Infrastructure Problems Blamed; Users Appear to Move to Similar FlowerStorm Service
As the end of the year approaches, it’s out with the old and in with the new, not least on the cybercrime front.
Once high-flying cybercrime-as-a-service operation Rockstar 2FA, delivering prolific phishing-as-a-service hits, has crashed and burned, according to cybersecurity firm Sophos. Following service problems, subscribers appear to have moved to another, possibly related operation that researchers have dubbed FlowerStorm.
Phishing-as-a-service kits spare would-be criminals the drudgery of building their own realistic-looking login screens and back-end phishing infrastructure from scratch. While Rockstar 2FA, also written Rockstar2FA, debuted in late 2023, attacks tied to the toolkit surged in August, cybersecurity firm Trustwave SpiderLabs reported last month. Those attacks largely directed potential victims to fake Microsoft 365 or Office 365 login pages, and an unusually large share of those landing pages sported an automotive theme. Some of the attacks also used malicious QR codes designed to bypass security tools and route users to attacker-controlled phishing sites.
Phishing-as-a-service (PaaS) kits market themselves on ease of use and value for money, and advertisements for Rockstar 2FA were no exception: they trumpeted users’ ability to control phishing campaigns through a Telegram bot that provides a dedicated admin panel, and touted the kit’s ability to generate URLs and attachments for sending to targets, as well as customized themes.
“Marketing posts from Telegram showcase Rockstar 2FA’s various features, including two-factor authentication (2FA) bypass, harvesting of 2FA cookies, antibot protection, multiple login page themes, randomized source codes and attachments, fully undetectable (FUD) links, Telegram bot integration and a user-friendly admin panel, among others,” SpiderLabs said.
Pricing started at $200 for a two-week subscription, with $180 for a two-week API renewal – giving users access to the PaaS back-end infrastructure – plus various one-time or monthly subscription options.
Any victims who visited a URL delivered in the attacks would be directed to a real-looking login page designed to steal their credentials, hosted on a third-party server. “These back-end servers were largely on .ru, .de and .moscow registered domains,” Sophos said. “The decoy pages were frequently hosted on the same hosts as the back-end servers.”
Rockstar 2FA Offline
Just one problem for Rockstar 2FA and its criminally inclined subscribers: the entire operation appeared to go belly-up on Nov. 11, Sophos said. “Elements of the phishing service’s infrastructure are now no longer reachable, returning an HTTP 522 response – indicating that they were cut off from the Cloudflare content delivery network,” it said. “Telegram channels associated with command and control of the service also appear to have gone offline.”
The decline and fall of any illicit service raises the question of whether law enforcement or rivals might have penetrated and disrupted it. Sophos said that doesn’t appear to be the case. Researchers said they’ve seen repeated efforts by the operation’s developers to restore service, so far without success. “This may be because of a web hosting problem or some other technical issue plaguing the Rockstar 2FA operators,” they said. “The fact that the Telegram bots used to run the service also appear to be down suggests there is some larger sort of disruption to the operation.”
By Nov. 22, 10 days after the outage began, Sophos said it tracked a surge in activity tied to FlowerStorm, which appears to have first launched in June and which displays a number of similarities to Rockstar 2FA, including in the way it attempts to abuse Cloudflare’s content delivery network. While other phishing toolkits have offered such functionality, “the structure of FlowerStorm and Rockstar phishing portals suggests at least a common ancestry,” and may even extend to “a shared infrastructure,” it said.
The service isn’t officially known as FlowerStorm. Rather, that’s a name chosen by security researchers, who borrowed Microsoft’s “Storm” codename convention for emerging groups and combined it with the operators’ penchant for giving their web pages HTML titles bearing the names of flowers, such as IvyLeaf, ElderBlossom, NectarineBlossom and PeachLeaf.
FlowerStorm appears to have been unready for its surge in users. “The rapid ramp-up of FlowerStorm has led to some mistakes and misconfigurations in their operations that have allowed them to also easily be disrupted,” Sophos said. “Those mistakes have also provided us with an opportunity to more closely examine their back-end operations.”
The top targets for users of FlowerStorm have recently been employees of U.S. organizations, who account for 65% of targets, followed by employees of organizations based in Canada at 9%, the United Kingdom at 5%, Australia at 4%, Italy and Switzerland at 3% and Germany at 1%. “Beyond those locations, Singapore, India, Israel, New Zealand and the United Arab Emirates make up the remaining 5% of targets,” it said.
Life After DadSec, Phoenix
If Rockstar 2FA is tied to FlowerStorm, it wouldn’t be the first time one online criminal service has been closely related to another. Researchers said the Rockstar 2FA phishing kit appears to be an update of both the DadSec phishing kit, which launched in May 2023, as well as Phoenix, which launched in late 2023.
Microsoft tracks DadSec using the codename Storm-1575 and in October 2023 reported that the operation was “responsible for some of the highest volumes of phishing attacks tracked by Microsoft since it was initially seen in May 2023.”
Key to DadSec’s popularity was its “open registration process that lets large numbers of actors easily launch campaigns using ready-built phishing pages and domains,” Microsoft said.
Researchers say many phishing kits are used for multi-stage, adversary-in-the-middle – aka AiTM – attacks that move across multiple organizations, oftentimes in pursuit of business email compromise schemes.
“Adversary-in-the-middle is a type of attack that aims to intercept authentication between users and a legitimate authentication service for the purpose of compromising identities or performing other actions,” Microsoft said.
In some cases, attackers use a compromised email account inside one organization in pursuit of high-value targets both inside and outside the same organization, it said. Such phishing communications coming from a legitimate – albeit compromised – email account can make them more difficult for a recipient to spot.
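Because an AiTM proxy relays the victim’s password and one-time code to the real identity provider and keeps the resulting session cookie, the thing a defender can look for in sign-in records is not a failed login but a successful session that is later presented from a different network. The following detector is an added example written for this article, not code from Sophos, Microsoft or any phishing kit; the record fields and the sample events are constructed assumptions.

```python
"""Flag possible AiTM session-cookie replay in constructed sign-in records.

Hypothetical log schema (assumption, not a real vendor format): one row per
time a session token is presented, with the time, user, session id, source
IP and country. In an AiTM case the first row for a session is the proxy's
upstream connection that satisfied 2FA; a later row from another country is
the stolen cookie being replayed by the attacker's own browser.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    country: str


# Constructed sample events (RFC 5737 documentation addresses, not real data).
EVENTS = [
    SignIn(datetime(2024, 11, 22, 9, 0), "alice@example.test", "S1", "203.0.113.10", "US"),
    SignIn(datetime(2024, 11, 22, 9, 4), "alice@example.test", "S1", "198.51.100.7", "RU"),
    SignIn(datetime(2024, 11, 22, 9, 30), "bob@example.test", "S2", "203.0.113.20", "US"),
    SignIn(datetime(2024, 11, 22, 10, 0), "bob@example.test", "S2", "203.0.113.20", "US"),
]


def find_session_replay(events, window=timedelta(hours=1)):
    """Return (user, session_id, first_ip, replay_ip) tuples for sessions
    whose token is reused from a different IP and country within `window`
    of the first time it was seen. A same-IP or same-country reuse (bob)
    is treated as ordinary roaming and not reported."""
    first_seen = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.user, e.session_id)
        origin = first_seen.setdefault(key, e)
        if origin is e:
            continue  # first sighting of this session; nothing to compare
        if (e.ip != origin.ip and e.country != origin.country
                and e.ts - origin.ts <= window):
            hits.append((e.user, e.session_id, origin.ip, e.ip))
    return hits


if __name__ == "__main__":
    for hit in find_session_replay(EVENTS):
        print("possible session replay:", hit)
```

Tuning the window and adding a known-good network list are the obvious next steps; the point is that the signal lives in successful sessions, not in authentication failures.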