Phishing-as-a-Service “Rockstar 2FA” Targets Microsoft 365 Users with AiTM Attacks

Cybersecurity researchers are warning about malicious email campaigns that use a phishing toolkit called Rockstar 2FA to steal Microsoft 365 account credentials. The campaign relies on an adversary-in-the-middle (AiTM) attack, which lets attackers capture both user credentials and session cookies. As a result, even users with multi-factor authentication (MFA) enabled can still be at risk, according to Trustwave researchers Diana Solomon and John Kevin Adriano. Rockstar 2FA is seen as a newer version of the DadSec phishing kit. Microsoft tracks the creators and sellers of the DadSec platform under the name Storm-1575.

Like earlier kits, this one is advertised on services like ICQ, Telegram, and Mail.ru, with a subscription cost of $200 for two weeks or $350 for a month. This pricing allows cybercriminals with little technical skill to launch large-scale attacks. Some features of Rockstar 2FA include the ability to bypass two-factor authentication, harvest 2FA cookies, protect against bots, mimic popular service login pages, and provide undetectable links, along with integration with Telegram bots.

The tool claims to offer an easy-to-use admin panel, enabling users to monitor their phishing campaigns, create URLs and attachments, and personalize themes for their links. Trustwave has identified various ways these email campaigns gain initial access, such as through URLs, QR codes, and document attachments. These messages often come from hacked accounts or spam tools and use different lure templates, including file-sharing notifications and requests for electronic signatures.

The kit uses legitimate link redirectors, such as shortened URLs and URL protection services, to evade antispam detection. It also includes antibot measures based on Cloudflare Turnstile to prevent automated analysis of its phishing pages. Trustwave noted that the attackers host their phishing links on legitimate platforms like Atlassian Confluence, Google Docs Viewer, LiveAgent, and Microsoft services, taking advantage of the trust people have in these sites.

Researchers pointed out that the phishing pages look very similar to the official sign-in pages of the brands they copy, despite the obfuscation applied to the HTML code. Any information users enter on these phishing pages is immediately sent to the attackers' servers, where the stolen credentials are then used to obtain the victim's session cookie.
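Because the attack ends with a stolen session cookie rather than just a password, one defender-side check is to look for a session that is reused from a different client than the one that completed MFA. The sketch below is an added example, not code from Trustwave or the original report; the record fields, event names and sample events are constructed for illustration and do not follow any real log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; field names are hypothetical, not a real log schema.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T09:00:05", "session": "s-1001", "event": "signin_mfa_ok",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"time": "2024-01-15T09:03:40", "session": "s-1001", "event": "mailbox_access",
     "ip": "203.0.113.44", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"time": "2024-01-15T09:10:00", "session": "s-2002", "event": "signin_mfa_ok",
     "ip": "192.0.2.10", "ua": "Mozilla/5.0 (Macintosh)"},
    {"time": "2024-01-15T09:45:00", "session": "s-2002", "event": "mailbox_access",
     "ip": "192.0.2.10", "ua": "Mozilla/5.0 (Macintosh)"},
    {"time": "2024-01-15T10:00:00", "session": "s-3003", "event": "mailbox_access",
     "ip": "192.0.2.99", "ua": "Mozilla/5.0 (Macintosh)"},  # no sign-in observed
]

def find_session_replays(events, window=timedelta(hours=1)):
    """Flag sessions reused, within `window` of the MFA sign-in, from a client
    whose IP differs from the one that completed the sign-in."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)
    alerts = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        signin = next((e for e in evs if e["event"] == "signin_mfa_ok"), None)
        if signin is None:
            continue  # token issued before logging began: no baseline to compare
        issued = datetime.fromisoformat(signin["time"])
        for ev in evs:
            age = datetime.fromisoformat(ev["time"]) - issued
            if ev is signin or not timedelta(0) <= age <= window:
                continue
            if ev["ip"] != signin["ip"]:
                alerts.append({
                    "session": session,
                    "signin_ip": signin["ip"],
                    "reuse_ip": ev["ip"],
                    "ua_changed": ev["ua"] != signin["ua"],  # raises confidence
                    "seconds_after_signin": int(age.total_seconds()),
                })
    return alerts

if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_EVENTS):
        print(alert)
```

An IP change alone also occurs for roaming or VPN users, so treat a hit as a triage signal and weigh it together with the user-agent change and the time since sign-in.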

Additionally, Malwarebytes reported on a phishing scheme called Beluga, which tricks users into revealing their Microsoft OneDrive credentials through email attachments. These credentials are then sent to a Telegram bot.

Phishing links and fake betting game ads on social media have been found promoting adware apps like MobiDash and fake financial apps that steal personal information while pretending to offer quick financial gains.

An analyst from Group-IB CERT, Mahmoud Mosaad, explained that the advertised betting games are designed to look like real chances to win money but aim to trick users into depositing funds that they may never get back. Through these fake apps and websites, scammers collect both personal and financial information from users during sign-up. Victims can face heavy financial losses, with some reporting losses exceeding $10,000.
