- Both platforms use phishing portals that mimic legitimate login pages.
- The HTML structure of their phishing pages is highly similar: although the theming differs noticeably (automotive versus botanical), the underlying page structure is consistent.
- Their credential harvesting methods align closely; both kits validate the victim's email address and handle MFA authentication through their backends.
- Both platforms show similar domain registration and hosting habits, mainly using the .ru and .com top-level domains and Cloudflare services.
- At its peak, Rockstar2FA managed over 2,000 domains. After Rockstar2FA's collapse, FlowerStorm saw rapid growth, which suggests a shared framework.
- Avoid clicking links and opening attachments in unsolicited emails.
- Confirm requests from senders via contact information obtained from verified and official sources.
- Type official website URLs into browsers manually.
- Conduct user awareness training that covers these phishing techniques.
- Maintain robust and up-to-date endpoint detection tools on every endpoint.
- Consider leveraging behavior-based detection tools rather than signature-based tools.
- Report malicious activity to the FBI's IC3 and NJCCIC.
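The structural similarity noted above (different theming, same underlying page layout) is something a defender can measure rather than eyeball. The following is an added example, not code from the research this page summarizes or from either kit: it reduces a page to its tag skeleton, discarding text, attribute values and styling, so re-themed copies of the same kit produce the same fingerprint, and it adds a fuzzy score for pages whose skeletons differ slightly. The `COSMETIC_ATTRS` set and the three sample pages are assumptions constructed for the example.

```python
"""Structural fingerprinting of phishing pages.

Added example (not the Sophos research's method or kit code): reduce a page to
its tag skeleton so differently themed pages built on one kit hash alike.
"""
import difflib
import hashlib
from html.parser import HTMLParser

# Attribute names treated as theming/instance-specific rather than structural.
# This set is an assumption of the example; tune it for the kits you compare.
COSMETIC_ATTRS = {"style", "class", "id", "src", "href", "alt", "title",
                  "placeholder", "value", "width", "height"}


class SkeletonExtractor(HTMLParser):
    """Collect tag names plus the names (never the values) of structural attributes."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        names = sorted(a for a, _ in attrs if a not in COSMETIC_ATTRS)
        self.tokens.append(f"<{tag}:{','.join(names)}>")

    def handle_endtag(self, tag):
        self.tokens.append(f"</{tag}>")


def skeleton(html):
    """Return the page's tag skeleton as a list of tokens in document order."""
    parser = SkeletonExtractor()
    parser.feed(html)
    parser.close()
    return parser.tokens


def skeleton_hash(html):
    """Exact-match fingerprint: SHA-256 over the joined skeleton tokens."""
    return hashlib.sha256("".join(skeleton(html)).encode()).hexdigest()


def structural_similarity(html_a, html_b):
    """Fuzzy score in [0, 1] for pages whose skeletons differ slightly (e.g. an added tracker)."""
    return difflib.SequenceMatcher(None, skeleton(html_a), skeleton(html_b)).ratio()


# Constructed sample pages: one kit skeleton under two themes, plus an unrelated page.
PAGE_AUTO = """<!doctype html><html><head><title>AutoParts Portal</title>
<link rel="stylesheet" href="/css/auto.css"></head>
<body class="theme-auto"><div id="wrap"><img src="/img/car.png" alt="AutoParts">
<form method="post" action="/api/validate"><input type="email" name="email" placeholder="Work email">
<input type="password" name="password"><input type="hidden" name="session" value="a1b2">
<button type="submit">Sign in</button></form></div><script src="/js/auto.js"></script></body></html>"""

PAGE_FLOWER = """<!doctype html><html><head><title>Greenhouse Login</title>
<link href="/static/flower.css" rel="stylesheet"></head>
<body class="theme-flower"><div id="petal"><img alt="Greenhouse" src="/static/orchid.png">
<form action="/check" method="post"><input placeholder="Email" name="login" type="email">
<input name="pwd" type="password"><input name="sid" value="z9y8" type="hidden">
<button type="submit">Continue</button></form></div><script src="/static/flower.js"></script></body></html>"""

PAGE_OTHER = """<!doctype html><html><head><meta charset="utf-8"><title>Intranet</title></head>
<body><header><h1>Welcome</h1></header><main><table><tr><td><label for="u">User</label></td>
<td><input id="u" type="text" name="username"></td></tr><tr><td><label for="p">Password</label></td>
<td><input id="p" type="password" name="password"></td></tr></table>
<p><a href="/help">Need help?</a></p></main><footer>Internal use only</footer></body></html>"""


if __name__ == "__main__":
    print("auto   ", skeleton_hash(PAGE_AUTO)[:16])
    print("flower ", skeleton_hash(PAGE_FLOWER)[:16])
    print("other  ", skeleton_hash(PAGE_OTHER)[:16])
    print("auto~flower", round(structural_similarity(PAGE_AUTO, PAGE_FLOWER), 2))
    print("auto~other ", round(structural_similarity(PAGE_AUTO, PAGE_OTHER), 2))
```

In practice the exact hash is what you cluster on across pages pulled from URL scanning or sandbox detonations, and the fuzzy score catches kit updates that add or remove a tag. Kit authors can defeat the exact hash cheaply by padding pages with junk elements, so treat a high similarity score on the form region as a stronger signal than a whole-page hash match.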
