Cybersecurity researchers are warning about malicious electronic mail campaigns leveraging a phishing-as-a-service (PhaaS) toolkit known as Rockstar 2FA with an goal to steal Microsoft 365 account credentials.
“This marketing campaign employs an AitM [adversary-in-the-middle] assault, permitting attackers to intercept person credentials and session cookies, which implies that even customers with multi-factor authentication (MFA) enabled can nonetheless be susceptible,” Trustwave researchers Diana Solomon and John Kevin Adriano stated.
Rockstar 2FA is assessed to be an up to date model of the DadSec (aka Phoenix) phishing package. Microsoft is monitoring the builders and distributors of the Dadsec PhaaS platform underneath the moniker Storm-1575.
Like its predecessors, the phishing package is marketed by way of providers like ICQ, Telegram, and Mail.ru underneath a subscription mannequin for $200 for 2 weeks (or $350 for a month), permitting cyber criminals with little-to-no technical experience to mount campaigns at scale.
A few of the promoted options of Rockstar 2FA embrace two-factor authentication (2FA) bypass, 2FA cookie harvesting, antibot safety, login web page themes mimicking widespread providers, absolutely undetectable (FUD) hyperlinks, and Telegram bot integration.
It additionally claims to have a “fashionable, user-friendly admin panel” that permits prospects to trace the standing of their phishing campaigns, generate URLs and attachments, and even personalize themes which are utilized to the created hyperlinks.
E mail campaigns noticed by Trustwave leverage various preliminary entry vectors resembling URLs, QR codes, and doc attachments, that are embedded inside messages despatched from compromised accounts or spamming instruments. The emails make use of assorted lure templates starting from file-sharing notifications to requests for e-signatures.
Apart from utilizing reputable hyperlink redirectors (e.g., shortened URLs, open redirects, URL safety providers, or URL rewriting providers) as a mechanism to bypass antispam detection, the package incorporates antibot checks utilizing Cloudflare Turnstile in an try to discourage automated evaluation of the AitM phishing pages.
Trustwave stated it noticed the platform using reputable providers like Atlassian Confluence, Google Docs Viewer, LiveAgent, and Microsoft OneDrive, OneNote, and Dynamics 365 Buyer Voice to host the phishing hyperlinks, highlighting that menace actors are profiting from the belief that comes with such platforms.
“The phishing web page design carefully resembles the sign-in web page of the model being imitated regardless of quite a few obfuscations utilized to the HTML code,” the researchers stated. “All the information supplied by the person on the phishing web page is instantly despatched to the AiTM server. The exfiltrated credentials are then used to retrieve the session cookie of the goal account.”
The disclosure comes as Malwarebytes detailed a phishing marketing campaign dubbed Beluga that employs .HTM attachments to dupe electronic mail recipients into getting into their Microsoft OneDrive credentials on a bogus login type, that are then exfiltrated to a Telegram bot.
Phishing hyperlinks and misleading betting recreation advertisements on social media have additionally been discovered to push adware apps like MobiDash in addition to fraudulent monetary apps that steal private knowledge and cash underneath the guise of promising fast returns.
“The betting video games marketed are offered as reputable alternatives to win cash, however they’re rigorously designed to trick customers into depositing funds, which they could by no means see once more,” Group-IB CERT analyst Mahmoud Mosaad stated.
“By these fraudulent apps and web sites, scammers would steal each private and monetary info from customers in the course of the registration course of. Victims can endure vital monetary losses, with some reporting losses of greater than US$10,000.”