Cybersecurity researchers are warning about malicious email campaigns leveraging a phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA, with the goal of stealing Microsoft 365 account credentials.
“This campaign employs an AitM [adversary-in-the-middle] attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multi-factor authentication (MFA) enabled can still be vulnerable,” Trustwave researchers Diana Solomon and John Kevin Adriano stated.
Rockstar 2FA is assessed to be an updated version of the DadSec (aka Phoenix) phishing kit. Microsoft is tracking the developers and distributors of the DadSec PhaaS platform under the moniker Storm-1575.
Like its predecessors, the phishing kit is advertised via services like ICQ, Telegram, and Mail.ru under a subscription model of $200 for two weeks (or $350 for a month), allowing cybercriminals with little to no technical expertise to mount campaigns at scale.
Some of the advertised features of Rockstar 2FA include two-factor authentication (2FA) bypass, 2FA cookie harvesting, antibot protection, login page themes mimicking popular services, fully undetectable (FUD) links, and Telegram bot integration.
It also claims to have a “modern, user-friendly admin panel” that allows customers to track the status of their phishing campaigns, generate URLs and attachments, and even personalize the themes applied to the created links.
Email campaigns observed by Trustwave leverage various initial access vectors such as URLs, QR codes, and document attachments, which are embedded within messages sent from compromised accounts or spamming tools. The emails use varied lure templates ranging from file-sharing notifications to requests for e-signatures.
Besides using legitimate link redirectors (e.g., shortened URLs, open redirects, URL protection services, or URL rewriting services) as a mechanism to bypass antispam detection, the kit incorporates antibot checks using Cloudflare Turnstile in an attempt to deter automated analysis of the AitM phishing pages.
Trustwave said it observed the platform using legitimate services like Atlassian Confluence, Google Docs Viewer, LiveAgent, and Microsoft OneDrive, OneNote, and Dynamics 365 Customer Voice to host the phishing links, highlighting that threat actors are taking advantage of the trust that comes with such platforms.
“The phishing page design closely resembles the sign-in page of the brand being imitated despite numerous obfuscations applied to the HTML code,” the researchers stated. “All the data provided by the user on the phishing page is immediately sent to the AiTM server. The exfiltrated credentials are then used to retrieve the session cookie of the target account.”
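Because an AitM kit relays the victim's real MFA-satisfied sign-in and then reuses the captured session cookie from the attacker's own infrastructure, one defensive signal is a non-interactive session use from a new IP shortly after an interactive MFA sign-in. The following detection heuristic is an added example, not code from Trustwave or the article; the event fields, the constructed sample events and the 30-minute window are assumptions, and legitimate IP changes (mobile roaming, VPNs) will produce benign hits that need allow-listing.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SignIn:
    """Simplified sign-in event (assumed schema, not a vendor log format)."""
    user: str
    ts: datetime
    ip: str
    interactive: bool  # True: user typed credentials; False: existing session/cookie reused
    mfa: bool          # MFA was satisfied on this event

def find_session_hijacks(events, window=timedelta(minutes=30)):
    """Flag session reuse from a different IP within `window` of an MFA sign-in.

    Returns (user, signin_ip, reuse_ip, reuse_time) tuples, one per suspicious reuse.
    """
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if not (e.interactive and e.mfa):
                continue  # only interactive MFA sign-ins seed a correlation
            for later in evs[i + 1:]:
                if later.ts - e.ts > window:
                    break  # events are time-sorted, nothing further is in window
                if not later.interactive and later.ip != e.ip:
                    alerts.append((user, e.ip, later.ip, later.ts))
    return alerts

# Constructed sample: alice's cookie is replayed from a second IP four minutes
# after her MFA sign-in; bob and carol show only benign patterns.
T0 = datetime(2024, 11, 1, 10, 0)
SAMPLE_EVENTS = [
    SignIn("alice", T0, "203.0.113.5", interactive=True, mfa=True),
    SignIn("alice", T0 + timedelta(minutes=4), "198.51.100.7", interactive=False, mfa=False),
    SignIn("bob", T0, "192.0.2.9", interactive=True, mfa=True),
    SignIn("bob", T0 + timedelta(minutes=5), "192.0.2.9", interactive=False, mfa=False),
    SignIn("carol", T0, "192.0.2.20", interactive=True, mfa=True),
    SignIn("carol", T0 + timedelta(hours=2), "192.0.2.21", interactive=False, mfa=False),
]

if __name__ == "__main__":
    for user, src, reuse, when in find_session_hijacks(SAMPLE_EVENTS):
        print(f"possible session hijack: {user} signed in from {src}, session reused from {reuse} at {when}")
```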
The disclosure comes as Malwarebytes detailed a phishing campaign dubbed Beluga that uses .HTM attachments to dupe email recipients into entering their Microsoft OneDrive credentials on a bogus login form, which are then exfiltrated to a Telegram bot.
Phishing links and deceptive betting game ads on social media have also been found to push adware apps like MobiDash as well as fraudulent financial apps that steal personal data and money under the guise of promising quick returns.
“The betting games advertised are presented as legitimate opportunities to win money, but they are carefully designed to trick users into depositing funds, which they may never see again,” Group-IB CERT analyst Mahmoud Mosaad stated.
“Through these fraudulent apps and websites, scammers would steal both personal and financial information from users during the registration process. Victims can suffer significant financial losses, with some reporting losses of more than US$10,000.”