The phishing-as-a-service (PhaaS) platform "FlowerStorm" has gained traction after the Rockstar2FA service suffered a partial collapse in November 2024. Rockstar2FA previously facilitated large-scale attacks targeting Microsoft 365 credentials, offering phishing tools for $200 per two weeks. Researchers from Sophos suggest FlowerStorm may be a rebrand of Rockstar2FA due to overlapping features and methodologies.
Both platforms mimic legitimate login pages, use similar phishing page structures, and rely on backend servers hosted on .ru and .com domains. Despite aesthetic changes, such as FlowerStorm adopting botanical themes over Rockstar2FA's automotive style, their credential harvesting techniques and scalability remain consistent.
Sophos found evidence of operational similarities, such as synchronized domain registration patterns and backend exposure issues, but cannot conclusively link the two services. FlowerStorm's rise poses significant risks to users, with 84% of its targets in the U.S., particularly in services, manufacturing, retail, and finance sectors.
To mitigate these threats, organizations are advised to implement phishing-resistant MFA solutions, deploy email and DNS filtering, and block access to suspicious domains.