FlowerStorm Emerges After Rockstar2FA’s Closure: A Quick Look at What to Know
In late November 2024, the cybersecurity world was shaken by the sudden shutdown of Rockstar2FA, a popular phishing-as-a-service (PhaaS) platform. This disruption left a significant void in the cybercrime landscape, which was quickly filled by a new player: FlowerStorm.
The Rise of FlowerStorm
FlowerStorm emerged online in June 2024 and rapidly gained traction after Rockstar2FA’s collapse. Researchers from Sophos noted that FlowerStorm shares many features with its predecessor, including advanced evasion mechanisms, a user-friendly panel, and numerous phishing options. The service sells access to cybercriminals for $200 for two weeks, making it an attractive alternative for those previously using Rockstar2FA.
Similarities and Differences
While Rockstar2FA used automotive themes for its phishing pages, FlowerStorm shifted to botanical themes, featuring terms like “Flower,” “Sprout,” “Blossom,” and “Leaf” in its HTML page titles. Despite the thematic change, the underlying design and functionality remain consistent. Both platforms support email validation and multi-factor authentication (MFA) through their backend systems.
Potential Rebranding
Sophos researchers Sean Gallagher and Mark Parsons suggested that FlowerStorm might be a rebrand of Rockstar2FA, possibly to reduce exposure and avoid law enforcement scrutiny. The HTML structure of their phishing pages is highly similar, featuring random text in comments and Cloudflare “turnstile” security features. The credential harvesting methods also align closely, using fields like email, pass, and session tracking tokens.
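The page traits described above (botanical title terms, filler comments, a Cloudflare Turnstile widget, email and pass fields) can be combined into a triage heuristic for HTML captured by an email or web filter. This is an added example, not code from Sophos or from the original article; the trait names, the thresholds, the reading of email and pass as form input names, and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Traits are the ones named in the article. Assumptions of this example: email/pass
# are form input names, 3+ comments count as filler, and 3 of 4 traits flag a page.
# Turnstile is matched by its widget class or api.js URL; legitimate sites use it too.
TITLE_TERMS = ("flower", "sprout", "blossom", "leaf")
CRED_FIELDS = {"email", "pass"}

class PageTraits(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_title, self.title = False, ""
        self.comments, self.turnstile, self.fields = 0, False, set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        self.in_title = self.in_title or tag == "title"
        if "cf-turnstile" in a.get("class", "") or "challenges.cloudflare.com/turnstile" in a.get("src", ""):
            self.turnstile = True
        if tag == "input" and a.get("name", "").lower() in CRED_FIELDS:
            self.fields.add(a["name"].lower())

    def handle_endtag(self, tag):
        self.in_title = self.in_title and tag != "title"

    def handle_data(self, data):
        if self.in_title:
            self.title += data

    def handle_comment(self, data):
        if data.strip():
            self.comments += 1

def triage(html):
    """Return (matched trait names, True if at least 3 of the 4 traits match)."""
    p = PageTraits()
    p.feed(html)
    checks = {
        "botanical_title": any(t in p.title.lower() for t in TITLE_TERMS),
        "turnstile": p.turnstile,
        "email_pass_fields": CRED_FIELDS <= p.fields,
        "filler_comments": p.comments >= 3,
    }
    hits = [name for name, ok in checks.items() if ok]
    return hits, len(hits) >= 3

# Constructed sample pages (not real captures)
SUSPECT = ('<title>Blossom Portal</title><!-- qz vexa --><!-- nine plum --><!-- tk ridge -->'
           '<div class="cf-turnstile"></div><form><input name="email"><input name="pass"></form>')
BENIGN = '<title>Acme Sign in</title><div class="cf-turnstile"></div><form><input name="email"><input name="password"></form>'
```

No single trait is meaningful on its own, so a flagged page is a candidate for analyst review rather than a verdict.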
Targeted Sectors and Geographical Impact
FlowerStorm has shown a significant impact on organizations and users, with roughly 63% of the targeted organizations and 84% of the users based in the United States. The most targeted sectors include services (33%), manufacturing (21%), retail (12%), and financial services (8%). This widespread targeting highlights the need for robust cybersecurity measures to protect against such phishing attacks.
Protective Measures
To safeguard against phishing attacks facilitated by services like FlowerStorm, organizations are advised to use multi-factor authentication (MFA) with AiTM-resistant FIDO2 tokens, deploy email filtering solutions, and use DNS filtering to block access to suspicious domains. These measures can help mitigate the risk of credential theft and subsequent cyberattacks.
Conclusion
The emergence of FlowerStorm as a replacement for Rockstar2FA underscores the ever-evolving nature of cybercrime and the need for continuous vigilance in cybersecurity practices. As cybercriminals adapt and rebrand their operations, organizations must remain proactive in implementing robust security measures to protect their assets and data.
By staying informed and adopting comprehensive security strategies, businesses can better defend against the threats posed by phishing-as-a-service platforms like FlowerStorm.