they proxy the login in real time so that the victim's one-time code and the resulting session are captured along with the password. That is also their limit: phishing-resistant methods such as FIDO2 security keys and passkeys are bound to the genuine site's origin and will not complete on a lookalike page.
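As an added illustration, not part of this article or of the Sophos research, the following Python script shows one heuristic check a defender could run on a page fetched from a suspicious link: it flags pages that carry Microsoft sign-in branding but are served from, or post a password form to, a host outside an allow-list of Microsoft login hosts. The allow-list, the branding phrases and the three sample pages are assumptions constructed for the example; the `.example` domains are reserved names, not real phishing infrastructure.

```python
"""Heuristic check for Microsoft 365 lookalike login pages.

Added example: not from the original article or from Sophos. The allow-list,
branding phrases and sample pages below are assumptions constructed for the
demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a defender treats as legitimate Microsoft sign-in origins.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
}

# Phrases that lookalike pages copy verbatim from the real sign-in page.
BRAND_MARKERS = ("sign in to your account", "microsoft", "office 365")


class _LoginPageParser(HTMLParser):
    """Collect the <title>, every <form action>, and whether a password field exists."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.form_actions = []
        self.has_password_field = False
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _host(url):
    """Lower-cased hostname of a URL, or '' for relative URLs."""
    return (urlparse(url).hostname or "").lower()


def assess_login_page(page_url, html):
    """Return the reasons a page looks like a Microsoft-lookalike phishing page.

    An empty list means no heuristic fired. Two heuristics are applied:
    1. Microsoft sign-in branding served from a host outside the allow-list.
    2. A password form that submits to a host outside the allow-list
       (kits typically post captured credentials to their own backend).
    """
    parser = _LoginPageParser()
    parser.feed(html)
    parser.close()

    page_host = _host(page_url)
    lowered = html.lower()
    branded = any(marker in lowered for marker in BRAND_MARKERS)
    reasons = []

    if branded and page_host not in MICROSOFT_LOGIN_HOSTS:
        reasons.append(f"Microsoft-branded sign-in content served from {page_host}")

    if branded and parser.has_password_field:
        for action in parser.form_actions:
            # A relative action posts back to the page's own host.
            target = _host(action) or page_host
            if target not in MICROSOFT_LOGIN_HOSTS:
                reasons.append(f"password form posts to {target}")
    return reasons


# Constructed sample pages (not captured from any real campaign).
LEGIT_URL = "https://login.microsoftonline.com/common/oauth2/authorize"
LEGIT_HTML = """<html><head><title>Sign in to your account</title></head>
<body><form action="/common/login" method="post">
<input type="email" name="loginfmt"><input type="password" name="passwd">
</form></body></html>"""

# Lookalike page on an unrelated, automotive-themed domain that posts the
# credentials to a separate collector host.
PHISH_URL = "https://auto-parts-deals.example/office/index.html"
PHISH_HTML = """<html><head><title>Sign in to your account</title></head>
<body><form action="https://api-collector.example/submit" method="post">
<input type="email" name="loginfmt"><input type="password" name="passwd">
</form></body></html>"""

# Unbranded internal portal: a password form alone is not a signal.
PLAIN_URL = "https://intranet.example/login"
PLAIN_HTML = """<html><head><title>Intranet Portal</title></head>
<body><form action="/login" method="post">
<input type="password" name="pw"></form></body></html>"""


if __name__ == "__main__":
    for url, page in ((LEGIT_URL, LEGIT_HTML), (PHISH_URL, PHISH_HTML), (PLAIN_URL, PLAIN_HTML)):
        print(url, "->", assess_login_page(url, page) or "no findings")
```

The check is deliberately narrow: it fires only when branding and an untrusted host coincide, so an unbranded internal portal with its own password form is not reported. It is a triage aid for a fetched page, not a substitute for phishing-resistant MFA, since a kit that proxies the real site can still pass the session through.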
Unfortunately for Rockstar 2FA and its subscribers, the entire operation went offline on Nov. 11. While some speculated that law enforcement or rival cybercriminal groups may have been responsible for the takedown, Sophos believes it was due to technical issues plaguing the operators. Despite efforts to restore service, the Rockstar 2FA infrastructure remains inaccessible.
In the wake of Rockstar 2FA’s demise, a new cybercrime-as-a-service operation has emerged—FlowerStorm. Security researchers have noted several similarities between FlowerStorm and Rockstar 2FA, including attempts to abuse Cloudflare’s content delivery network. FlowerStorm, which is believed to have first launched in June, has seen a surge in activity following Rockstar 2FA’s shutdown.
FlowerStorm, named by researchers for its use of flower-themed HTML titles, has quickly become a popular tool among cybercriminals. However, the rapid ramp-up of FlowerStorm has led to mistakes and misconfigurations in its operations, making it vulnerable to disruption.
The top targets for users of FlowerStorm are primarily employees of U.S. organizations, followed by employees of organizations based in Canada, the United Kingdom, Australia, Italy, and Switzerland. Other countries like Singapore, India, Israel, New Zealand, and the United Arab Emirates make up the remaining targets.
It is worth noting that FlowerStorm may have ties to other cybercrime operations, such as DadSec and Phoenix. Researchers believe that Rockstar 2FA is an update of the DadSec phishing kit, which was responsible for a high volume of phishing attacks tracked by Microsoft. Many phishing kits, including DadSec, are used for multi-stage attacks designed to compromise identities or perform other malicious actions.
The downfall of Rockstar 2FA and the rise of FlowerStorm show how quickly the phishing-as-a-service market adapts to outages, law enforcement actions and security measures: subscribers simply move to the next kit. Organizations should plan for that continuity rather than for any one kit's demise, by moving high-value accounts to phishing-resistant MFA, restricting sign-ins with conditional access policies, and watching for the sign-in anomalies that follow a stolen session, while continuing to train users to distrust unexpected login prompts and QR codes.

