Rockstar 2FA: How Hackers Bypass Multi-Factor Authentication in Two Clicks
Cybersecurity experts are raising the alarm over a new wave of phishing attacks leveraging a Phishing-as-a-Service (PhaaS) tool known as Rockstar 2FA. These attacks aim to steal Microsoft 365 user accounts and session cookies, even from users protected by multi-factor authentication (MFA).
How Rockstar 2FA Works
In a recent report from Trustwave, researchers highlighted the use of an advanced phishing technique called Adversary-in-the-Middle (AiTM). This method enables attackers to intercept login credentials and session cookies from users with MFA enabled.
Rockstar 2FA builds on its predecessor, the DadSec or Phoenix phishing kit. Microsoft identifies its developers and distributors under the codename Storm-1575. The kit is sold via subscription, making sophisticated phishing tools accessible to cybercriminals without advanced technical skills:
- Two-week subscription: $200
- Monthly subscription: $350
Features of Rockstar 2FA
The toolkit boasts a wide range of capabilities:
- MFA bypass: Enables hackers to overcome multi-factor authentication.
- Cookie theft: Facilitates the collection of session cookies for full account access.
- Anti-bot protection: Blocks automated scanners so the phishing pages evade detection mechanisms.
- Realistic login page themes: Mimics popular services to trick users.
- Telegram bot integration: Provides real-time updates and alerts to attackers.
- User-friendly admin panel: Simplifies management of phishing campaigns and link customization.
Methods of Attack
Hackers using Rockstar 2FA employ various tactics to initiate attacks:
- Delivery channels: URLs, QR codes, or attached documents.
- Compromised accounts: Messages often come from already breached accounts to appear legitimate.
- Anti-spam evasion: Techniques include URL shorteners, redirects, and Cloudflare Turnstile protection.
Phishing links are frequently hosted on trusted platforms such as Google Docs Viewer, Atlassian Confluence, or Microsoft OneDrive, exploiting users’ confidence in these services.
What Happens to Victim Data?
When a victim enters their credentials on a phishing page:
- The information is instantly transmitted to the attacker’s server.
- Session cookies are stolen, enabling hackers to bypass MFA and gain unrestricted access to the account.
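A defender's view of the second point is that the stolen session is replayed from the attacker's infrastructure shortly after the victim's interactive, MFA-satisfied sign-in. The following Python is an added example (not code from the article or from Trustwave) that runs a simple replay check over constructed sign-in events: it flags any session that was established interactively from one network and then reused non-interactively, within a short window, from a different autonomous system. The event schema, field names and sample values are assumptions; real identity-provider sign-in logs carry equivalent fields under their own names.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignIn:
    """One sign-in event (hypothetical schema, not a vendor log format)."""
    ts: datetime
    user: str
    session_id: str
    ip: str
    asn: str            # autonomous system the IP belongs to
    interactive: bool   # True: credentials + MFA prompt; False: existing session cookie


# Constructed sample events. sess-A1 is established from the corporate ISP
# and reused two minutes later from an unrelated hosting provider, which is the
# pattern an AiTM cookie replay leaves behind. sess-B7 is ordinary reuse.
EVENTS = [
    SignIn(datetime(2024, 11, 26, 9, 0), "alice@example.com", "sess-A1",
           "203.0.113.10", "AS64500-CorpISP", True),
    SignIn(datetime(2024, 11, 26, 9, 2), "alice@example.com", "sess-A1",
           "198.51.100.77", "AS64511-VPS", False),
    SignIn(datetime(2024, 11, 26, 9, 5), "bob@example.com", "sess-B7",
           "203.0.113.22", "AS64500-CorpISP", True),
    SignIn(datetime(2024, 11, 26, 13, 40), "bob@example.com", "sess-B7",
           "203.0.113.22", "AS64500-CorpISP", False),
]


def detect_session_replay(events, window=timedelta(hours=1)):
    """Return alerts for sessions whose cookie is reused from a different ASN
    than the one the interactive (MFA-satisfied) sign-in came from, within
    `window` of that sign-in. A short window is used because the kit forwards
    the cookie to the operator in real time."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_session[e.session_id].append(e)

    alerts = []
    for sid, evs in by_session.items():
        # The first interactive event is where the user actually passed MFA.
        origin = next((e for e in evs if e.interactive), None)
        if origin is None:
            continue
        for e in evs:
            if e.interactive or e.ts < origin.ts:
                continue
            if e.asn != origin.asn and e.ts - origin.ts <= window:
                alerts.append({
                    "user": e.user,
                    "session_id": sid,
                    "mfa_sign_in": f"{origin.ip} ({origin.asn}) at {origin.ts:%H:%M}",
                    "replayed_from": f"{e.ip} ({e.asn}) at {e.ts:%H:%M}",
                    "reason": "session cookie reused from a different network "
                              "shortly after MFA sign-in",
                })
    return alerts


if __name__ == "__main__":
    for a in detect_session_replay(EVENTS):
        print(a)
```

The ASN comparison is deliberately coarser than an IP comparison: mobile users change IPs constantly within one carrier, whereas a cookie that lands on a hosting provider within minutes of a corporate sign-in is the signal worth paging on. Revoking the affected session and forcing re-authentication is the containment step that follows an alert.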
Implications and Countermeasures
The rise of cybercrime as a service highlights the growing accessibility of malicious tools to inexperienced hackers, amplifying their potential threat.
How to Protect Yourself:
- Verify URLs carefully: Even links from trusted platforms could be malicious.
- Enable advanced security measures: Use modern MFA options, such as hardware security keys.
- Be cautious with unsolicited messages: Avoid clicking on links or downloading attachments from unknown sources.
- Educate yourself and your team: Stay informed about the latest phishing tactics.
- Report suspicious activity: Alert your organization’s IT team or the appropriate authorities if you suspect an attack.
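The hardware-key recommendation works against AiTM for a structural reason rather than a policy one: a FIDO2/WebAuthn assertion is signed over data that includes the origin the browser was actually talking to, so a relying party can reject any assertion produced while the user sat on a relay page. The Python below is an added illustration of that origin binding, not the article's or any vendor's code. It stands in for the authenticator's asymmetric signature with an HMAC so it runs on the standard library alone; the relying-party origin, the relay origin and the credential handling are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                    # hypothetical relying party
RP_ORIGIN = "https://login.example.com"  # the only origin the RP accepts


class HardwareKey:
    """Toy authenticator. A real FIDO2 key holds a per-site private key and
    signs with it; here a per-site HMAC secret plays that role so the example
    needs no third-party crypto library."""

    def __init__(self):
        self._credentials = {}  # rp_id -> secret

    def register(self, rp_id):
        secret = secrets.token_bytes(32)
        self._credentials[rp_id] = secret
        return secret  # what the RP stores (a public key in the real protocol)

    def sign(self, rp_id, challenge, browser_origin):
        # The browser, not the web page, fills in the origin it is connected to.
        # That is what makes the value trustworthy from the RP's side.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True,
        ).encode()
        sig = hmac.new(self._credentials[rp_id], client_data, hashlib.sha256).digest()
        return client_data, sig


def verify_assertion(stored_cred, expected_challenge, client_data, sig):
    """Relying-party check: signature, challenge freshness, and origin binding."""
    expected_sig = hmac.new(stored_cred, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "bad signature"
    data = json.loads(client_data)
    if data["challenge"] != expected_challenge:
        return False, "challenge mismatch"
    if data["origin"] != RP_ORIGIN:
        # This is the line an AiTM relay cannot get past: the victim's browser
        # signed the relay's origin, not the RP's, and the RP notices.
        return False, f"origin mismatch: {data['origin']}"
    return True, "ok"


def login(key, stored_cred, browser_origin):
    """One authentication round with the browser on `browser_origin`."""
    challenge = secrets.token_urlsafe(32)       # fresh per attempt, prevents replay
    client_data, sig = key.sign(RP_ID, challenge, browser_origin)
    return verify_assertion(stored_cred, challenge, client_data, sig)


if __name__ == "__main__":
    key = HardwareKey()
    cred = key.register(RP_ID)
    print(login(key, cred, RP_ORIGIN))                      # (True, 'ok')
    print(login(key, cred, "https://relay.example.net"))    # origin mismatch
```

In practice the failure happens even earlier: a browser only offers a credential when the page's domain matches the credential's rpId, so a relay on another domain never gets a signature at all. Either way, no session cookie is minted for the attacker, which is the property a one-time code sent by SMS or an authenticator app cannot offer, since those codes carry no information about where they were typed.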
Constant vigilance and awareness are crucial to staying ahead of evolving cyber threats, even when interacting with seemingly legitimate resources.