Cybersecurity researchers have identified a concerning link between the advanced phishing toolkit known as ‘Rockstar 2FA’ and a surge in adversary-in-the-middle (AiTM) phishing attacks.
These campaigns rely on sophisticated lures to steer victims to fake landing pages that closely mimic genuine Microsoft 365 (O365) login pages. The pages exist to harvest user credentials, which makes Microsoft accounts the focus of this ongoing threat.
According to recent findings, there has been a significant increase in phishing activity since August 2024, with the campaign primarily targeting Microsoft user accounts.
What sets this campaign apart is its use of car-themed web pages, with over 5,000 hits on car-themed domains linked to this campaign since May 2024.
Rockstar 2FA
Rockstar 2FA, an updated version of the DadSec/Phoenix phishing kit, operates under a phishing-as-a-service (PaaS) model, making it easily accessible to cybercriminals.
The kit boasts an array of features, including:
- Two-factor authentication (2FA) bypass
- Harvesting of 2FA cookies
- Antibot protection
- Multiple login page themes
- Randomized source codes and attachments
- Fully undetectable (FUD) links
- Telegram bot integration
- User-friendly admin panel
Alarmingly, Rockstar 2FA is available for as low as US$200 for a two-week subscription service.
“This campaign employs an AiTM attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multifactor authentication (MFA) enabled can still be vulnerable,” Trustwave research said.
The phishing campaigns associated with Rockstar 2FA employ various email delivery mechanisms, including compromised accounts and abused legitimate services. Since these methods originate from trusted sources, traditional filters are less likely to flag them, making them more effective.
The attacks have affected users across multiple sectors and regions, using a variety of themes in their phishing messages, such as:
- Document and file-sharing notifications
- E-signature platform-themed messages
- HR and payroll-related messages
- MFA lures
- IT department notifications
- Password/account-related alerts
- Voicemail notifications
To bypass antispam detections, the threat actors utilize various obfuscation methods, FUD links, and even QR codes. To deter automated analysis of their phishing pages, the landing pages utilize Cloudflare Turnstile, a free service that protects websites from unwanted visitors.
During the investigation, researchers identified noteworthy domains hosting decoy content on the AiTM server. Accessing these domains also displays the decoy page.
Commodity phishing attacks, such as those associated with Rockstar 2FA, are prevalent due to their low cost and ease of deployment.
Because they use AiTM techniques, these attacks bypass additional security layers such as multifactor authentication (MFA), which raises the risk of secondary attacks like account takeover and business email compromise (BEC).
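The Trustwave quote and the paragraph above describe the mechanism that lets AiTM phishing defeat MFA: the victim completes a legitimate, MFA-satisfied sign-in through the proxy, and the attacker then replays the captured session cookie from their own infrastructure. In sign-in telemetry that replay shows up as one session identifier being used from a second source IP, usually with a different ASN or user agent, shortly after the original sign-in. The following detector is an added example written for this article, not code from Trustwave or from the article itself; the JSON field names (`session_id`, `src_ip`, `asn`, `user_agent`, `mfa`) are an assumed log schema rather than any product's real one, and the users, addresses, ASNs and session ids in the sample lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in telemetry (JSON lines). Field names are an
# assumption for this example, not a real product's log schema; users, IPs,
# ASNs and session ids are made up. Note that "mfa" is true on every line:
# in an AiTM attack the victim really does satisfy MFA, so that flag alone
# cannot distinguish the attacker's replay from the victim's own sign-in.
SAMPLE_LOG = """\
{"time":"2024-11-20T09:00:00Z","user":"alice@example.com","session_id":"sess-A1","src_ip":"203.0.113.10","asn":"AS64496","user_agent":"Mozilla/5.0 (Windows NT 10.0) Chrome/118","mfa":true}
{"time":"2024-11-20T09:04:00Z","user":"alice@example.com","session_id":"sess-A1","src_ip":"198.51.100.77","asn":"AS64500","user_agent":"python-requests/2.31","mfa":true}
{"time":"2024-11-20T09:30:00Z","user":"bob@example.com","session_id":"sess-B1","src_ip":"203.0.113.22","asn":"AS64496","user_agent":"Mozilla/5.0 (Windows NT 10.0) Chrome/118","mfa":true}
{"time":"2024-11-20T13:00:00Z","user":"bob@example.com","session_id":"sess-B1","src_ip":"203.0.113.22","asn":"AS64496","user_agent":"Mozilla/5.0 (Windows NT 10.0) Chrome/118","mfa":true}
{"time":"2024-11-20T10:00:00Z","user":"carol@example.com","session_id":"sess-C1","src_ip":"192.0.2.40","asn":"AS64510","user_agent":"Mozilla/5.0 (iPhone) Safari/605","mfa":true}
{"time":"2024-11-20T10:06:00Z","user":"carol@example.com","session_id":"sess-C1","src_ip":"192.0.2.41","asn":"AS64510","user_agent":"Mozilla/5.0 (iPhone) Safari/605","mfa":true}
"""


def parse_events(log_text):
    """Parse JSON-lines sign-in records, converting the timestamp to datetime."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_session_replays(events, window_minutes=30):
    """Flag a session id reused from a different IP within the window.

    A plain IP change is not enough on its own (mobile clients roam between
    addresses inside one carrier network), so the rule also requires the ASN
    or the user agent to change. Consecutive events per session are compared
    in time order; each qualifying pair produces one alert dict.
    """
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session_id"]].append(ev)

    alerts = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            if cur["src_ip"] == prev["src_ip"]:
                continue  # same client address: nothing to see
            changed = [f for f in ("asn", "user_agent") if cur[f] != prev[f]]
            minutes = (cur["time"] - prev["time"]).total_seconds() / 60
            if changed and minutes <= window_minutes:
                alerts.append({
                    "user": cur["user"],
                    "session_id": session_id,
                    "first_seen_ip": prev["src_ip"],
                    "replay_ip": cur["src_ip"],
                    "minutes_between": minutes,
                    "changed_fields": changed,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run against the constructed log, only Alice's session is flagged: the same cookie appears four minutes later from a different address, ASN and user agent. Bob's session stays on one IP, and Carol's address change keeps the same ASN and user agent, which is what ordinary mobile roaming looks like, so neither raises an alert. In production this rule is a triage signal rather than a verdict; the durable mitigation is to stop the replayed cookie from working at all, for example by requiring phishing-resistant authenticators (FIDO2/passkeys) and binding sessions to the device so a cookie lifted by a proxy is worthless elsewhere.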
As Rockstar-led phishing activities continue, cybersecurity experts warn that the threat actors behind this PaaS are likely to keep updating the kit or develop even more advanced phishing tools, posing an ongoing challenge to digital security.