A recent technical failure in the Rockstar 2FA phishing-as-a-service (PhaaS) platform has resulted in increased activity from a newer service called FlowerStorm. According to Sophos’s latest report, Rockstar 2FA’s infrastructure partially collapsed due to technical issues rather than law enforcement action.
Rockstar 2FA, initially identified by Trustwave, is a sophisticated PhaaS platform targeting Microsoft 365 credentials and session cookies, effectively bypassing MFA security measures. The service, an evolution of the DadSec phishing kit (also known as Storm-1575), primarily operated through .com, .de, .ru, and .moscow domains.
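The kits described above are valuable to attackers because a stolen session cookie can be presented again without the victim's MFA ever being repeated. The detection below is an added example for defenders, not code from the article, from Sophos or from Trustwave: it scans constructed sign-in records and flags any session that satisfied MFA once and is later seen from a different IP address or client, without a fresh MFA prompt. The pipe-delimited log format, the field names, and the sample lines are assumptions made for this illustration.

```python
"""Flag possible session-cookie replay in sign-in telemetry (added example).

Assumed export format, one event per line:
    timestamp|user|session_id|source_ip|user_agent|mfa_satisfied
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: alice's MFA-satisfied session reappears seconds later from
# another address and a scripted client; bob's session continues normally; eve
# signs in from a new address but completes MFA again, so it is not a replay.
SAMPLE_LOG = """
# constructed sample data, not real telemetry
2024-11-12T08:01:10Z|alice@example.com|sess-7f3a|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Chrome/130|true
2024-11-12T08:01:55Z|alice@example.com|sess-7f3a|198.51.100.77|python-requests/2.32|false
2024-11-12T09:15:00Z|bob@example.com|sess-91c2|203.0.113.22|Mozilla/5.0 (Macintosh) Safari/17|true
2024-11-12T09:40:00Z|bob@example.com|sess-91c2|203.0.113.22|Mozilla/5.0 (Macintosh) Safari/17|false
2024-11-12T10:00:00Z|eve@example.com|sess-c0de|203.0.113.30|Mozilla/5.0 (Windows NT 10.0) Edge/130|true
2024-11-12T10:30:00Z|eve@example.com|sess-c0de|192.0.2.44|Mozilla/5.0 (Windows NT 10.0) Edge/130|true
"""


@dataclass
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    mfa_satisfied: bool


def parse_line(line: str) -> SignIn:
    """Parse one pipe-delimited record (assumed format, see module docstring)."""
    ts, user, session_id, ip, ua, mfa = line.strip().split("|")
    return SignIn(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        user=user,
        session_id=session_id,
        ip=ip,
        user_agent=ua,
        mfa_satisfied=(mfa.lower() == "true"),
    )


def parse_log(text: str) -> list[SignIn]:
    """Parse all records, skipping blank lines and '#' comments."""
    return [parse_line(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def find_session_replays(events: list[SignIn]) -> list[dict]:
    """Return one alert per event that reuses an MFA-satisfied session from a
    different IP or user agent without satisfying MFA again."""
    by_session: dict[str, list[SignIn]] = defaultdict(list)
    for e in events:
        by_session[e.session_id].append(e)

    alerts = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        # The first MFA-satisfied event is the point at which an adversary-in-the-
        # middle proxy would have obtained a cookie worth replaying.
        anchor = next((e for e in evs if e.mfa_satisfied), None)
        if anchor is None:
            continue
        for e in evs:
            if e.ts <= anchor.ts or e.mfa_satisfied:
                continue  # before the anchor, or MFA was performed again
            changed = [name for name, a, b in (("ip", anchor.ip, e.ip),
                                                ("user_agent", anchor.user_agent, e.user_agent))
                       if a != b]
            if changed:
                alerts.append({
                    "user": e.user,
                    "session_id": session_id,
                    "changed": changed,
                    "anchor_ip": anchor.ip,
                    "seen_ip": e.ip,
                    "anchor_user_agent": anchor.user_agent,
                    "seen_user_agent": e.user_agent,
                    "seconds_after_mfa": int((e.ts - anchor.ts).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample only alice's session is flagged: both the source address and the user agent changed 45 seconds after MFA was satisfied, and no new MFA event accompanied the change. Bob's session is continued from the same client, and eve's new address came with a fresh MFA completion, so neither produces an alert. A production version would key on whatever session or token identifier the identity provider exposes and would usually enrich the IP comparison with ASN or geolocation rather than relying on exact address equality.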
Following Rockstar 2FA’s disruption on November 11, 2024, FlowerStorm, operational since June 2024, has seen significant growth. Both services share notable similarities in their phishing portal designs and backend credential harvesting methods, suggesting a possible connection, and both use Cloudflare Turnstile for bot prevention; direct links between the services, however, remain unconfirmed.
FlowerStorm primarily targets users in the United States, Canada, United Kingdom, Australia, and several European countries. The service industry, particularly engineering, construction, real estate, and legal services sectors, faces the highest threat levels.
This development highlights the growing trend of cybercriminals utilizing ready-made tools and services to conduct large-scale attacks without requiring extensive technical knowledge.