New FlowerStorm Microsoft Phishing Service Fills Void Left by Rockstar2FA
Summary:
A new phishing-as-a-service platform dubbed "FlowerStorm" is quickly gaining traction, stepping in to replace the now-defunct Rockstar2FA cybercrime service. Rockstar2FA, which was first documented by Trustwave in late November 2024, enabled large-scale adversary-in-the-middle (AiTM) attacks targeting Microsoft 365 credentials. It offered advanced evasion tools, an intuitive interface, and various phishing methods, providing cybercriminals access for $200 every two weeks. Researchers from Sophos, Sean Gallagher and Mark Parsons, revealed that Rockstar2FA suffered a partial infrastructure failure on November 11, 2024, causing several of its pages to become unreachable. Sophos clarified that this disruption was likely due to a technical issue, rather than law enforcement intervention. In the weeks following, FlowerStorm, which had first appeared online in June 2024, began gaining significant popularity. Sophos pointed out that FlowerStorm shares many features with Rockstar2FA, indicating that its operators may have rebranded to minimize exposure and continue their activities.
Security Officer Comments:
According to Sophos, both Rockstar2FA and FlowerStorm employ phishing portals that mimic legitimate login pages (e.g., Microsoft) to steal credentials and MFA tokens, relying on backend servers hosted on .ru and .com domains. The HTML structure of their phishing pages is strikingly similar, incorporating random text in comments, Cloudflare "turnstile" security features, and prompts such as "Initializing browser security protocols." Furthermore, the credential harvesting techniques are highly similar, utilizing fields for email, password, and session tracking tokens. Both platforms also support email validation and MFA through their backend systems.
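The page traits listed above (Turnstile widget, the "Initializing browser security protocols" stall text, junk text in HTML comments, email/password fields plus a session token field, and a form that posts to a different host) can be turned into a simple triage heuristic for URLs that land in a sandbox or a mail-security queue. The following is an added example written for this summary; it is not code from Sophos, Trustwave, or BleepingComputer. The Turnstile script URL and CSS class are taken from Cloudflare's public Turnstile documentation (assumption: the kits embed the standard widget), and the junk-comment regex, the "three or more hits" threshold, the sample HTML, and all hostnames in it are constructed for illustration.

```python
"""Heuristic triage of a fetched HTML page for AiTM phishing-kit traits.

Added example, not the vendors' code. Indicators follow the write-up;
thresholds, regexes and sample pages are assumptions/constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Standard Turnstile embed markers (assumption: kits use the stock widget).
TURNSTILE_RE = re.compile(r"challenges\.cloudflare\.com/turnstile|cf-turnstile", re.I)
# Stall prompt quoted in the write-up.
STALL_TEXT_RE = re.compile(r"initializing browser security protocols", re.I)
# A run of 20+ alphanumerics mixing letters and digits: the shape of filler
# text dropped into comments to defeat static signatures (own heuristic).
JUNK_TOKEN_RE = re.compile(r"(?=[A-Za-z0-9]*[A-Za-z])(?=[A-Za-z0-9]*\d)[A-Za-z0-9]{20,}")


class _PageCollector(HTMLParser):
    """Collects comments, form actions and input fields from raw HTML."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.actions = []
        self.input_names = []
        self.hidden_names = []

    def handle_comment(self, data):
        self.comments.append(data)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            self.input_names.append(name)
            if a.get("type", "").lower() == "hidden":
                self.hidden_names.append(name)


def score_page(html, page_host):
    """Return indicator hits, a score and a verdict for one HTML document.

    page_host is the hostname the HTML was served from; a form that posts
    credentials to a different host counts as an indicator.
    """
    p = _PageCollector()
    p.feed(html)
    p.close()

    post_hosts = [h for h in (urlparse(act).hostname for act in p.actions) if h]
    indicators = {
        "turnstile_widget": bool(TURNSTILE_RE.search(html)),
        "stall_text": bool(STALL_TEXT_RE.search(html)),
        "junk_comment": any(JUNK_TOKEN_RE.search(c) for c in p.comments),
        "credential_form": any("email" in n for n in p.input_names)
        and any("pass" in n for n in p.input_names),
        "hidden_session_field": any(
            "session" in n or "token" in n for n in p.hidden_names
        ),
        "cross_domain_post": any(h.lower() != page_host.lower() for h in post_hosts),
    }
    score = sum(indicators.values())
    # Threshold is an assumption: three or more co-occurring traits.
    verdict = "likely AiTM phishing kit" if score >= 3 else "no strong kit signal"
    return {"indicators": indicators, "score": score, "verdict": verdict,
            "post_hosts": post_hosts}


# Constructed sample resembling the traits described (hostnames are fake).
SAMPLE_KIT_PAGE = """<!-- q8Zk2mVb7xLp93TtRc0aWq1sD4fgH --><html><head>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
</head><body><div class="cf-turnstile" data-sitekey="SITEKEY-PLACEHOLDER"></div>
<p>Initializing browser security protocols...</p>
<form action="https://kit-backend.example.ru/login" method="post">
<input type="email" name="email"><input type="password" name="password">
<input type="hidden" name="session" value="sess-0001"></form></body></html>"""

# Constructed benign login page: same-origin post, no kit traits.
SAMPLE_BENIGN_PAGE = """<!-- main layout --><html><body>
<form action="/login" method="post"><input name="email">
<input type="password" name="password"></form></body></html>"""

if __name__ == "__main__":
    for host, page in (("login-portal.example.com", SAMPLE_KIT_PAGE),
                       ("intranet.example.com", SAMPLE_BENIGN_PAGE)):
        print(host, score_page(page, host))
```

Each indicator on its own is weak (Turnstile and a same-page password field are common on legitimate sites), which is why the verdict requires several to co-occur; the returned indicator dictionary is meant to be logged alongside the URL so an analyst can see which traits fired rather than trusting the score alone.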
Suggested Corrections:
Sophos' telemetry reveals that approximately 63% of organizations and 84% of users targeted by FlowerStorm are located in the United States. The sectors most commonly affected include services (33%), manufacturing (21%), retail (12%), and financial services (8%). To protect against phishing attacks linked to FlowerStorm, organizations should implement multi-factor authentication with AiTM-resistant FIDO2 tokens, deploy email filtering solutions, and apply DNS filtering to block access to suspicious domains such as .ru, .moscow, and .dev.
Link(s):
https://www.bleepingcomputer.com/ne...shing-service-fills-void-left-by-rockstar2fa/