- Security researchers from Trustwave discover new phishing kit capable of stealing Microsoft 365 accounts
- Rockstar 2FA can relay MFA codes and obtain session cookies
- The service is being offered on the dark web for just $200
There is a worrying new phishing kit that enables cybercriminals to go after people’s Microsoft 365 accounts, even those protected by multi-factor authentication (MFA). It is called “Rockstar 2FA”, and it goes for $200 on the dark web.
Cybersecurity researchers from Trustwave recently discovered, and analyzed the new kit, noting how since August 2024, it has been aggressively promoted on Telegram and among other cybercriminal communities.
The kit’s developers claim it supports Microsoft 365, Hotmail, GoDaddy, SSO, and offers randomized source code and links to evade detection. Furthermore, it uses Cloudflare Turnstile Captcha to screen the victims and make sure it’s not sandboxed or analyzed by bots.
Bypassing MFA and stealing cookies
Phishing, as a method of attack, hasn’t changed much over the years. Crooks send out emails with fake documents, or fabricate urgent warnings the users need to address immediately, or face the consequences. As a result of hasty actions, the victims end up infecting their devices with malware, losing sensitive data, granting valuable access to cybercriminals, and more.
To counter this method, most businesses these days deploy multi-factor authentication , a second layer of authentication that prevents unauthorized access, even when the crooks steal the login credentials. Criminals, on the other hand, responded by creating adversary-in-the-middle (AiTM) methodology, something Rockstar 2FA integrated, as well.
By using the phishing kit, the attackers can create fake Microsoft 365 login pages. When the victim enters their credentials there, they are automatically relayed to the legitimate login page, which then returns the request for MFA. The phishing page returns that request back to the victim, ultimately leading to the account being compromised.
Finally, Rockstar 2FA will grab the authentication cookie being sent from the service to the user, allowing the attackers to remain logged in.
Since May 2024, which seems to be the kit’s date of origin, it set up more than 5,000 phishing domains, the researchers concluded.
Via BleepingComputer