November 29, 2024 at 05:33AM
Researchers warn of a phishing-as-a-service (PhaaS) toolkit, Rockstar 2FA, targeting Microsoft 365 credentials through email campaigns. Utilizing adversary-in-the-middle (AitM) attacks, it bypasses multi-factor authentication (MFA). Promoted features assist cybercriminals in executing campaigns with minimal expertise, leading to significant potential financial losses for victims.
### Meeting Takeaways – Cybercrime / Cloud Security (Nov 29, 2024)
1. **Malicious Email Campaigns**: Researchers have identified phishing campaigns using a toolkit called Rockstar 2FA, which targets Microsoft 365 accounts to steal user credentials.
2. **Adversary-in-the-Middle Attack**: The campaign employs AitM attacks, in which the phishing site proxies the real login flow and intercepts both credentials and the resulting session cookies, so accounts protected by multi-factor authentication (MFA) remain vulnerable.
3. **Toolkit Overview**: Rockstar 2FA is an updated version of the DadSec phishing toolkit. It is accessible to cybercriminals with little technical ability for a subscription fee ($200 for two weeks, $350 for a month).
4. **Features of Rockstar 2FA**:
   - Bypass for two-factor authentication (2FA)
   - 2FA cookie harvesting
   - Antibot protection
   - Customizable login page themes
   - Fully undetectable links and Telegram bot integration
   - A user-friendly admin panel for managing campaigns
5. **Diverse Access Vectors**: Email campaigns utilize URLs, QR codes, and document attachments, often using compromised accounts for distribution. Lure templates include file-sharing notifications and e-signature requests.
6. **Bypassing Detection**: The phishing toolkit uses various legitimate link services and incorporates Cloudflare Turnstile antibot checks to evade antispam mechanisms.
7. **Use of Legitimate Platforms**: Phishing links are hosted on trusted services like Atlassian, Google Docs, and Microsoft products, taking advantage of established trust.
8. **Phishing Page Design**: The phishing sites closely mimic legitimate brand sign-in pages, and all captured data (credentials and session cookies) is relayed to the AitM servers.
9. **Related Campaigns**: Malwarebytes has reported another phishing campaign (Beluga) using .HTM attachments to harvest Microsoft OneDrive credentials.
10. **Fraudulent Financial Schemes**: Ads for fake betting games are designed to trick users into financial loss, with victims reporting losses exceeding $10,000 due to fraudulent apps and websites.
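As an added example (not code from the report or from the toolkit), the following check implements a defender-side detection for the AitM session-cookie theft described in points 2 and 8: a cookie minted by an MFA-satisfied sign-in from a network the user never uses, then replayed from yet another network. The event schema, user, ASNs and baseline are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str        # "signin": MFA-satisfied sign-in that minted a cookie; "activity": cookie use
    user: str
    session_id: str
    asn: str         # ASN of the client IP, as a cloud identity sign-in log would record it

# Constructed baseline: networks each user normally signs in from (hypothetical data).
KNOWN_ASNS = {"alice@example.com": {"AS64500"}}

def detect_session_replay(events, known_asns, window=timedelta(hours=2)):
    """Return {session_id: set(reasons)} for sessions showing AitM indicators:
    - the sign-in that minted the cookie came from a network the user never uses
      (the AitM proxy sits between victim and the real login service), and
    - the cookie is then used, within `window`, from a network different from the
      one that minted it (the attacker replaying the harvested cookie)."""
    minted, findings = {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "signin":
            minted[ev.session_id] = ev
            if ev.asn not in known_asns.get(ev.user, set()):
                findings.setdefault(ev.session_id, set()).add("mfa sign-in from unknown network")
        elif ev.kind == "activity":
            origin = minted.get(ev.session_id)
            if origin and ev.asn != origin.asn and ev.ts - origin.ts <= window:
                findings.setdefault(ev.session_id, set()).add("cookie used from network other than issuer")
    return findings

# Constructed sample events (hypothetical, not taken from the report).
T0 = datetime(2024, 11, 29, 5, 0)
SAMPLE = [
    Event(T0, "signin", "alice@example.com", "s-legit", "AS64500"),
    Event(T0 + timedelta(minutes=10), "activity", "alice@example.com", "s-legit", "AS64500"),
    Event(T0 + timedelta(minutes=30), "signin", "alice@example.com", "s-stolen", "AS64496"),    # via AitM proxy
    Event(T0 + timedelta(minutes=35), "activity", "alice@example.com", "s-stolen", "AS64511"),  # replayed elsewhere
]

if __name__ == "__main__":
    for sid, reasons in detect_session_replay(SAMPLE, KNOWN_ASNS).items():
        print(sid, sorted(reasons))
```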
### Next Steps
- Monitor for further developments regarding the Rockstar 2FA toolkit and related phishing tactics.
- Educate teams on recognizing phishing attempts, especially those targeting Microsoft 365 and financial applications.
- Increase awareness of the signs of social engineering and fraudulent applications to minimize risk.