New Phishing Framework Attacking Multiple Brands To Steal Customer Logins

A sophisticated new phishing framework dubbed “FlowerStorm” has emerged, targeting multiple brands simultaneously to steal customer login credentials.

Cybersecurity researchers at CloudSEK have uncovered this alarming development, which poses a significant threat to organizations and consumers alike.

FlowerStorm, active since June 2024, operates as a Phishing-as-a-Service (PhaaS) platform, providing cybercriminals with advanced tools to conduct large-scale adversary-in-the-middle (AiTM) attacks.

The framework’s key feature is its ability to dynamically adapt phishing pages to impersonate various brands by leveraging customizable URLs.

Researchers at CloudSEK discovered that the phishing pages are hosted on Cloudflare’s workers.dev platform, adding a layer of legitimacy to the attacks.

What sets FlowerStorm apart is its use of targeted email domains to generate realistic backgrounds, effectively deceiving users into surrendering their credentials.


Multi-Stage Attack Process

The technical analysis reveals that the framework employs a multi-stage attack process:

  1. Victims are directed to a generic-looking webmail login page hosted on a URL like workers-playground-broken-king-d18b.supermissions.workers.dev.
     (Figure: A generic-looking phishing page to steal credentials. Source – CloudSEK)
  2. The attackers customize the URL by appending a hash sign (#) followed by the target’s email domain (e.g., #[email protected]).
     (Figure: The generic phishing webpage turned into a fake Google login page. Source – CloudSEK)
  3. FlowerStorm then captures a screenshot of the legitimate domain associated with the email, using it as the background for the phishing site.
     (Figure: The phishing site takes a screenshot of the legitimate website and uses it as the background. Source – CloudSEK)
  4. Once victims enter their credentials, the information is exfiltrated to a remote server controlled by the attackers.
     (Figure: Exfiltration of data from the impersonated phishing page to a remote server. Source – CloudSEK)

The framework’s sophistication extends to its use of obfuscated JavaScript (filename: myscr939830.js) to evade detection.

This script prevents users from viewing the page source and employs various techniques to hinder analysis, such as blocking the Ctrl+S and Ctrl+U keyboard shortcuts and the right-click context menu.
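The two indicators the report describes, a workers.dev host whose URL fragment carries the victim's email domain and the named anti-analysis script, are enough for a simple proxy-log triage rule. The following is an added example, not code from CloudSEK or this article; the log format, the hypothetical host names and the sample lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines: "<timestamp> <client-ip> <url> <status>".
# The first host is the one quoted in the report; the others are made up.
SAMPLE_LOG = """\
2024-12-02T09:14:03Z 10.0.0.12 https://workers-playground-broken-king-d18b.supermissions.workers.dev/#user@example.com 200
2024-12-02T09:15:10Z 10.0.0.13 https://mail.example.com/login 200
2024-12-02T09:16:44Z 10.0.0.14 https://quiet-meadow-1a2b.hypothetical.workers.dev/myscr939830.js 200
2024-12-02T09:17:01Z 10.0.0.15 https://docs.example.org/page#section-2 200
"""

# Free Cloudflare Workers subdomain on which the report says the pages are hosted.
WORKERS_DEV = re.compile(r"(^|\.)workers\.dev$", re.IGNORECASE)
# Fragment that looks like an e-mail address or bare domain (the brand selector).
BRAND_FRAGMENT = re.compile(r"^[A-Za-z0-9._%+-]*@?[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Script name the report attributes to the anti-analysis JavaScript.
KNOWN_SCRIPT = "myscr939830.js"


def classify_url(url):
    """Return the list of reasons a URL matches the FlowerStorm pattern ([] if none)."""
    parts = urlsplit(url)  # the fragment is split off before the host is parsed
    host = parts.hostname or ""
    on_workers_dev = bool(WORKERS_DEV.search(host))
    reasons = []
    if on_workers_dev and BRAND_FRAGMENT.match(parts.fragment):
        reasons.append("workers.dev host with brand-selecting fragment")
    if on_workers_dev and parts.path.endswith("/" + KNOWN_SCRIPT):
        reasons.append("known anti-analysis script name")
    return reasons


def scan_log(text):
    """Return (client_ip, url, reasons) for every log line whose URL matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the scan
        _timestamp, client, url, _status = fields[:4]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

A bare workers.dev host alone is not flagged, because legitimate applications run there too; the rule fires only on the fragment or script-name pattern the report describes.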

FlowerStorm shares similarities with the now-defunct Rockstar2FA platform, including comparable HTML structures and the use of Cloudflare Turnstile keys. This suggests a shared origin or operational collaboration between the two frameworks.

The emergence of FlowerStorm coincides with a significant increase in phishing attacks.

CloudSEK’s research indicates a 692% surge in Black Friday and Cyber Monday themed phishing attacks during the 2024 holiday season compared to early November.

To mitigate the risks posed by FlowerStorm and similar threats, organizations are advised to:

  1. Implement comprehensive security awareness training for employees.
  2. Deploy advanced phishing detection tools capable of identifying novel social engineering techniques.
  3. Enforce robust multi-factor authentication (MFA) policies.
  4. Regularly audit systems for vulnerabilities and monitor for unusual account activity.
Tushar Subhra Dutta

Tushar is a cybersecurity content editor with a passion for creating captivating and informative content. With years of experience in cybersecurity, he covers cybersecurity news, technology and other news.