Cyber security news for all

    Rockstar2FA Collapse Spurs Rise of FlowerStorm Phishing-as-a-Service

    A disruption to the phishing-as-a-service (PhaaS) platform known as Rockstar2FA has created fertile ground for the rapid proliferation of a competing service, FlowerStorm, which has quickly gained traction among cybercriminals.

    “Evidence suggests the Rockstar2FA operation suffered a partial infrastructure failure, as its associated pages are now inaccessible,” Sophos revealed in a recent report. “This appears to stem from a backend technical malfunction rather than an intentional takedown effort.”

    The Rise and Fall of Rockstar2FA

    Originally detailed by Trustwave in late October, Rockstar2FA emerged as a potent PhaaS offering. The platform let malicious actors run adversary-in-the-middle (AiTM) phishing campaigns against Microsoft 365: the phishing page relays the victim's credentials and MFA response to the genuine Microsoft sign-in flow in real time, then captures the resulting authenticated session cookie. Because the cookie already represents a completed MFA challenge, replaying it gives the attacker access without ever triggering a second factor.
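    The session-cookie replay that makes this MFA bypass work leaves a detectable trace: the same session is used, without a fresh interactive sign-in, from a client other than the one that completed MFA. The following is an added example written for this page, not code from Sophos, Trustwave or either phishing service; it runs a simple replay heuristic over constructed sign-in events. The field names are an assumption loosely modelled on identity-provider sign-in logs, not a real schema.

```python
"""Heuristic detection of AiTM session-cookie replay (added example).

An AiTM phishing kit proxies the victim's interactive, MFA-satisfied
sign-in and captures the session cookie. The operator then replays that
cookie from their own infrastructure. In sign-in telemetry this looks like
a non-interactive use of an existing session from a different IP and user
agent than the client that completed MFA. Field names below are assumed,
not a real log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    interactive: bool      # True when the user typed credentials / did MFA
    mfa_satisfied: bool


# Constructed sample events (not real telemetry). sess-A is replayed from a
# second client eleven minutes after the interactive MFA sign-in.
EVENTS = [
    SignIn(datetime(2024, 11, 20, 9, 0), "alice@example.com", "sess-A",
           "203.0.113.10", "Edge/130 Windows", True, True),
    SignIn(datetime(2024, 11, 20, 9, 5), "alice@example.com", "sess-A",
           "203.0.113.10", "Edge/130 Windows", False, True),   # normal refresh
    SignIn(datetime(2024, 11, 20, 9, 11), "alice@example.com", "sess-A",
           "198.51.100.77", "python-requests/2.32", False, True),  # replay
    SignIn(datetime(2024, 11, 20, 10, 0), "bob@example.com", "sess-B",
           "203.0.113.22", "Chrome/130 macOS", True, True),
    SignIn(datetime(2024, 11, 20, 10, 30), "bob@example.com", "sess-B",
           "203.0.113.22", "Chrome/130 macOS", False, True),
]


def detect_session_replay(events, window=timedelta(hours=24)):
    """Return (user, session_id, event) tuples for likely cookie replays.

    Each session is anchored by its first interactive, MFA-satisfied
    sign-in. A later non-interactive use of that session inside `window`
    is flagged when BOTH the IP and the user agent differ from the anchor.
    Requiring both keeps ordinary mobile IP roaming (same UA, new IP) out
    of the alert set; drop the UA condition in environments that pin IPs.
    """
    anchors = {}
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.session_id)
        if ev.interactive and ev.mfa_satisfied:
            anchors.setdefault(key, ev)      # first MFA'd sign-in wins
            continue
        anchor = anchors.get(key)
        if anchor is None or ev.ts - anchor.ts > window:
            continue
        if ev.ip != anchor.ip and ev.user_agent != anchor.user_agent:
            findings.append((ev.user, ev.session_id, ev))
    return findings


if __name__ == "__main__":
    for user, sid, ev in detect_session_replay(EVENTS):
        print(f"possible AiTM cookie replay: {user} session {sid} "
              f"from {ev.ip} ({ev.user_agent}) at {ev.ts:%Y-%m-%d %H:%M}")
```

    Running the block flags only Alice's session: the second use of sess-A comes from a new IP and a scripted user agent with no intervening interactive sign-in. Bob's token refresh from the same client is not reported. In production the same logic is usually expressed as a query over the identity provider's sign-in table, with the IP comparison widened to ASN or country to reduce noise.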

    Rockstar2FA is believed to be a successor to the DadSec phishing kit, tracked by Microsoft under the moniker Storm-1575. Phishing pages linked to the service have predominantly utilized domains ending in .com, .de, .ru, and .moscow. However, the reliance on .ru domains has reportedly diminished over time.

    The service suffered a significant outage on November 11, 2024, with redirections to decoy pages producing Cloudflare time-out errors and counterfeit login portals failing to load. The cause of this technical disruption remains unclear.

    FlowerStorm Steps into the Breach

    The collapse of Rockstar2FA has coincided with an uptick in phishing operations attributed to FlowerStorm, a relatively new entrant active since June 2024. Sophos noted striking similarities between the two services, including shared phishing portal designs and backend mechanisms for credential theft. This overlap suggests the possibility of a shared origin or collaboration between the two entities.

    Both platforms have been observed placing their phishing pages behind Cloudflare Turnstile, a CAPTCHA-style challenge designed to distinguish human visitors from bots. The service itself is used as intended; the point is to keep automated scanners and security crawlers from reaching the credential-harvesting page, so that only a real victim in a real browser ever sees the fake login form.

    Sophos hypothesizes that the Rockstar2FA disruption may signify a strategic reorganization, a personnel shift, or a deliberate effort to bifurcate the two operations. However, no concrete evidence currently links the two services definitively.

    Targeted Regions and Sectors

    FlowerStorm’s phishing campaigns have focused primarily on the United States, Canada, the United Kingdom, Australia, Italy, Switzerland, Puerto Rico, Germany, Singapore, and India. The service industry—notably engineering, construction, real estate, legal services, and consulting firms—has borne the brunt of these attacks.

    Implications for Cybersecurity

    The findings underscore a broader trend: the increasing reliance of cybercriminals on commoditized PhaaS tools and services. These platforms enable even technically unsophisticated actors to launch large-scale cyberattacks with relative ease.

    As FlowerStorm’s rise illustrates, the collapse of one cybercriminal service often leads to the rapid emergence of alternatives, perpetuating the cycle of online threats. Cybersecurity defenders must remain vigilant against the constantly evolving tactics of malicious actors leveraging such services.
