Phishing-as-a-Service “Rockstar 2FA” Targets Microsoft 365 Users with AiTM Attacks

Cyber Security

Nov 29, 2024Ravie LakshmananCybercrime / Cloud Security

Cybersecurity researchers are warning about malicious email campaigns leveraging a phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA with an aim to steal Microsoft 365 account credentials.

“This campaign employs an AitM [adversary-in-the-middle] attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multi-factor authentication (MFA) enabled can still be vulnerable,” Trustwave researchers Diana Solomon and John Kevin Adriano said.

Rockstar 2FA is assessed to be an updated version of the DadSec (aka Phoenix) phishing kit. Microsoft is tracking the developers and distributors of the Dadsec PhaaS platform under the moniker Storm-1575.

Like its predecessors, the phishing kit is advertised via services like ICQ, Telegram, and Mail.ru under a subscription model for $200 for two weeks (or $350 for a month), allowing cyber criminals with little-to-no technical expertise to mount campaigns at scale.

Some of the promoted features of Rockstar 2FA include two-factor authentication (2FA) bypass, 2FA cookie harvesting, antibot protection, login page themes mimicking popular services, fully undetectable (FUD) links, and Telegram bot integration.

It also claims to have a “modern, user-friendly admin panel” that enables customers to track the status of their phishing campaigns, generate URLs and attachments, and even personalize themes that are applied to the created links.

Email campaigns spotted by Trustwave leverage diverse initial access vectors such as URLs, QR codes, and document attachments, which are embedded within messages sent from compromised accounts or spamming tools. The emails make use of various lure templates ranging from file-sharing notifications to requests for e-signatures.

Besides using legitimate link redirectors (e.g., shortened URLs, open redirects, URL protection services, or URL rewriting services) as a mechanism to bypass antispam detection, the kit incorporates antibot checks using Cloudflare Turnstile in an attempt to deter automated analysis of the AitM phishing pages.

Trustwave said it observed the platform utilizing legitimate services like Atlassian Confluence, Google Docs Viewer, LiveAgent, and Microsoft OneDrive, OneNote, and Dynamics 365 Customer Voice to host the phishing links, highlighting that threat actors are taking advantage of the trust that comes with such platforms.

“The phishing page design closely resembles the sign-in page of the brand being imitated despite numerous obfuscations applied to the HTML code,” the researchers said. “All the data provided by the user on the phishing page is immediately sent to the AiTM server. The exfiltrated credentials are then used to retrieve the session cookie of the target account.”

The disclosure comes as Malwarebytes detailed a phishing campaign dubbed Beluga that employs .HTM attachments to dupe email recipients into entering their Microsoft OneDrive credentials on a bogus login form, which are then exfiltrated to a Telegram bot.

Phishing links and deceptive betting game ads on social media have also been found to push adware apps like MobiDash as well as fraudulent financial apps that steal personal data and money under the guise of promising quick returns.

“The betting games advertised are presented as legitimate opportunities to win money, but they are carefully designed to trick users into depositing funds, which they may never see again,” Group-IB CERT analyst Mahmoud Mosaad said.

“Through these fraudulent apps and websites, scammers would steal both personal and financial information from users during the registration process. Victims can suffer significant financial losses, with some reporting losses of more than US$10,000.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.