Update, Nov. 30, 2024: This story, originally published Nov. 29 now includes more information about how hackers are able to bypass your two-factor authentication security protection during attacks such as those using the Rockstar 2FA exploit kit.
That annoying Nickelback song, aren’t they all, that goes “we all just wanna be big rockstars, and live in hilltop houses driving 15 cars” seems strangely appropriate right now, with the news that the Rockstar 2FA phishing-as-a-service exploit kit is using Microsoft OneDrive and OneNote along with Google Docs in an effort to bypass 2FA on target systems. Here’s what we know.
The Rockstar 2FA Exploit Kit Explained
A widespread threat campaign, employing an attacker-in-the-middle approach to stealing session cookies and so bypassing two-factor authentication protections, has been seen using the Rockstar 2FA phishing-as-a-service kit, according to a newly published report by Trustwave SpiderLabs security researchers Diana Solomon and John Kevin Adriano. “Microsoft user accounts are the prime target of these campaigns,” the researchers said, “as target users will be redirected to landing pages designed to mimic Microsoft 365 login pages.” However, both Google and Microsoft users are in the threat crosshairs when it comes to the Rockstar 2FA attack methodology.
Rockstar 2FA, an updated version of the DadSec phishing kit, is known to be used by a threat actor tracked as Storm-1575. Crucially, Storm-1575 is known to have been behind some of the most prolific phishing campaigns during 2023 with the DadSec kit at the heart of it all. With thousands of subscribers to the various underground channels where the updated Rockstar 2FA kit is being rented, the risk this year and beyond is easy to comprehend. “With these platforms,” the researchers said, “the kit becomes easily accessible for other cybercriminals seeking to acquire easy-to-set up phishing tools.”
With subscription rates for Rockstar 2FA starting at $200 for a two weeks of access, and one-off as well as monthly subscriptions also available, the exploit kit is fully packed: beyond the two-factor authentication bypass functionality, Rockstar 2FA also offers criminal hackers antibot protection, multiple login page themes, randomized source codes and attachments, fully undetectable links, telegram bot integration and a user-friendly admin panel, the researchers said.
Rockstar 2FA Attack Methodology
The generation of fully undetectable, or FUD, links in phishing campaigns is one of the most marketed aspects of Rockstar 2FA. “These FUD links are specifically crafted to evade URL-based detection systems,” the researchers said, “which usually only examine the initial link to determine malicious intent.” This means, in practical terms, that link redirectors including URL protection services and link shorteners, are employed along with the abuse of legitimate and trusted sites.
The Trustwave SpiderLabs researchers gave multiple examples, including the three methods highlighted below, of how the Rockstar 2FA kit is used.
Microsoft: OneDrive
This used a new method of URL redirection by way of OneDrive to host the URL shortcut files. “In this case,” Trustwave said, “unsuspecting users who click on the .url file are automatically redirected to the phishing landing page via a new browser tab.” It’s a seamless redirection technique that effectively hides the actual destination URL from the user.
Microsoft: OneNote
The attackers use a document-themed lure where the body text is actually contained within an image. “The image is anchored with a link to a OneNote document,” the researchers explained, “this image-based approach helps attackers evade text-based detection mechanisms.”
Google: Docs Viewer
This is another variant of the document-sharing theme exploited by the Rockstar 2FA attackers. “A Google Docs Viewer link in the email is used to render a malicious PDF file hosted on an external site,” the researchers said, “phishers have started abusing this feature that allows users to embed PDF and PowerPoint files in a webpage.”
The Methods Used By Hackers, Including Those Behind The Rockstar 2FA Kit, To Bypass Two-Factor Authentication Security Protections
One of the most common questions asked by victims who find their accounts, for whatever service or site that might be compromised, login credentials changed, and data accessed, is how did the hacker get past my two-factor authentication? This is, to be honest, a very reasonable question when you consider that 2FA, or multi-factor authentication which is shortened to MFA, is meant to protect you from precisely such a situation when someone has managed to compromise your username and password. The recommendation to enable 2FA wherever it is available is not diluted by the fact that some attackers can, in some circumstances, bypass these protections. Being aware of how they manage to do this is the most essential thing as it could save you from becoming yet another victim.
In order to bypass your 2FA account protection, most attacks seek to redirect the target user by way of a phishing attack or some form of social engineering that lands them on a legitimate-looking site where they are asked to input their login credentials. When the user enters their 2FA code, the attacker might make use of the functionality of the exploit being employed to intercept the authentication token, or better still the session cookie. The latter does pretty much what you might imagine: it flags the user session as fully authorized, because it has been. However, if you have the session cookie you can re-run that session at your leisure, and still be treated as the authenticated user.
“When victims fall prey to these multi-factor authentication bypass phishing attacks,” Max Gannon, cyber intelligence analysis manager at Cofense, said, “they effectively log themselves in and authorize the access that MFA simply can’t protect against.” It’s not a failure on the part of the 2FA mechanism itself as the credentials being input are genuine enough. “These kits essentially reset the phishing arms race to where we were before the advent of MFA,” Gannon concluded, “where the key factor to preventing account compromise is the person being phished.”
When it comes to mitigating two-factor authentication bypass it is both as easy as it sounds and not, simultaneously. I say this because the evolution of the threat, as exampled by the Rockstar 2FA exploit kit, is such that you can never be too careful. However, as a staunch believer in the notion that anything erecting barriers to usability in the name of better security is doomed to fail, I can’t agree with recent advice from the Atlanta office of the Federal Bureau of Investigation which suggested people “recognize the risks of clicking the “Remember Me” checkbox when logging into a website.” This suggests to me that the Feds want people to ignore the very thing that makes use of so many sites and services, well, usable. Session cookies are generated when you log in to a site, and you opt to tick the “remember this device” checkbox to save you the hassle of having to log in, complete with 2FA, every time you return.
Because such attacks nearly always begin with a phishing email or message that is aimed at redirect you to a cloned account login page, you should do all you can to avoid falling victim. See what Paul Walsh of MetaCert has to say about that in a moment, but a Google spokesperson said there are “numerous protections to combat such attacks, including passkeys, which substantially reduce the impact of phishing and other social engineering attacks.” Such security keys are known to be a stronger protection against “automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication,” according Google.
QR Codes Deployed To Direct Victims To Rockstar 2FA Landing Site
The Trustwave SpiderLabs researchers also warned that the threat actors are known to have employed the abuse of QR codes, something I unapologetically refuse to call quishing, to embed the landing site URL in the code itself. “This method often bypasses traditional detection systems that focus on visible links,” the researchers said. One example shown was a PDF document that was designed to mimic a DocuSign one and contained only a QR code and instructions two use a smartphone camera to electronically sign the document.
The SpiderLabs researchers noted attacks utilizing Rockstar 2FA often leverage multi-stage phishing chains, using many phases in the process. “This layered approach exploits various legitimate services to host malicious links or act as redirectors designed to evade detection further and conceal phishing pages from email gateways,” they said.
Paul Walsh, CEO at MetaCert, co-founded the W3C Mobile Web Initiative in 2004, tasked with refining Tim Berners-Lee’s vision of “One Web.” Walsh was also head of the New Technologies Team at AOL during the 90s, one of the first people who hackers impersonated on the web and helped launch AOL’s instant messenger client AIM. Walsh fervently believes that the ongoing war against consumers has nothing to do with phishing evolving or getting more sophisticated and everything to do with threat intelligence being fundamentally flawed for phishing protection. “Relying on historical data is useless,” Walsh said, “new URLs evade existing intelligence by design.” Except for reverse-proxy techniques discovered in 2017, Walsh insisted, “criminals are not using new methods—they’re simply exploiting gaps in outdated security strategies.” More to the point, and this is critical, Walsh said that “people are not to blame for phishing; bad security is to blame.” Advising people to trust “trusted sources” is misguided and counterproductive, according to Walsh, as is link hovering as any half-decent phishing campaign can hide the true destination convincingly. “Telling people to verify sender identity is equally useless,” Walsh said, as “most phishing can perfectly mimic familiar contacts.” MetaCert’s zero trust approach, Walsh said, treats every URL as untrusted until explicitly verified as safe.
You can read the full Trustwave SpiderLabs report on phishing-as-a-service kits, including Rockstar 2FA, which is in three highly detailed parts, here, here and here. I heartily recommend that you do as it’s both an informative read and an important one if you want to keep on top of what the threat actors are up to in this evolving sector of the threatscape.
