Rockstar 2FA PhaaS Toolkit
Cybersecurity experts have raised concerns about a growing hazard: malicious email campaigns utilizing a Phishing-as-a-Service (PhaaS) toolkit known as Rockstar 2FA. This toolkit, designed to harvest Microsoft 365 account credentials, represents an advanced approach to phishing attacks.
By leveraging Adversary-in-the-Middle (AiTM) techniques, Rockstar 2FA enables attackers to intercept user credentials and session cookies. Alarmingly, even accounts protected with Multi-Factor Authentication (MFA) are vulnerable to these attacks, because the phishing page relays the real login flow, MFA prompt included, and captures the session that results. This showcases the evolving sophistication of cybercriminal operations.
Evolution from DadSec to Rockstar 2FA
Rockstar 2FA appears to be an upgraded iteration of the DadSec phishing kit, also known as Phoenix. Microsoft has been actively tracking its creators and distributors under the codename Storm-1575.
True to its PhaaS model, Rockstar 2FA is marketed on platforms like ICQ, Telegram, and Mail.ru. For a subscription fee of $200 for two weeks or $350 for a month, it allows even inexperienced cybercriminals to launch large-scale phishing campaigns with minimal technical knowledge.
Key Features Empowering Cybercriminals
The developers of Rockstar 2FA promote numerous features designed to enhance the effectiveness of phishing campaigns. These include:
- 2FA Bypass: Tools to sidestep Multi-Factor Authentication defenses.
- Session Hijacking: Harvesting cookies to gain unauthorized access.
- Antibot Protection: Mechanisms to block automated security scans.
- Customizable Login Pages: Themes mimicking trusted brands and services.
- Telegram Integration: Notifications and updates via Telegram bots.
Additionally, its 'modern, user-friendly admin panel' allows users to manage their campaigns efficiently, from generating phishing links to personalizing templates for greater authenticity.
Exploiting Trust through Familiar Tools
One of the standout tactics employed by Rockstar 2FA campaigns is the strategic use of trusted platforms such as Atlassian Confluence, Google Docs Viewer, Microsoft OneDrive, OneNote and Dynamics 365 Customer Voice to host phishing links. By embedding malicious URLs within these reputable services, attackers capitalize on the trust users place in them, increasing the likelihood of a successful compromise.
Sophisticated Tactics to Evade Detection
Rockstar 2FA campaigns employ diverse methods to distribute phishing lures. These include:
- Embedded URLs: Links embedded in emails that appear legitimate.
- QR Codes: A modern twist on phishing that sidesteps link analysis, since the URL travels inside an image rather than as a hyperlink in the message text.
- Document Attachments: Files designed to entice users to click.
To further evade detection, the toolkit incorporates techniques such as antibot checks using Cloudflare Turnstile and legitimate redirectors like URL shorteners and URL rewriting services. These measures help the phishing pages evade antispam filters and automated threat analysis tools.
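The two preceding points, trusted services used to host phishing links and legitimate shorteners and URL rewriters placed in front of them, mean that a mail filter cannot clear a link on the reputation of its first hostname. The following triage routine is an added example written for this article, not code from the toolkit or from any vendor: it peels wrapper parameters off a link offline (the wrapper key names and the shortener and trusted-host lists are constructed assumptions, not a vendor's list), then reports every hop that lands on a shortener or on a trusted collaboration host, so the analyst sees why the link still needs a look at the actual landing page.

```python
from urllib.parse import urlparse, parse_qs

# Constructed lists for illustration; a real deployment would load curated
# lists from its own threat-intelligence feeds rather than hard-code them.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}
TRUSTED_HOSTS = {
    "docs.google.com", "onedrive.live.com", "1drv.ms", "onenote.com",
    "atlassian.net", "dynamics.com", "customervoice.microsoft.com",
}
# Assumption: link rewriters and "open this document" viewers carry the real
# target in one of these query parameters (Google Docs Viewer uses `url=`).
WRAPPER_KEYS = ("url", "u", "target", "redirect")


def unwrap(url, max_depth=5):
    """Return the chain of URLs obtained by peeling wrapper parameters.

    No network access is made: only wrappers whose target is visible in the
    query string are unwrapped. A shortener therefore ends the chain.
    """
    chain = [url]
    for _ in range(max_depth):
        qs = parse_qs(urlparse(chain[-1]).query)  # parse_qs percent-decodes values
        inner = next(
            (qs[k][0] for k in WRAPPER_KEYS if k in qs and qs[k][0].startswith("http")),
            None,
        )
        if inner is None or inner in chain:  # nothing more to peel, or a loop
            break
        chain.append(inner)
    return chain


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(url):
    """Classify one email link as 'allow' or 'review', with the reasons."""
    chain = unwrap(url)
    reasons = []
    for hop, link in enumerate(chain):
        host = host_of(link)
        if matches(host, SHORTENERS):
            reasons.append(f"hop {hop}: {host} is a URL shortener; the landing page is hidden")
        elif matches(host, TRUSTED_HOSTS):
            reasons.append(f"hop {hop}: {host} is a trusted service whose reputation must not clear the link")
    if len(chain) > 1:
        reasons.append(f"{len(chain) - 1} redirector/rewriter hop(s) before the final destination")
    return {
        "url": url,
        "final": chain[-1],
        "final_host": host_of(chain[-1]),
        "verdict": "review" if reasons else "allow",
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample links, not real campaign indicators.
    for sample in (
        "https://docs.google.com/viewer?url=https%3A%2F%2Flure.example.net%2Finvoice.pdf",
        "https://rewriter.example.com/redirect?url=https%3A%2F%2Fbit.ly%2Fabc123",
        "https://intranet.example.org/report",
    ):
        result = triage(sample)
        print(result["verdict"], result["final_host"], result["reasons"])
```

The routine deliberately stops at a shortener instead of resolving it: following redirects from a mail gateway is exactly the automated analysis the toolkit's antibot checks are built to detect and block, so the "review" verdict hands the link to a sandbox or analyst rather than pretending the chain was fully resolved.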
Mimicking Brands with Precision
Rockstar 2FA's phishing pages are meticulously designed to imitate the login pages of popular services. Despite obfuscation applied to the HTML code, these pages maintain a high degree of authenticity. Once a user enters their credentials, the data is transmitted to an AiTM server in real time. The collected credentials are then used to extract session cookies, granting attackers access to the victim's account without triggering additional authentication challenges.
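Because the stolen cookie lets the attacker in without a fresh challenge, the defender's signal is not a failed MFA event but a session that behaves oddly after MFA succeeded. The detector below is an added example written for this article, not code from the toolkit, Microsoft or any vendor. It rests on one stated heuristic: in an AiTM flow the interactive sign-in that satisfies MFA arrives through the attacker's relay, and the captured session is then replayed from the attacker's own client, so a session used from a different network (and often a different browser) shortly after it was minted deserves review. The record fields, the sign-in data and the ASN/user-agent values are constructed for the example and do not follow any real identity provider's log schema.

```python
from datetime import datetime, timedelta

# Constructed sign-in records, not real telemetry. The first event of each
# session is the interactive sign-in that satisfied MFA and minted the session;
# later events reuse that session without a fresh challenge.
SIGN_INS = [
    {"ts": "2024-11-28T09:00:00", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "asn": 64500, "ua": "Chrome/130 Windows",
     "interactive": True, "mfa": True},
    {"ts": "2024-11-28T09:04:00", "user": "alice@example.com", "session": "S1",
     "ip": "198.51.100.77", "asn": 64511, "ua": "Chrome/118 Linux",
     "interactive": False, "mfa": False},
    {"ts": "2024-11-28T10:00:00", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.20", "asn": 64500, "ua": "Edge/130 Windows",
     "interactive": True, "mfa": True},
    {"ts": "2024-11-28T11:30:00", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.20", "asn": 64500, "ua": "Edge/130 Windows",
     "interactive": False, "mfa": False},
]


def detect_session_reuse(events, window=timedelta(hours=24)):
    """Flag sessions that, soon after an MFA-backed sign-in, are used from a
    different network (ASN) than the one that passed the challenge."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    origin = {}  # session id -> the interactive, MFA-satisfying event that minted it
    alerts = []
    for e in events:
        sid = e["session"]
        if e["interactive"] and e["mfa"]:
            origin[sid] = e
            continue
        o = origin.get(sid)
        if o is None:  # session minted outside the data we hold; nothing to compare
            continue
        age = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(o["ts"])
        if age > window:  # old sessions roam legitimately; keep the rule tight
            continue
        changed = [f for f in ("ip", "asn", "ua") if e[f] != o[f]]
        if "asn" in changed:
            alerts.append({
                "user": e["user"],
                "session": sid,
                "minted_from": o["ip"],
                "reused_from": e["ip"],
                "minutes_after_mfa": int(age.total_seconds() // 60),
                "changed": changed,
                # a client change on top of a network change is the stronger signal
                "severity": "high" if "ua" in changed else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SIGN_INS):
        print(alert)
```

On the sample data only Alice's session fires: it was minted from one network and, four minutes later, used from another with a different browser string, while Bob's session stays on the same network and client. The rule keys on the ASN rather than the raw IP so that ordinary carrier address churn does not page anyone, and the response to a hit is to revoke the session and re-challenge the user, which is the one control a replayed cookie cannot survive.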
A Call for Vigilance
The emergence of Rockstar 2FA underscores the need for organizations and individuals to remain vigilant. Advanced phishing tactics such as AiTM attacks can bypass traditional security measures, making it critical to adopt a multi-layered approach to account protection. Regular user education, along with advanced detection tools, plays a pivotal role in mitigating such threats.