    Sean Gallagher :verified: 🐀 :donor: (thepacketrat@infosec.exchange)'s status on Friday, 20-Dec-2024 03:35:28 JST

    TrustWave did a great job of outlining the operations of Rockstar2FA, a phishing-as-a-service platform with the ability to capture second-factor authentication tokens, a few weeks ago. But just before their report went out, Rockstar did a stage dive: most of their back-end infrastructure got disconnected from Cloudflare's CDN. Given that they had started hosting a whole bunch of their phishing portals on Cloudflare itself through the pages.dev service, that was not good for them; abusing Cloudflare is a key element of their operations.

    While they've been floundering, we saw another phish service with very similar TTPs step up their operations. At least one researcher had been tracking this group as "FlowerStorm." It's clear from our analysis of their front-end stuff that FlowerStorm and Rockstar share at least a common ancestor, if they're not just outright stealing code from each other or are somehow connected.

    FlowerStorm has some subtle differences in their operation. We've done an analysis of those in a blog I pushed out today with the help of Mark Parsons, Johua Rawles, Mark Parsons, Jordon Olness, and Colin Cowie. We're continuing to dig into FlowerStorm as they've made some OpSec boo-boos, but never stop your enemy when they're making a mistake.

    Read the report here: https://news.sophos.com/en-us/2024/12/19/phishing-platform-rockstar-2fa-trips-and-flowerstorm-picks-up-the-pieces/
