Cybersecurity researchers have issued a warning about a new phishing campaign run on the Phishing-as-a-Service (PhaaS) platform known as Rockstar 2FA. The primary aim of these attacks is to steal Microsoft 365 account data, specifically session cookies.
In a recent report, Trustwave highlighted that the operation uses a “man-in-the-middle” technique to intercept account credentials and session cookies, even from users with multi-factor authentication (MFA) enabled.
Rockstar 2FA is considered to be an upgraded version of DadSec (also known as Phoenix). Microsoft is closely monitoring the developers and distributors of this platform under the codename Storm-1575. The tool is available on a subscription basis, priced at $200 for two weeks or $350 per month, making it accessible to cybercriminals with limited technical skills to carry out large-scale attacks.
Key features of Rockstar 2FA include two-factor authentication bypass, cookie harvesting, anti-bot protection, themes that mimic popular service login pages, and integration with Telegram bots. The platform also offers an easy-to-use admin panel for managing malicious campaigns and customizing links.
Cybercriminals use various methods for initial access, such as URLs, QR codes, and malicious documents. These deceptive messages are often sent from compromised accounts or through spam tools. To evade anti-spam filters, they use legitimate URL shortening services, redirects, and Cloudflare Turnstile challenges.
Trustwave points out that attackers place phishing links on trusted platforms like Google Docs Viewer, Atlassian Confluence, and Microsoft OneDrive to enhance the effectiveness of the attacks, as users are less likely to question the legitimacy of such links.
Data that victims enter on the fake pages is swiftly transmitted to the attackers’ server. The stolen credentials are then used to obtain session cookies, granting full access to the account while bypassing multi-factor authentication.
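One defender-side check this attack model implies, added here as an example and not taken from the Trustwave report: a cookie captured by the phishing proxy is usually replayed from a different IP and browser soon after the victim's real sign-in, so sign-in events that share a session id but come from a new client inside a short window are worth alerting on. The event records and field names below are constructed for the example, not a real Microsoft 365 log format.

```python
"""Detect replay of a session cookie from an unfamiliar client.

A cookie captured by a phishing proxy is typically replayed by the attacker
from a different IP and browser within minutes of the victim's MFA-verified
sign-in. Group events by session id and flag such reuse.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Session "s-1" is
# presented from a second IP/agent minutes after the MFA sign-in; "s-2" is
# only ever seen from the client that authenticated.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "session": "s-1", "ip": "203.0.113.10",
     "agent": "Win10/Edge", "mfa": True, "time": "2024-11-27T09:00:00"},
    {"user": "alice@example.com", "session": "s-1", "ip": "198.51.100.7",
     "agent": "Linux/Chrome", "mfa": False, "time": "2024-11-27T09:04:30"},
    {"user": "bob@example.com", "session": "s-2", "ip": "203.0.113.22",
     "agent": "macOS/Safari", "mfa": True, "time": "2024-11-27T09:10:00"},
    {"user": "bob@example.com", "session": "s-2", "ip": "203.0.113.22",
     "agent": "macOS/Safari", "mfa": False, "time": "2024-11-27T09:40:00"},
]


def find_session_replays(events, window=timedelta(minutes=30)):
    """Return one alert per event that reuses a session id from a new IP or
    user agent within `window` after the session's MFA-verified sign-in."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)
    alerts = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        origin = next((e for e in evs if e["mfa"]), None)  # interactive sign-in
        if origin is None:
            continue
        t0 = datetime.fromisoformat(origin["time"])
        for ev in evs:
            t = datetime.fromisoformat(ev["time"])
            moved = ev["ip"] != origin["ip"] or ev["agent"] != origin["agent"]
            if moved and timedelta(0) < t - t0 <= window:
                alerts.append({"user": ev["user"], "session": session,
                               "origin_ip": origin["ip"], "replay_ip": ev["ip"],
                               "minutes_after_signin": int((t - t0).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic would run over real sign-in telemetry, and pairing it with phishing-resistant MFA (FIDO2/passkeys) and short session lifetimes reduces what a stolen cookie is worth in the first place.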
The rise of cybercrime-as-a-service models underscores how the accessibility and user-friendliness of malicious tools can pose a significant threat, even in the hands of novice hackers. Users are advised to remain vigilant when interacting with any online resources, even those that appear trustworthy, to safeguard against such threats.