How to Defend Against Rockstar 2FA Bypass Attacks Targeting Microsoft and Google

Written by Jing Gu
Published on Dec 2, 2024

In our subscription-saturated world, perhaps it’s no surprise that a category called phishing-as-a-service (PaaS) is made just to serve malicious actors looking for a simple way to execute sophisticated phishing and two-factor authentication (2FA) bypass attacks. These kits are popular because they provide easy-to-use interfaces, instructions, and inexpensive subscription costs so bad actors can deploy phishing campaigns with much less effort. 

Among the different PaaS products, Rockstar is a recent kit linked to a proliferation of adversary-in-the-middle (AiTM) phishing attacks targeting Microsoft and Google users. 

Learn more about the techniques used by Rockstar 2FA and strategies to defend your organization against it. 

What is Rockstar 2FA?

Rockstar 2FA is an updated version of the DadSec phishing kit, operated by a threat actor tracked by Microsoft as Storm-1575. The product employs adversary-in-the-middle (AiTM) techniques to intercept user credentials and session cookies, effectively circumventing multi-factor authentication protections.

Key capabilities of the platform include:

  • 2FA bypass functionality
  • Anti-bot protection to filter out automated bots and security systems, ensuring only legitimate users reach the phishing page
  • Multiple login page themes to provide flexibility in crafting convincing landing pages for phishing attacks
  • Randomized source codes and attachments to make detection more challenging
  • Fully undetectable (FUD) links to bypass URL-based detection systems
  • Telegram bot integration for easy administrative management and monitoring of phishing campaigns

All this for the low cost of $200. You can probably see why this PaaS product appeals to malicious actors looking for an easy way to profit from phishing attacks. 

How does Rockstar 2FA execute AiTM attacks?

Understanding Rockstar 2FA's attack methodology is crucial for implementing effective defenses. Trustwave SpiderLabs' research shows that the attack chain consists of multiple stages designed to evade detection while harvesting credentials and session tokens.

Initial Access: Phishing Emails

The attack begins with a phishing email designed to entice the target user to click on a malicious link. These emails often employ convincing themes and templates, such as:

  • Document and file-sharing notifications
  • E-signature platform-themed messages
  • HR and payroll-related messages
  • IT department notifications
  • Password/account-related alerts
  • Voicemail notifications

User Engagement: FUD Links, Redirection, and Anti-Bot Protection

According to Forbes, this is one of the most heavily marketed aspects of the Rockstar 2FA kit. To evade detection technologies, the phishing emails sent to users utilize FUD links. These links employ tactics like:

  • Link Redirectors: Shortened URLs, open redirects, URL protection services, or URL rewriting services to mask the final phishing destination.
  • Abuse of Legitimate Services: Leveraging trusted sites like OneDrive, OneNote, Google Docs Viewer, Atlassian Confluence, and LiveAgent to host phishing content or redirect users.
  • QR Codes (Quishing): Embedding the malicious URL within a QR code, often included in attachments or the email body, bypassing detection systems focusing on visible links. 

Upon clicking the link, the user is redirected to a landing page that often includes a Cloudflare Turnstile challenge. In an ironic twist, a free service provided by Cloudflare, originally intended to protect websites from bots, is being deployed by threat actors to filter out bots so that only legitimate users can reach their phishing page.

Attack Execution: Phishing Pages, Decoy Pages, and Session Cookie Theft

After passing the Turnstile challenge, the user is presented with a phishing page that closely mimics the legitimate login page of the targeted service, typically Microsoft 365. In some instances, users may be redirected to a decoy page with car-related content instead of the phishing page. 

When the user submits their credentials, the information is sent to the attacker's AiTM server. The attacker then uses these credentials to retrieve the user's session cookie. This cookie grants the attacker access to the user's account without needing their password or 2FA code in future login attempts. 

Yikes. 

How to Defend Against Rockstar 2FA’s Exploit Techniques

Rockstar 2FA is not the first PaaS kit to exploit the vulnerabilities of legacy multi-factor authentication (MFA). However, the proliferation of these kits underscores the increasing urgency for organizations to move away from weak 2FA or MFA factors because, at this point, they are nowhere near secure enough.

A complete defense does not rely on end-users doing the right thing by not clicking the link or falling for the scam. According to a sobering statistic from KnowBe4, 4.69% of end-users will continue to click malicious links even after training. At the end of the day, it just takes one attack to be successfully executed against your environment.

The way to enforce complete defense against this type of attack is to:

  1. Eliminate phishable factors: What doesn’t exist cannot be stolen. Instead of weak, phishable factors like passwords, security questions, one-time passcodes (OTP), and push notifications, device-bound digital signatures (passkeys) can be deployed to provide out-of-the-box defense against phishing attacks.
  2. Enforce verifier impersonation resistance: Recognizing that users will always click on malicious links, it’s important to implement solutions that do not rely on human perception to validate the legitimacy of access requests. The way to implement this is by programmatically verifying the origin of access requests and ensuring that they come from an authorized and legitimate service. 
  3. Use hardware-backed credentials: The secure enclaves or trusted platform modules of modern devices allow for safe creation and use of public key credentials (or passkeys). The private key used for authentication in this setup is stored within the hardware component of the user’s device and never shared across the internet, making it inaccessible to attackers. This approach guarantees that private keys are not discoverable and cannot exist outside the secure hardware component, providing the strongest defense available against phishing and other credential theft attacks.
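
An illustration of item 2, added here and not Beyond Identity's code: the relying-party binding checks on a WebAuthn (passkey) assertion, showing why a response relayed through an AiTM proxy is rejected. The RP ID, origins, helper names, and sample inputs are assumptions constructed for the example, and signature verification over authenticatorData plus the SHA-256 of clientDataJSON is a separate required step that is not shown.

```python
import base64
import hashlib
import hmac
import json
import struct

# Assumed relying-party identity for this example (not taken from the article).
EXPECTED_RP_ID = "login.example.com"
EXPECTED_ORIGINS = {"https://login.example.com"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_assertion_binding(client_data_json, authenticator_data, issued_challenge):
    """Return a list of binding failures; an empty list means every check passed."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON is not valid JSON"]
    if not isinstance(client_data, dict):
        return ["clientDataJSON is not a JSON object"]

    failures = []
    if client_data.get("type") != "webauthn.get":
        failures.append("type is not webauthn.get")

    # The browser, not the page script, records the origin it actually loaded.
    origin = client_data.get("origin")
    if not isinstance(origin, str) or origin not in EXPECTED_ORIGINS:
        failures.append(f"unexpected origin: {origin!r}")

    # The challenge must be the one this server issued for this login attempt.
    try:
        challenge = b64url_decode(str(client_data.get("challenge", "")))
    except ValueError:
        challenge = b""
    if not hmac.compare_digest(challenge, issued_challenge):
        failures.append("challenge mismatch")

    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4) | ...
    if len(authenticator_data) < 37:
        return failures + ["authenticatorData too short"]
    rp_id_hash, flags, _count = struct.unpack(">32sBI", authenticator_data[:37])
    expected_hash = hashlib.sha256(EXPECTED_RP_ID.encode()).digest()
    if not hmac.compare_digest(rp_id_hash, expected_hash):
        failures.append("rpIdHash mismatch")
    if not flags & 0x01:
        failures.append("user presence flag not set")
    if not flags & 0x04:
        failures.append("user verification flag not set")
    return failures


def build_sample(origin, rp_id, challenge, flags=0x05, sign_count=7):
    """Construct the two structures a browser and authenticator would produce."""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()
    authenticator_data = (hashlib.sha256(rp_id.encode()).digest()
                          + struct.pack(">BI", flags, sign_count))
    return client_data_json, authenticator_data


def demo():
    challenge = hashlib.sha256(b"constructed per-login challenge").digest()
    # Constructed case 1: the user signs in on the real site.
    genuine = build_sample("https://login.example.com", "login.example.com", challenge)
    # Constructed case 2: an AiTM proxy relays the real challenge, but the
    # victim's browser is on the proxy's domain and records that origin.
    relayed = build_sample("https://login.example.com.phish.test",
                           "login.example.com.phish.test", challenge)
    return {
        "genuine": check_assertion_binding(*genuine, challenge),
        "relayed": check_assertion_binding(*relayed, challenge),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or "accepted")
```

Because the signed data includes both the origin and the RP ID hash, the proxy cannot rewrite either field without invalidating the signature, which is what makes the check independent of what the user perceives.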

Beyond Identity provides phishing-resistant MFA using device-bound, hardware-backed passkeys with verifier impersonation resistance by default. What’s more, unique to us, we allow you to easily and universally deploy phishing-resistant MFA across all commonly used operating systems, including Linux and ChromeOS. 

Given that our platform is engineered from the ground up to eliminate identity and device-based threats, we can provide security guarantees against attacks such as phishing and AiTM, as executed by Rockstar 2FA and other PaaS kits. 

If you want to learn more about how we technically deliver on these guarantees, you can visit our Guarantees page. Or if seeing is believing for you, get a demo of our secure access platform.
