Rockstar 2FA: A Growing Threat in Phishing-as-a-Service

In recent months a new phishing-as-a-service (PhaaS) platform called Rockstar 2FA has appeared. Because it packages adversary-in-the-middle (AiTM) phishing into a rentable kit, it gives even low-skilled operators the means to run large-scale campaigns.

The platform focuses on Microsoft 365 accounts and is dangerous because it bypasses multifactor authentication (MFA) by stealing the session cookie issued after a successful login, which lets attackers take over accounts even when MFA is enabled.

In this article, we will explore the features of Rockstar 2FA, the attack flow, the security risks it creates, and the mitigation techniques that can be put in place to prevent such an attack.

What is Rockstar 2FA?

Rockstar 2FA is a phishing kit sold as a service: the newest generation of PhaaS offerings, built to let cybercriminals run sophisticated phishing campaigns without building the infrastructure themselves.

It is an updated version of earlier phishing kits such as DadSec and Phoenix, which were active in 2023. The platform targets Microsoft 365 accounts as well as other services, including Hotmail, GoDaddy, and single sign-on (SSO) portals.

Rockstar 2FA differs from traditional phishing in that it defeats multifactor authentication (MFA) through an adversary-in-the-middle (AiTM) attack. The phishing page is a reverse proxy that sits between the victim and the real login service: the attacker still captures the victim's username and password, but the credentials alone are not what gives them access.

The proxy also relays the MFA prompt, and once the victim completes it, the session cookie that the real service issues passes back through the proxy on its way to the victim's browser, where the attacker captures it.

With that cookie the attacker's browser is treated as the already-authenticated victim, so neither the password nor a fresh MFA code is needed to get into the account.

Key Features of Rockstar 2FA

MFA Bypass

The core advantage of Rockstar 2FA is session cookie theft. When a victim enters credentials on the rogue Microsoft 365 page, the AiTM server forwards them to the genuine Microsoft service in real time, along with the MFA response the victim supplies next.

When authentication succeeds, the service returns a session cookie. It passes through the attacker's proxy on its way to the victim's browser, so the attacker keeps a copy and can use it to access the account without triggering another MFA prompt.

Low-Cost and Accessible

The pricing model attracts cybercriminals: Rockstar 2FA is sold for $200 for two weeks, with an API renewal priced at $180.

This low cost, together with distribution through platforms like Telegram, makes the kit easy to acquire and widely used among threat actors.

Customizable Phishing Pages

It allows the operator to customize phishing pages with branded graphics such as logos and background images so the page looks authentic, and offers ready-made login themes, which increase the chances of a successful phish.

Obfuscation and Evasion Techniques

Rockstar 2FA uses obfuscated code to evade detection by security tools. Its other evasion features include a Cloudflare Turnstile challenge in front of the phishing page, which keeps automated scanners and sandboxes from reaching it, and "FUD" (fully undetectable) links and attachments, which make the phishing emails harder for filters to flag.

Real-Time Monitoring

The admin panel offers real-time logging and activity reporting, so the operator can track metrics in detail: the number of compromised accounts, the bots that were blocked, and the successful phishing attempts.

Attack Flow

The attack usually begins with a phishing email that sends the victim to a phishing login page for Microsoft 365. Some of the most common baits include shared documents, password reset requests, or even some HR- or payroll-related messages.

The victim lands on the fake login page and submits their credentials, unaware that everything they type is captured.

Rockstar 2FA's server relays the credentials to Microsoft's genuine service. Because the page is a proxy, the MFA prompt is relayed too; the victim completes it, authentication succeeds, and the session cookie travels back through the proxy to the victim's browser.

At that point the attacker holds a copy of the session cookie and can replay it from their own browser to take control of the account. MFA is still enabled on the account; it has simply already been satisfied by the victim.

Rockstar 2FA Mitigation Strategies

Email Security

Adequate protection starts with email filtering that can distinguish phishing messages carrying malicious links or attachments from legitimate mail.

It also requires monitoring of the organization's email traffic to spot suspicious messages sent from already compromised accounts, including marketing-style mailings sent through a hijacked account.

Enhance Multifactor Authentication

Use phishing-resistant MFA such as FIDO2/WebAuthn hardware security keys (for example a YubiKey). Unlike SMS codes or app-based one-time codes, which a victim can be tricked into typing into a proxied page, a security key signs a challenge that is bound to the origin the browser is actually on, so an assertion obtained through a phishing domain is rejected by the real service.
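The following is an added example (not code from the article, from Rockstar 2FA, or from any FIDO vendor) showing in a toy form why a WebAuthn assertion obtained through an AiTM proxy fails. The relying-party ID `login.example.com`, the origins, and the phishing domain `login-microsoft.example` are assumptions, and the authenticator's ECDSA signature is replaced by an HMAC with a per-credential secret so the code runs with the standard library alone. The two checks that matter are real WebAuthn checks: the relying party verifies that `clientDataJSON.origin` is an origin it expects and that `authenticatorData` starts with SHA-256 of its RP ID.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                       # assumption: the real IdP's RP ID
ALLOWED_ORIGINS = {"https://login.example.com"}   # assumption: origins the RP accepts


class ToyAuthenticator:
    """Stand-in for a security key. Signs authData || SHA-256(clientDataJSON),
    the byte layout WebAuthn uses, but with HMAC instead of ECDSA (assumption)."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)      # stand-in for the private key

    def get_assertion(self, rp_id, challenge, browser_origin):
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            separators=(",", ":"),
        ).encode()
        # authenticatorData: rpIdHash (32 bytes) || flags (UP set) || signCount (4 bytes)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.secret, signed, hashlib.sha256).digest()
        return client_data, auth_data, sig


def browser_get(key, page_origin, rp_id, challenge):
    """Browser-side rule, simplified: a page may only claim an rpId equal to its host
    or a parent domain of it, and the browser writes the page's real origin into
    clientDataJSON. The page never gets to choose that origin string."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None                                 # a real browser raises SecurityError
    return key.get_assertion(rp_id, challenge, page_origin)


def verify_assertion(secret, challenge, assertion):
    """Relying-party checks; returns 'ok' or the name of the first failing check."""
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad_type"
    if cd.get("challenge") != challenge:
        return "bad_challenge"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return "bad_origin"                         # this is what stops the AiTM proxy
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "bad_rp_id_hash"
    expected = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad_signature"
    return "ok"


def legitimate_login(key):
    challenge = secrets.token_urlsafe(32)
    assertion = browser_get(key, "https://login.example.com", RP_ID, challenge)
    return verify_assertion(key.secret, challenge, assertion)


def phished_login(key):
    """The proxy relays the real RP's challenge to the victim, whose browser is on
    the phishing domain (assumption: https://login-microsoft.example)."""
    challenge = secrets.token_urlsafe(32)
    # Attempt 1: the phishing page asks for the real rpId. The browser refuses.
    attempt1 = browser_get(key, "https://login-microsoft.example", RP_ID, challenge)
    # Attempt 2: it asks for its own rpId. A real key would have no credential for it;
    # we let the toy key sign anyway to show that the RP still rejects the result,
    # because the signed origin (and rpIdHash) belong to the phishing site.
    attempt2 = browser_get(key, "https://login-microsoft.example",
                           "login-microsoft.example", challenge)
    return attempt1, verify_assertion(key.secret, challenge, attempt2)


if __name__ == "__main__":
    k = ToyAuthenticator()
    print("legitimate:", legitimate_login(k))
    print("phished:", phished_login(k))
```

Contrast this with a one-time code: the code is a bare string with no notion of where it was typed, so relaying it through the proxy works; the WebAuthn assertion carries the origin inside the signed data, so relaying it does not.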

Session Management

Robust session management policies should include absolute and idle timeouts for sessions and re-authentication requirements for high-risk actions, such as changing MFA methods or creating mailbox rules.

This is crucial because it limits a session cookie's useful lifetime and drastically narrows the window in which a stolen cookie can be replayed.
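The following is an added example that is not part of the original article and not code from Rockstar 2FA; it is an offline simulation of the attack flow described earlier (proxy relays credentials and the MFA response, cookie passes back through the proxy) and of the two session controls this section recommends. `ToyIdP` stands in for the identity provider, `AitmProxy` for the kit's reverse proxy, the one-time code is a constant, and the cookie lifetime and re-authentication window are assumed values; only the simulated clock moves.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: float   # when the cookie was minted
    auth_time: float   # last time the user completed MFA on this session


class ToyIdP:
    """Stand-in for the real identity provider (assumption: not Microsoft's code).
    Authentication is password + a one-time code; success mints a bearer cookie."""

    def __init__(self, users, session_ttl=8 * 3600, reauth_window=15 * 60):
        self.users = users                   # user -> (password, current one-time code)
        self.session_ttl = session_ttl       # absolute cookie lifetime in seconds
        self.reauth_window = reauth_window   # freshness required for high-risk actions
        self.sessions = {}
        self.now = 0.0                       # simulated clock, advanced by the scenario

    def login(self, user, password, otp):
        pw, code = self.users.get(user, (None, None))
        if pw != password or code != otp:
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(user, self.now, self.now)
        return cookie

    def session_for(self, cookie):
        s = self.sessions.get(cookie)
        if s is None or self.now - s.issued_at > self.session_ttl:
            return None       # unknown or expired; the bearer cookie is all that is checked
        return s

    def read_mail(self, cookie):
        s = self.session_for(cookie)
        return f"inbox of {s.user}" if s else None

    def add_inbox_rule(self, cookie, otp=None):
        """High-risk action: demands an MFA step-up unless authentication is fresh."""
        s = self.session_for(cookie)
        if s is None:
            return "no_session"
        if self.now - s.auth_time > self.reauth_window:
            if otp != self.users[s.user][1]:
                return "reauth_required"
            s.auth_time = self.now
        return "rule_added"


class AitmProxy:
    """Stand-in for the phishing kit's reverse proxy sitting in front of ToyIdP."""

    def __init__(self, idp):
        self.idp = idp
        self.captured = []   # (user, password, cookie) as seen passing through

    def handle_login(self, user, password, otp):
        cookie = self.idp.login(user, password, otp)   # relayed to the real IdP
        if cookie is not None:
            self.captured.append((user, password, cookie))
        return cookie   # the victim's browser gets the real cookie, so the login "works"


def run_scenario():
    users = {"alice@example.com": ("hunter2", "493021")}   # constructed test account
    idp = ToyIdP(users)
    proxy = AitmProxy(idp)
    result = {}

    # 1. Victim types password and the genuine MFA code into the proxied page.
    victim_cookie = proxy.handle_login("alice@example.com", "hunter2", "493021")
    result["victim_logged_in"] = idp.read_mail(victim_cookie) is not None

    # 2. Attacker replays the captured cookie: no password, no MFA prompt.
    _, _, stolen = proxy.captured[0]
    result["attacker_reads_mail"] = idp.read_mail(stolen) == "inbox of alice@example.com"

    # 3. Twenty minutes later the cookie is still valid, but a high-risk action
    #    now requires a fresh MFA code the attacker does not have.
    idp.now += 20 * 60
    result["attacker_reads_mail_later"] = idp.read_mail(stolen) is not None
    result["attacker_adds_rule"] = idp.add_inbox_rule(stolen)

    # 4. A short absolute lifetime closes even the read-only window.
    short_idp = ToyIdP(users, session_ttl=10 * 60)
    c = AitmProxy(short_idp).handle_login("alice@example.com", "hunter2", "493021")
    short_idp.now += 20 * 60
    result["short_ttl_replay"] = short_idp.read_mail(c) is not None
    return result


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Step 2 is the whole point of the kit: the cookie is a bearer token, so the identity provider cannot tell the attacker's browser from the victim's. Steps 3 and 4 show what the session controls buy you: re-authentication for high-risk actions stops the attacker from persisting (here, adding an inbox rule), and a short absolute lifetime shrinks the read-only window, at the cost of more frequent sign-ins for users.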

User Education

Recurring training programs should familiarize users with phishing attempts and with the need to report suspicious emails they receive.

Employees should also be taught how to verify a login page, starting with the domain shown in the address bar, and should internalize the practice of never entering credentials on an unfamiliar or untrusted site.

Continuous Monitoring with Comprehensive Logging

Implement real-time monitoring and comprehensive logging so that suspicious login patterns and failed login attempts can be detected.

Behavior-based anomaly detection is particularly valuable here, because a replayed session cookie shows up as an existing session being used from a new network location or client shortly after the legitimate sign-in.
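As an added example (not from the article or any vendor), here is detection logic run over a constructed sign-in and activity log. The log lines and their field names (`ts`, `user`, `event`, `session_id`, `ip`, `asn`, `ua`) are assumptions made for the illustration rather than a specific product's schema; Microsoft Entra sign-in logs and the Microsoft 365 audit log carry comparable information. The logic keys on the session identifier: the sign-in that completed MFA defines a baseline network and client, and later use of the same session from a different ASN or user agent within an hour is reported, with the severity raised if a high-risk action happened from the foreign context.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One JSON record per line.
SAMPLE_LOG = """\
{"ts": "2024-11-20T08:00:00Z", "user": "alice@example.com", "event": "signin", "mfa": true, "session_id": "S-1001", "ip": "203.0.113.10", "asn": "AS64496", "ua": "Chrome/130 Windows"}
{"ts": "2024-11-20T08:02:10Z", "user": "alice@example.com", "event": "mailbox.read", "session_id": "S-1001", "ip": "203.0.113.10", "asn": "AS64496", "ua": "Chrome/130 Windows"}
{"ts": "2024-11-20T08:06:45Z", "user": "alice@example.com", "event": "mailbox.read", "session_id": "S-1001", "ip": "198.51.100.77", "asn": "AS64500", "ua": "Firefox/128 Linux"}
{"ts": "2024-11-20T08:07:30Z", "user": "alice@example.com", "event": "inboxrule.create", "session_id": "S-1001", "ip": "198.51.100.77", "asn": "AS64500", "ua": "Firefox/128 Linux"}
{"ts": "2024-11-20T08:10:00Z", "user": "bob@example.com", "event": "signin", "mfa": true, "session_id": "S-1002", "ip": "203.0.113.22", "asn": "AS64496", "ua": "Edge/130 Windows"}
{"ts": "2024-11-20T08:15:00Z", "user": "bob@example.com", "event": "mailbox.read", "session_id": "S-1002", "ip": "203.0.113.23", "asn": "AS64496", "ua": "Edge/130 Windows"}
"""

# Actions an attacker typically takes to persist or exfiltrate (assumed event names).
HIGH_RISK_EVENTS = {"inboxrule.create", "mfa.method.add", "oauth.consent"}


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ts(rec):
    return datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))


def client_context(rec):
    # IP alone is too noisy (NAT, mobile carriers); ASN + user agent is a steadier baseline.
    return (rec["asn"], rec["ua"])


def detect_session_replay(log_text, window=timedelta(hours=1)):
    """One alert per session whose cookie is used from a different network/client
    than the one that completed the sign-in, within `window` of that sign-in."""
    by_session = defaultdict(list)
    for rec in parse_log(log_text):
        by_session[rec["session_id"]].append(rec)

    alerts = []
    for session_id, recs in by_session.items():
        recs.sort(key=ts)
        signin = next((r for r in recs if r["event"] == "signin"), None)
        if signin is None:
            continue                      # no sign-in seen for this session; nothing to baseline
        baseline = client_context(signin)
        foreign = [
            r for r in recs
            if client_context(r) != baseline and ts(r) - ts(signin) <= window
        ]
        if not foreign:
            continue
        risky = sorted({r["event"] for r in foreign if r["event"] in HIGH_RISK_EVENTS})
        alerts.append({
            "user": signin["user"],
            "session_id": session_id,
            "signin_ip": signin["ip"],
            "replay_ips": sorted({r["ip"] for r in foreign}),
            "first_foreign_use": foreign[0]["ts"],
            "minutes_after_signin": (ts(foreign[0]) - ts(signin)).total_seconds() / 60,
            "high_risk_events": risky,
            "severity": "high" if risky else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

On the sample data, Bob's IP change inside the same ASN with the same browser produces no alert, while Alice's session, used from a different ASN and browser seven minutes after her MFA sign-in and then used to create an inbox rule, produces one high-severity alert. In production the baseline would come from the sign-in record that carries the MFA result, and the window and context fields would be tuned to the organization's traffic.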

Protect Your Organization with Certera Anti-Phishing Solution

As cybercriminals are bypassing MFA protections with large-scale phishing campaigns, it is essential to stay ahead of them with proactive defense strategies.

Certera Anti-Phishing Solution gives comprehensive protection against sophisticated threats using cutting-edge technology to identify and neutralize phishing attacks before they hit your users.

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.