Rockstar 2FA and PhaaS Kits

Scams

December 5, 2024

Commodity phishing attacks built on Phishing-as-a-Service (PhaaS) kits remain prevalent because they are cheap, anonymous, and easy to run. Adversary-in-the-middle (AiTM) techniques let attackers bypass additional security measures such as MFA: the phishing site proxies the victim's login, second factor included, to the real service in real time. Cybercriminals use fraudulent apps and websites to steal victims' personal and financial information, often causing significant financial losses; some individuals have reported losses exceeding $10,000. The stolen credentials and sessions also raise the likelihood of secondary attacks, including account takeovers, phishing campaigns sent from compromised accounts, and business email compromise (BEC).

Researchers have noted a significant rise in AiTM phishing attacks linked to the Rockstar 2FA toolkit. The kit is built to bypass two-factor authentication (2FA) by harvesting credentials together with the session cookies issued after a successful 2FA login, and it typically targets Microsoft 365 users, using car-themed decoy pages. Rockstar has enabled large-scale phishing campaigns whose tactics, techniques, and procedures (TTPs) include fully undetectable (FUD) links, legitimate link services such as URL shorteners and redirectors, email attachments, QR codes, and Cloudflare Turnstile challenges that keep automated scanners away from the credential-harvesting page.
The campaign uses several email delivery methods, including compromised accounts and legitimate services such as email marketing platforms. Because the messages originate from trusted senders and infrastructure, standard reputation-based filters are less likely to catch them. Victims span multiple sectors and regions rather than a single target group.
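The bypass described above is easy to misunderstand as "the kit breaks MFA". It does not break the second factor; it relays it. The following simulation, added here as an illustration and not code from the article or from the Trustwave research, plays both sides of the exchange: a TOTP code typed into the proxy's page verifies at the real server because nothing in the code says where it was typed, while a WebAuthn-style assertion fails because the browser signs over the origin it is actually on. The origins, keys, and the simplified MAC-based assertion format are constructed assumptions; real WebAuthn uses an asymmetric signature over clientDataJSON and authenticatorData, but the origin-binding property shown is the same.

```python
"""Added example (not code from the article or from the Trustwave research):
a toy simulation of why an AiTM relay defeats OTP-based MFA but not an
origin-bound (WebAuthn/FIDO2-style) second factor. Origins, secrets and the
simplified assertion format are constructed for illustration."""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"   # assumed legitimate login origin
PHISH_ORIGIN = "https://login-example.co"   # assumed attacker-controlled proxy origin


# --- OTP-style second factor: the code is a bearer value the victim types in ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Nothing in the code ties it to the page it is typed on."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def server_verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), code)


def aitm_relay_totp(secret: bytes, unix_time: int) -> bool:
    """Victim is on PHISH_ORIGIN; the proxy forwards the code it receives to the real server."""
    code_typed_by_victim = totp(secret, unix_time)
    forwarded_by_proxy = code_typed_by_victim        # relayed unchanged, inside the time window
    return server_verify_totp(secret, forwarded_by_proxy, unix_time)  # accepted


# --- Origin-bound factor: the assertion covers the origin the browser is actually on ---
def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified WebAuthn-style assertion: MAC over (challenge || origin).
    Real WebAuthn uses an asymmetric signature over clientDataJSON (which embeds the
    origin) and authenticatorData; the binding property is the same."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()


def server_verify_assertion(key: bytes, challenge: bytes, assertion: bytes,
                            expected_origin: str = REAL_ORIGIN) -> bool:
    """The relying party only accepts an assertion made for its own origin."""
    expected = authenticator_sign(key, challenge, expected_origin)
    return hmac.compare_digest(expected, assertion)


def legitimate_webauthn_login(key: bytes) -> bool:
    challenge = secrets.token_bytes(32)
    return server_verify_assertion(key, challenge, authenticator_sign(key, challenge, REAL_ORIGIN))


def aitm_relay_webauthn(key: bytes) -> bool:
    """Same relay: the proxy forwards the server's challenge to the victim's browser,
    but the browser is on PHISH_ORIGIN, so that is the origin that gets signed."""
    challenge = secrets.token_bytes(32)    # issued by the real server, relayed by the proxy
    assertion = authenticator_sign(key, challenge, PHISH_ORIGIN)
    return server_verify_assertion(key, challenge, assertion)  # rejected: origin mismatch


if __name__ == "__main__":
    otp_secret = b"12345678901234567890"   # RFC 6238 test secret, constructed input
    cred_key = secrets.token_bytes(32)     # constructed credential key
    print("TOTP through AiTM relay accepted:", aitm_relay_totp(otp_secret, 59))
    print("WebAuthn-style login direct:", legitimate_webauthn_login(cred_key))
    print("WebAuthn-style through AiTM relay accepted:", aitm_relay_webauthn(cred_key))
```

In a real browser the relay fails even earlier: the credential's RP ID does not match the phishing domain, so the browser never produces an assertion at all. The server-side origin check shown here is the second line of defence. Either way, the proxy is left with only what the victim typed, which is why the recommendations below favour phishing-resistant factors over one-time codes.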
The threat actors behind this kit use a range of templates and themes for their social-engineering lures, including:
  • Document and file-sharing notifications
  • E-signature platform-themed messages
  • HR and payroll-related messages
  • MFA lures
  • IT department notifications
  • Password/account-related alerts
  • Voicemail notifications

Marketing posts on Telegram promote Rockstar 2FA's features, including anti-bot protection, multiple login-page themes, randomized source code and attachments, Telegram bot integration, and a user-friendly admin panel. Rockstar 2FA is sold for as little as $200 for a two-week subscription, with monthly subscription and one-time payment options also available.

Since May 2024, urlscan.io has recorded over 3,700 hits for a campaign using URLs of the form hxxps?://{URLDOMAIN}/{RANDOM_4-5_LETTERS}/ (a scheme, a domain, then a single path segment of four or five random letters), and observations continue to rise. Given the ongoing phishing activity linked to Rockstar, the operators will likely update the kit or release more advanced versions.
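The URL shape above is a useful triage signal but a weak one on its own: a single short path segment also describes plenty of legitimate pages. The filter below, added here as an example and not taken from the article or from urlscan.io, refangs defanged indicators, matches the reported shape, and drops allowlisted hosts so that analysts review only the remainder. The sample URLs and the allowlist are constructed and are not real indicators.

```python
"""Added example, not from the original article: a triage filter for the URL shape
reported above (scheme, domain, then one path segment of four or five random letters).
Sample URLs and the allowlist are constructed for illustration."""
import re
from urllib.parse import urlsplit

# One path segment of 4-5 ASCII letters with a trailing slash and nothing else in the path.
REPORTED_PATH = re.compile(r"^/[A-Za-z]{4,5}/$")


def refang(url: str) -> str:
    """Convert defanged notation (hxxp, [.], [:]) back into a parseable URL."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def matches_reported_shape(url: str) -> bool:
    """True when the URL has an http(s) scheme, a host, and the reported path shape."""
    parts = urlsplit(refang(url))
    return (parts.scheme.lower() in ("http", "https")
            and bool(parts.hostname)
            and REPORTED_PATH.match(parts.path) is not None)


def triage(urls, allowlist=frozenset()):
    """Return URLs that match the shape and whose host is not allowlisted.
    The shape alone is weak evidence (any site can have /about/), so this is a
    queue for analyst review, not a block verdict."""
    hits = []
    for url in urls:
        host = (urlsplit(refang(url)).hostname or "").lower()
        if host in allowlist:
            continue
        if matches_reported_shape(url):
            hits.append(url)
    return hits


# Constructed sample URLs, not real indicators.
SAMPLE_URLS = [
    "hxxps://docs-share[.]example/kqzpt/",                    # matches, defanged
    "https://cdn.example.net/Abcd/",                          # matches
    "https://www.example.com/about/",                         # matches shape, but allowlisted
    "https://login.example.com/common/oauth2/v2.0/authorize", # long legitimate path, no match
    "https://example.org/ab/",                                # segment too short
    "https://example.org/abcdef/",                            # segment too long
    "https://example.org/abc1d/",                             # digit in segment
    "https://example.org/abcd/index.html",                    # extra path component
]
ALLOWLIST = frozenset({"www.example.com"})

if __name__ == "__main__":
    for hit in triage(SAMPLE_URLS, ALLOWLIST):
        print("review:", hit)
```

Run over proxy or email-gateway logs, the hits are candidates to pivot on (newly registered domain, Turnstile challenge on the landing page, redirect to a Microsoft-themed login), not a verdict by themselves; feeding the raw regex straight into a blocklist would break legitimate short URLs.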

Recommendations

  • Educate yourself and others about these and similar scams.
  • Do not click links or open attachments in unsolicited emails, text messages, or social media messages, and do not divulge sensitive information or send funds in response to them.
  • Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats.
  • Keep systems up to date and apply patches after appropriate testing.
  • Use strong, unique passwords and enable MFA on every account that supports it. Prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) where available; authenticator apps are better than SMS codes, but AiTM kits such as Rockstar 2FA relay app- and SMS-generated codes alike, so only origin-bound factors stop this attack.
  • Use email filters and consider monitoring Telegram and other dark web activity to track PhaaS TTPs.
  • Ingest the IOCs published in the Trustwave blog posts (12) into endpoint and email security solutions, and favor behavior-based detection over signature-only tools. Because AiTM kits capture session cookies, treat a reported phish as a possible session compromise: revoke active sessions and refresh tokens for the affected account rather than only resetting the password.