Cybersecurity researchers are warning about malicious e-mail campaigns leveraging a phishing-as-a-service (PhaaS) toolkit referred to as Rockstar 2FA with an intention to steal Microsoft 365 account credentials.
“This marketing campaign employs an AitM [adversary-in-the-middle] assault, permitting attackers to intercept consumer credentials and session cookies, which signifies that even customers with multi-factor authentication (MFA) enabled can nonetheless be susceptible,” Trustwave researchers Diana Solomon and John Kevin Adriano stated.
Rockstar 2FA is assessed to be an up to date model of the DadSec (aka Phoenix) phishing equipment. Microsoft is monitoring the builders and distributors of the Dadsec PhaaS platform underneath the moniker Storm-1575.
Like its predecessors, the phishing equipment is marketed through companies like ICQ, Telegram, and Mail.ru underneath a subscription mannequin for $200 for 2 weeks (or $350 for a month), permitting cyber criminals with little-to-no technical experience to mount campaigns at scale.
A number of the promoted options of Rockstar 2FA embody two-factor authentication (2FA) bypass, 2FA cookie harvesting, antibot safety, login web page themes mimicking standard companies, totally undetectable (FUD) hyperlinks, and Telegram bot integration.
It additionally claims to have a “trendy, user-friendly admin panel” that permits prospects to trace the standing of their phishing campaigns, generate URLs and attachments, and even personalize themes which are utilized to the created hyperlinks.
Electronic mail campaigns noticed by Trustwave leverage numerous preliminary entry vectors akin to URLs, QR codes, and doc attachments, that are embedded inside messages despatched from compromised accounts or spamming instruments. The emails make use of varied lure templates starting from file-sharing notifications to requests for e-signatures.
Moreover utilizing respectable hyperlink redirectors (e.g., shortened URLs, open redirects, URL safety companies, or URL rewriting companies) as a mechanism to bypass antispam detection, the equipment incorporates antibot checks utilizing Cloudflare Turnstile in an try to discourage automated evaluation of the AitM phishing pages.
Trustwave stated it noticed the platform using respectable companies like Atlassian Confluence, Google Docs Viewer, LiveAgent, and Microsoft OneDrive, OneNote, and Dynamics 365 Buyer Voice to host the phishing hyperlinks, highlighting that risk actors are making the most of the belief that comes with such platforms.
“The phishing web page design carefully resembles the sign-in web page of the model being imitated regardless of quite a few obfuscations utilized to the HTML code,” the researchers stated. “All the information offered by the consumer on the phishing web page is straight away despatched to the AiTM server. The exfiltrated credentials are then used to retrieve the session cookie of the goal account.”
The disclosure comes as Malwarebytes detailed a phishing marketing campaign dubbed Beluga that employs .HTM attachments to dupe e-mail recipients into coming into their Microsoft OneDrive credentials on a bogus login kind, that are then exfiltrated to a Telegram bot.
Phishing hyperlinks and misleading betting recreation advertisements on social media have additionally been discovered to push adware apps like MobiDash in addition to fraudulent monetary apps that steal private knowledge and cash underneath the guise of promising fast returns.
“The betting video games marketed are offered as respectable alternatives to win cash, however they’re rigorously designed to trick customers into depositing funds, which they might by no means see once more,” Group-IB CERT analyst Mahmoud Mosaad stated.
“By these fraudulent apps and web sites, scammers would steal each private and monetary info from customers in the course of the registration course of. Victims can undergo vital monetary losses, with some reporting losses of greater than US$10,000.”
